"Do you even lift, bro?" - Your web server, probably.
FitCheck is a Burp Suite extension that judges your target's security headers like a gym bro judges your form. It checks for the presence of common security headers and lets you know what's missing so you can screenshot it and put it in your report.
- Header Analysis: Checks for HSTS, CSP, X-Frame-Options, and more.
- Visual Dashboard: Green for "Good job", Red for "Do better".
- Screenshot Friendly: Big fonts, clear colors. Perfect for padding out that PDF.
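To show what a header fit check actually evaluates, here is a small stand-alone Python version of the same idea (an added example, not FitCheck's own code, which runs inside Burp against the Montoya API). It parses a raw HTTP response, reports which of the expected headers are present, missing, or present-but-weak, and goes a step beyond a pure presence check by validating a few header values. The header list, the weakness rules, and the sample response are this example's own assumptions and constructed input, not something taken from the project.

```python
"""Security-header fit check over a raw HTTP response (added example, not FitCheck's code)."""
from typing import Dict, List, Optional, Tuple

# Headers the README says FitCheck checks (HSTS, CSP, X-Frame-Options) plus two
# commonly reviewed ones. The exact list is an assumption of this example.
EXPECTED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "HSTS: keeps returning clients on HTTPS",
    "content-security-policy": "CSP: restricts where scripts and resources may load from",
    "x-frame-options": "blocks clickjacking by refusing to be framed",
    "x-content-type-options": "stops MIME sniffing (should be 'nosniff')",
    "referrer-policy": "limits referrer leakage to other origins",
}


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response into lower-cased (name, value) pairs.

    Only the head (before the first blank line) is read; the status line is skipped
    and malformed lines without a colon are ignored rather than raising.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue  # not a header line; skip it
        headers.append((name.strip().lower(), value.strip()))
    return headers


def weak_value(name: str, value: str) -> Optional[str]:
    """Return a reason string if a present header carries a weak value, else None.

    These rules are deliberately minimal and are this example's assumption.
    """
    if name == "x-content-type-options" and value.lower() != "nosniff":
        return "expected 'nosniff'"
    if name == "x-frame-options" and value.upper() not in ("DENY", "SAMEORIGIN"):
        return "expected DENY or SAMEORIGIN"
    if name == "strict-transport-security" and "max-age=" not in value.lower():
        return "missing max-age directive"
    return None


def fit_check(raw: str) -> Dict[str, object]:
    """Classify each expected header as good, weak (present but weak value) or missing."""
    seen: Dict[str, str] = {}
    for name, value in parse_response_headers(raw):
        seen.setdefault(name, value)  # first occurrence wins for value checks
    good: List[str] = []
    weak: Dict[str, str] = {}
    missing: List[str] = []
    for name in sorted(EXPECTED_HEADERS):
        if name not in seen:
            missing.append(name)
            continue
        reason = weak_value(name, seen[name])
        if reason:
            weak[name] = reason
        else:
            good.append(name)
    return {"good": good, "weak": weak, "missing": missing}


# Constructed sample response: HSTS and nosniff are fine, X-Frame-Options has a
# value that does not block framing, and CSP / Referrer-Policy are absent.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


if __name__ == "__main__":
    report = fit_check(SAMPLE_RESPONSE)
    for name in report["good"]:
        print(f"GOOD      {name}")
    for name, reason in report["weak"].items():
        print(f"DO BETTER {name}: {reason}")
    for name in report["missing"]:
        print(f"MISSING   {name}: {EXPECTED_HEADERS[name]}")
```

The split into good / weak / missing matters in practice: a header that is present with a permissive value (for example an X-Frame-Options that allows framing) passes a naive presence check while offering none of the protection the report would imply.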
| Requirement | Version | Notes |
|---|---|---|
| JDK | 21+ | Required to compile the extension |
| Burp Suite | 2023.12+ | Professional or Community — must support the Montoya API |
Note: You do not need to install Gradle — the project ships with the Gradle Wrapper (gradlew), which downloads the correct version automatically.
Option A — Homebrew:

```shell
brew install openjdk@21
```

After installing, follow the on-screen instructions to add it to your PATH, or run:

```shell
sudo ln -sfn $(brew --prefix openjdk@21)/libexec/openjdk.jdk /Library/Java/JavaVirtualMachines/openjdk-21.jdk
```

Option B — SDKMAN:

```shell
curl -s "https://get.sdkman.io" | bash
sdk install java 21-tem
```

Verify your installation:

```shell
java -version
# Should show 21.x.x or higher
```

Then build the extension from the project directory:

```shell
# Make the Gradle wrapper executable (first time only)
chmod +x gradlew
# Build the extension JAR
./gradlew jar
```

The output JAR will be at build/libs/FitCheck-1.0-SNAPSHOT.jar.
- Open Burp Suite.
- Go to Extensions → Add.
- Set extension type to Java, then select the built JAR.
- Navigate to the FitCheck tab.
- Click Refresh Targets to populate the target dropdown from your Proxy history.
- Select a target and click Analyze.
- Witness the judgment.
MIT. Do whatever.