Burp Suite Extension
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


The Burp extension custom_http_header.py serves as a template to make sure that a custom HTTP security header, being added by the client itself, is always having the correct value when manipulating parameters in the HTTP request or doing Active scans.

Within the Python code I have added comments (# TODO) that should help you in customising the Python code to fit the web application you are testing.

The blog related to this extension can be found at: https://www.mbsecure.nl/blog/2018/7/bypass-client-side-generated-http-security-headers


The Burp extension requires Jython.

  1. Download the standalone Jython version 2.7.0: http://www.jython.org/downloads.html
  2. Configure Burp to point to the location of Jython by going to the “Extension” tab and navigate to the “Options” sub-tab: Configure Jython
  3. Within the same tab (“Extensions”) go to the sub-tab “Extension” and Add the extension custom_http_header.py. Load the extension
  • If you do not get any errors while loading, everything is ok. Otherwise fix your code and reload the extension (uncheck and check).