Joseph Thacker
Hopefully this fixes #155. Codex wrote this; we need to review it.
## Summary
- ensure HTTPS responses expose a Strict-Transport-Security header
- flag missing headers, weak max-age values, and absent includeSubDomains
- register the passive check and enable it in the...
## Summary
- only evaluate HTTPS responses and search for http:// references in HTML/CSS
- raise medium severity findings for each insecure attribute or CSS url()
- register the passive...
## Summary
- parse JSON and YAML responses for OpenAPI/Swagger metadata
- raise a medium finding when definitions are discovered, including detected version
- register the passive check and enable...
## Summary
- flag password inputs that omit autocomplete protections or explicitly enable it
- report low-severity findings with the field index and attribute value
- register the passive check...
## Summary
- detect stylesheet links and @import rules that use path-relative targets
- report a low severity issue listing the offending paths
- register the check and enable it...
## Summary
- scan response bodies and Location headers for URLs carrying password-like query parameters
- raise a high-severity finding listing affected parameter names and lengths
- register the passive...
## Summary
- send TRACE probe with custom marker header and detect echo responses
- raise medium finding when server returns 200 and reflects the header
- expose new check...
Codex code for #24
Hopefully this fixes #154. Codex wrote this; we need to review it.