This is beautiful! I need to integrate this into our pre-production environments like yesterday! I have long wanted something like this; some of our internal APIs abuse HTTP response codes and one of our mobile apps sends an invalid User-Agent string. Pointing folks at the relevant standards passages and trying to explain what they're doing wrong, and why it affects other real-world applications, seems to get acknowledgement, but often no change, because by the time we've caught it, it is out in the wild.
The report format is beautiful too — I love that hovering highlights the relevant portions of the request, and thank you for the explain link; I loathe linters that offer no rationale.
Also, I love that the example taught me something too; I did not know some of these.
Also, very interesting that one of your examples is the Pragma header. I did not know that it was defined for requests only (and your explain link explains its rationale clearly enough that I now agree with it). I just implemented an OAuth client, and that standard requires it on responses:
> The authorization server MUST include the HTTP "Cache-Control" response header field [RFC2616] with a value of "no-store" in any response containing tokens, credentials, or other sensitive information, as well as the "Pragma" response header field [RFC2616] with a value of "no-cache".
The very RFC it cites even notes that this is unspecified!
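As an added example (not the commenter's code and not part of the linter being discussed), the following Python lint checks a token-endpoint response against the RFC 6749 section 5.1 requirement quoted above: `Cache-Control` must carry `no-store` (reported as an error when missing), while `Pragma: no-cache` is reported only as advisory, since HTTP/1.1 (RFC 7234 section 5.4) defines `Pragma` semantics for requests only, which is the tension the comment points out. Header names are matched case-insensitively and the sample responses are constructed for the demonstration.

```python
"""Added example: lint the caching headers of an OAuth 2.0 token response.

RFC 6749 section 5.1 requires `Cache-Control: no-store` and `Pragma: no-cache`
on any response that carries tokens or other credentials. HTTP/1.1 (RFC 7234
section 5.4) only defines Pragma semantics for requests, so a missing or
malformed Pragma is reported as "info", not "error". Sample headers below are
constructed for this demonstration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "error" (breaks the OAuth MUST) or "info" (advisory)
    header: str
    message: str


def _directives(value: str) -> set:
    """Split a comma-separated header value into lower-cased directives."""
    return {d.strip().lower() for d in value.split(",") if d.strip()}


def lint_token_response(headers: dict, body_has_token: bool = True) -> list:
    """Return a list of Findings for a token-endpoint response's headers.

    `headers` maps header name -> value; names are matched case-insensitively.
    Responses that carry no token are not subject to the rule and yield [].
    """
    if not body_has_token:
        return []
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Cache-Control: no-store is the part HTTP caches actually honour.
    cc = lower.get("cache-control")
    if cc is None:
        findings.append(Finding("error", "Cache-Control",
                                "missing; RFC 6749 5.1 requires 'no-store'"))
    elif "no-store" not in _directives(cc):
        findings.append(Finding("error", "Cache-Control",
                                f"'{cc}' lacks the 'no-store' directive"))

    # Pragma: no-cache is required by RFC 6749 but, as a response header,
    # has no defined meaning in HTTP/1.1, so it is advisory only.
    pragma = lower.get("pragma")
    if pragma is None:
        findings.append(Finding("info", "Pragma",
                                "absent; RFC 6749 asks for 'no-cache', "
                                "but HTTP defines Pragma only for requests"))
    elif "no-cache" not in _directives(pragma):
        findings.append(Finding("info", "Pragma",
                                f"'{pragma}' is not 'no-cache' as RFC 6749 asks"))
    return findings


def is_compliant(headers: dict, body_has_token: bool = True) -> bool:
    """True when no error-level finding is present (info findings are tolerated)."""
    return not any(f.severity == "error"
                   for f in lint_token_response(headers, body_has_token))


# Constructed sample responses (not captured from any real server).
GOOD_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
}
BAD_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "private, max-age=60",  # cacheable: tokens could be stored
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(f"{name}: compliant={is_compliant(hdrs)}")
        for f in lint_token_response(hdrs):
            print(f"  [{f.severity}] {f.header}: {f.message}")
```

The split into "error" versus "info" is the design point: a linter that flagged the missing `Pragma` at the same severity as a cacheable `Cache-Control` would push people to add a header whose only effect on a response is to satisfy the OAuth text, while the `no-store` directive is what actually keeps tokens out of shared caches.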