HTTP 安全响应头检测
检查 HTTP 安全响应头,并查看推荐配置。
跟随重定向
- 安全
- 结果不会被保存或公开。
说明
Security headers are HTTP response headers that help mitigate attacks that exploit web vulnerabilities such as cross-site scripting (XSS) and clickjacking.
With this tool, you can diagnose whether common security headers are set and whether the directives are configured correctly by simply entering a target URL.
| Header | Recommended value / Example | Description |
|---|---|---|
| Strict-Transport-Security (HSTS) | max-age=31536000 | Instructs the browser to communicate over HTTPS.31536000 specifies the duration (in seconds) that the browser remembers to use HTTPS. |
| Content-Security-Policy (CSP) | default-src 'self' example.com | Helps mitigate attacks such as cross-site scripting (XSS). By allowing trusted external domains, you can permit content from those domains. |
| X-Frame-Options | SAMEORIGIN | Controls whether the page can be displayed within iframeembedobject elements.DENY or SAMEORIGIN helps protect against clickjacking. |
| X-Content-Type-Options | nosniff | Forces the browser to follow the MIME type specified in Content-Type.nosniff helps prevent MIME sniffing. |
| referrer-policy | no-referrer | Controls how much referrer information is included in requests.no-referrer, no referrer information is sent. |
| Permissions-Policy | camera=() microphone=() | Controls which browser features are allowed within the page. For example, camera=() disables camera access via MediaDevices on that page. |
This tool does not check non-standard or deprecated headers such as X-XSS-Protection.
Even for supported headers, it shows warnings when it detects deprecated or unsafe directives.