HTTP Security Response Header Check
Check the HTTP security response headers of a site and view recommended settings.
Follow redirects
- Secure
- Results are not stored or made public.
Description
Security headers are HTTP response headers that help mitigate attacks that exploit web vulnerabilities such as cross-site scripting (XSS) and clickjacking.
With this tool, you can diagnose whether common security headers are set and whether the directives are configured correctly by simply entering a target URL.
| Header | Recommended value / Example | Description |
|---|---|---|
| Strict-Transport-Security (HSTS) | max-age=31536000 | Instructs the browser to communicate only over HTTPS. 31536000 is the duration (in seconds) for which the browser remembers to use HTTPS. |
| Content-Security-Policy (CSP) | default-src 'self' example.com | Helps mitigate attacks such as cross-site scripting (XSS) by restricting where content may be loaded from. Listing trusted external domains (example.com here) permits content from those domains. |
| X-Frame-Options | SAMEORIGIN | Controls whether the page can be displayed within iframe, embed, or object elements. DENY or SAMEORIGIN helps protect against clickjacking. |
| X-Content-Type-Options | nosniff | Forces the browser to follow the MIME type specified in Content-Type. nosniff helps prevent MIME sniffing. |
| Referrer-Policy | no-referrer | Controls how much referrer information is included in requests. With no-referrer, no referrer information is sent. |
| Permissions-Policy | camera=() microphone=() | Controls which browser features are allowed within the page. For example, camera=() disables camera access via MediaDevices on that page. |
This tool does not check non-standard or deprecated headers such as X-XSS-Protection.
Even for supported headers, it shows warnings when it detects deprecated or unsafe directives.
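As an added example of the kind of check described above (this is not the tool's own code), the script below audits a set of response headers against the recommendations in the table: it parses HSTS max-age, looks for weak CSP script sources, flags the deprecated X-Frame-Options ALLOW-FROM form, validates Referrer-Policy values, and reports each header as ok, warn, or missing. The two header sets at the bottom are constructed samples, not captured from any real site, and the thresholds (one year for HSTS) follow the table.

```python
"""Audit HTTP security response headers (added example, not the tool's code)."""
import re

ONE_YEAR = 31536000  # HSTS max-age recommended in the table (seconds)

# Referrer-Policy values defined by the W3C spec; unsafe-url is flagged below.
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(value):
    if value is None:
        return ("missing", "header not set; browser may fall back to plain HTTP")
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return ("warn", "no max-age directive; browsers ignore the header")
    max_age = int(m.group(1))
    if max_age < ONE_YEAR:
        return ("warn", f"max-age={max_age} is below the recommended {ONE_YEAR}")
    return ("ok", f"max-age={max_age}")


def check_csp(value):
    if value is None:
        return ("missing", "no policy; XSS mitigation relies on the app alone")
    directives = {}
    for part in value.split(";"):          # directives are ';'-separated
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives and "script-src" not in directives:
        return ("warn", "neither default-src nor script-src is set")
    # script-src falls back to default-src when absent, so check whichever applies
    sources = directives.get("script-src", directives.get("default-src", []))
    weak = {"'unsafe-inline'", "'unsafe-eval'", "*"} & set(sources)
    if weak:
        return ("warn", "script sources allow " + ", ".join(sorted(weak)))
    return ("ok", "script sources: " + " ".join(sources))


def check_xfo(value):
    if value is None:
        return ("missing", "page can be framed by any origin (clickjacking)")
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return ("ok", v)
    if v.startswith("ALLOW-FROM"):
        return ("warn", "ALLOW-FROM is deprecated and ignored by modern browsers")
    return ("warn", f"unrecognised value {value!r}")


def check_nosniff(value):
    if value is None:
        return ("missing", "browser may MIME-sniff responses")
    if value.strip().lower() == "nosniff":
        return ("ok", "nosniff")
    return ("warn", f"unrecognised value {value!r}")


def check_referrer(value):
    if value is None:
        return ("missing", "browser default policy applies")
    tokens = [t.strip().lower() for t in value.split(",")]  # fallback list allowed
    unknown = [t for t in tokens if t not in REFERRER_POLICIES]
    if unknown:
        return ("warn", "unrecognised value(s): " + ", ".join(unknown))
    if "unsafe-url" in tokens:
        return ("warn", "unsafe-url sends the full URL to every destination")
    return ("ok", value)


CHECKS = {
    "Strict-Transport-Security": check_hsts,
    "Content-Security-Policy": check_csp,
    "X-Frame-Options": check_xfo,
    "X-Content-Type-Options": check_nosniff,
    "Referrer-Policy": check_referrer,
    # Permissions-Policy has no single recommended value; only presence is checked.
    "Permissions-Policy": lambda v: ("missing", "no feature restrictions declared")
    if v is None else ("ok", v),
}


def audit(headers):
    """Return {header: (status, detail)} with status ok / warn / missing."""
    return {name: fn(_get(headers, name)) for name, fn in CHECKS.items()}


# Constructed sample responses (not captured from any real site).
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "unsafe-url",
}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self' example.com; object-src 'none'",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "no-referrer",
    "permissions-policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for name, (status, detail) in audit(hdrs).items():
            print(f"{status:8} {name}: {detail}")
```

Running the script prints one line per header for each sample set; every WEAK entry produces a warn or missing result, while HARDENED passes all six checks. To audit a live site, feed the header dict from any HTTP client response (for example `response.headers` from the standard library or requests) into `audit`.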