🛠️ToolsShed

HTTPセキュリティヘッダーリファレンス

HTTPセキュリティヘッダーリファレンスとチェッカー — CSP、HSTS、X-Frame-Options、CORSなど。

Content-Security-Policy

csp

Prevents XSS attacks by controlling which resources the browser is allowed to load.

推奨値: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

なしの場合のセキュリティリスク: Cross-site scripting (XSS) attacks

Content-Security-Policy: default-src 'self'

Strict-Transport-Security

transport

Forces HTTPS connections and prevents SSL stripping attacks.

推奨値: max-age=31536000; includeSubDomains; preload

なしの場合のセキュリティリスク: Man-in-the-middle attacks, SSL stripping

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Frame-Options

clickjacking

Prevents the page from being displayed in a frame/iframe to protect against clickjacking.

推奨値: DENY or SAMEORIGIN

なしの場合のセキュリティリスク: Clickjacking attacks

X-Frame-Options: DENY

X-Content-Type-Options

csp

Prevents MIME type sniffing which can lead to security vulnerabilities.

推奨値: nosniff

なしの場合のセキュリティリスク: MIME confusion attacks

X-Content-Type-Options: nosniff

Referrer-Policy

csp

Controls how much referrer information is included in requests.

推奨値: strict-origin-when-cross-origin

なしの場合のセキュリティリスク: Information leakage via Referer header

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

csp

Controls which browser features and APIs can be used in the browser.

推奨値: camera=(), microphone=(), geolocation=(self)

なしの場合のセキュリティリスク: Unauthorized access to browser APIs

Permissions-Policy: camera=(), microphone=()

Access-Control-Allow-Origin

cors

Specifies which origins can access the resource.

推奨値: Specific origin or same-origin only — avoid wildcard (*) for authenticated resources

なしの場合のセキュリティリスク: Cross-origin data access

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods

cors

Specifies the HTTP methods allowed for cross-origin requests.

推奨値: GET, POST, PUT, DELETE (only what is needed)

なしの場合のセキュリティリスク: Unauthorized HTTP methods via CORS

Access-Control-Allow-Methods: GET, POST

Cache-Control

cache

Controls how responses are cached by browsers and proxies.

推奨値: no-store, no-cache (for sensitive data); max-age=31536000 (for static assets)

なしの場合のセキュリティリスク: Sensitive data cached and exposed

Cache-Control: no-store, no-cache, must-revalidate

Cross-Origin-Resource-Policy

cors

Prevents other origins from reading the response of this resource.

推奨値: same-origin or same-site

なしの場合のセキュリティリスク: Cross-origin information leakage

Cross-Origin-Resource-Policy: same-origin

Cross-Origin-Opener-Policy

cors

Allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.

推奨値: same-origin

なしの場合のセキュリティリスク: Cross-origin attacks via shared browsing context

Cross-Origin-Opener-Policy: same-origin

X-XSS-Protection

csp

Legacy header — enables the browser's built-in XSS filter. Mostly superseded by CSP.

推奨値: 1; mode=block (legacy) or omit in favor of CSP

なしの場合のセキュリティリスク: XSS attacks in older browsers without CSP

X-XSS-Protection: 1; mode=block

ヘッダーチェッカー

HTTPレスポンスヘッダーを貼り付けて確認

よくある質問

Comments & Feedback

Comments are powered by Giscus. Sign in with GitHub to leave a comment.