🛠️ToolsShed

HTTP 보안 헤더 레퍼런스

HTTP 보안 헤더 레퍼런스 및 검사기 — CSP, HSTS, X-Frame-Options, CORS 등.

Content-Security-Policy

csp

Prevents XSS attacks by controlling which resources the browser is allowed to load.

권장 값: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

없을 때 보안 위험: Cross-site scripting (XSS) attacks

Content-Security-Policy: default-src 'self'

Strict-Transport-Security

transport

Forces HTTPS connections and prevents SSL stripping attacks.

권장 값: max-age=31536000; includeSubDomains; preload

없을 때 보안 위험: Man-in-the-middle attacks, SSL stripping

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Frame-Options

clickjacking

Prevents the page from being displayed in a frame/iframe to protect against clickjacking.

권장 값: DENY or SAMEORIGIN

없을 때 보안 위험: Clickjacking attacks

X-Frame-Options: DENY

X-Content-Type-Options

csp

Prevents MIME type sniffing which can lead to security vulnerabilities.

권장 값: nosniff

없을 때 보안 위험: MIME confusion attacks

X-Content-Type-Options: nosniff

Referrer-Policy

csp

Controls how much referrer information is included in requests.

권장 값: strict-origin-when-cross-origin

없을 때 보안 위험: Information leakage via Referer header

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy

csp

Controls which browser features and APIs can be used in the browser.

권장 값: camera=(), microphone=(), geolocation=(self)

없을 때 보안 위험: Unauthorized access to browser APIs

Permissions-Policy: camera=(), microphone=()

Access-Control-Allow-Origin

cors

Specifies which origins can access the resource.

권장 값: Specific origin or same-origin only — avoid wildcard (*) for authenticated resources

없을 때 보안 위험: Cross-origin data access

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods

cors

Specifies the HTTP methods allowed for cross-origin requests.

권장 값: GET, POST, PUT, DELETE (only what is needed)

없을 때 보안 위험: Unauthorized HTTP methods via CORS

Access-Control-Allow-Methods: GET, POST

Cache-Control

cache

Controls how responses are cached by browsers and proxies.

권장 값: no-store, no-cache (for sensitive data); max-age=31536000 (for static assets)

없을 때 보안 위험: Sensitive data cached and exposed

Cache-Control: no-store, no-cache, must-revalidate

Cross-Origin-Resource-Policy

cors

Prevents other origins from reading the response of this resource.

권장 값: same-origin or same-site

없을 때 보안 위험: Cross-origin information leakage

Cross-Origin-Resource-Policy: same-origin

Cross-Origin-Opener-Policy

cors

Allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.

권장 값: same-origin

없을 때 보안 위험: Cross-origin attacks via shared browsing context

Cross-Origin-Opener-Policy: same-origin

X-XSS-Protection

csp

Legacy header — enables the browser's built-in XSS filter. Mostly superseded by CSP.

권장 값: 1; mode=block (legacy) or omit in favor of CSP

없을 때 보안 위험: XSS attacks in older browsers without CSP

X-XSS-Protection: 1; mode=block

헤더 검사기

HTTP 응답 헤더를 붙여넣어 검사하세요

자주 묻는 질문

Comments & Feedback

Comments are powered by Giscus. Sign in with GitHub to leave a comment.