HTTP Security Headers Reference
HTTP security headers reference and checker: CSP, HSTS, X-Frame-Options, CORS, and more.
Content-Security-Policy
Category: csp
Prevents XSS attacks by controlling which resources the browser is allowed to load.
Recommended value: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;
Risk without this header: Cross-site scripting (XSS) attacks
Content-Security-Policy: default-src 'self'
Strict-Transport-Security
Category: transport
Forces HTTPS connections and prevents SSL stripping attacks.
Recommended value: max-age=31536000; includeSubDomains; preload
Risk without this header: Man-in-the-middle attacks, SSL stripping
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options
Category: clickjacking
Prevents the page from being displayed in a frame or iframe, protecting against clickjacking.
Recommended value: DENY or SAMEORIGIN
Risk without this header: Clickjacking attacks
X-Frame-Options: DENY
X-Content-Type-Options
Category: csp
Prevents the browser from sniffing the MIME type and handling a response as a type other than the declared Content-Type.
Recommended value: nosniff
Risk without this header: MIME confusion attacks
X-Content-Type-Options: nosniff
Referrer-Policy
Category: csp
Controls how much referrer information is included in outgoing requests.
Recommended value: strict-origin-when-cross-origin
Risk without this header: Information leakage via the Referer header
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy
Category: csp
Controls which browser features and APIs the page (and its embedded frames) is allowed to use.
Recommended value: camera=(), microphone=(), geolocation=(self)
Risk without this header: Unauthorized access to browser APIs
Permissions-Policy: camera=(), microphone=()
Access-Control-Allow-Origin
Category: cors
Specifies which origins can read the resource cross-origin.
Recommended value: A specific origin or same-origin only; avoid the wildcard (*) for authenticated resources
Risk without this header: Cross-origin data access
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods
Category: cors
Specifies the HTTP methods allowed for cross-origin requests.
Recommended value: GET, POST, PUT, DELETE (only what is needed)
Risk without this header: Unauthorized HTTP methods via CORS
Access-Control-Allow-Methods: GET, POST
Cache-Control
Category: cache
Controls how responses are cached by browsers and proxies.
Recommended value: no-store, no-cache (for sensitive data); max-age=31536000 (for static assets)
Risk without this header: Sensitive data cached and exposed
Cache-Control: no-store, no-cache, must-revalidate
Cross-Origin-Resource-Policy
Category: cors
Prevents other origins from reading the response of this resource.
Recommended value: same-origin or same-site
Risk without this header: Cross-origin information leakage
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy
Category: cors
Ensures a top-level document does not share a browsing context group with cross-origin documents.
Recommended value: same-origin
Risk without this header: Cross-origin attacks via a shared browsing context
Cross-Origin-Opener-Policy: same-origin
X-XSS-Protection
Category: csp
Legacy header that enables the browser's built-in XSS filter. Mostly superseded by CSP.
Recommended value: 1; mode=block (legacy) or omit in favor of CSP
Risk without this header: XSS attacks in older browsers without CSP
X-XSS-Protection: 1; mode=block
About this tool
HTTP security headers are response headers that tell the web browser how to defend against common web vulnerabilities. Unlike general-purpose HTTP headers that control caching or content delivery, security headers build a defensive perimeter around your web application by preventing attacks such as cross-site scripting (XSS), clickjacking, MIME-type abuse, and cross-origin data theft.
This tool provides a comprehensive reference for all the major security headers, plus an interactive checker that analyzes your site's current security posture. Paste your HTTP response headers or enter a domain name, and you will immediately see which security headers are present, which are missing, and how your configuration rates against industry best practices.
Web developers, DevOps engineers, and security teams use this reference to harden their deployments without changing application code. Most security headers are configured purely through server settings, reverse-proxy rules, or application-framework plugins, which makes them one of the quickest wins for improving a site's resistance to modern threats.
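As an added example (not the page's own checker, and not affiliated with it), the following Python script does what the checker described above does: it parses pasted response headers, flags headers that are missing or weakly configured against the recommended values in this reference, and assigns a letter grade. The grading thresholds, the choice of weak-value checks, and the two constructed sample responses are assumptions of this example.

```python
"""Security-header checker: parse a raw HTTP response and grade it against
the recommended values listed above. Added example, not the page's own tool."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, header, detail); severity is "missing" or "weak"


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse pasted response headers into a dict keyed by lower-cased name.
    The status line is skipped; repeated fields are joined with ', '."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def check_headers(h: Dict[str, str]) -> List[Finding]:
    """Compare parsed headers against the reference's recommendations."""
    f: List[Finding] = []

    def missing(name: str, risk: str) -> None:
        f.append(("missing", name, risk))

    csp = h.get("content-security-policy")
    csp_directives = parse_csp(csp) if csp else {}
    if csp is None:
        missing("Content-Security-Policy", "no policy restricting loaded resources")
    else:
        # script-src falls back to default-src when absent
        scripts = csp_directives.get("script-src", csp_directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            f.append(("weak", "Content-Security-Policy", "script-src allows 'unsafe-inline' or *"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        missing("Strict-Transport-Security", "SSL stripping possible")
    elif hsts_max_age(hsts) < 31536000:
        f.append(("weak", "Strict-Transport-Security", "max-age below one year"))

    # CSP frame-ancestors is the modern equivalent of X-Frame-Options
    xfo = h.get("x-frame-options", "").upper()
    if not xfo and "frame-ancestors" not in csp_directives:
        missing("X-Frame-Options", "clickjacking possible")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        f.append(("weak", "X-Frame-Options", f"unsupported value {xfo}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        missing("X-Content-Type-Options", "MIME sniffing possible")

    rp = h.get("referrer-policy")
    if rp is None:
        missing("Referrer-Policy", "Referer may leak full URLs")
    elif rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        f.append(("weak", "Referrer-Policy", f"{rp} sends the full URL cross-origin"))

    for name, risk in (("permissions-policy", "browser APIs unrestricted"),
                       ("cross-origin-resource-policy", "cross-origin reads allowed"),
                       ("cross-origin-opener-policy", "shared browsing context group")):
        if name not in h:
            missing(name.title(), risk)

    # Wildcard CORS origin on a response that also carries credentials
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and ("set-cookie" in h or creds):
        f.append(("weak", "Access-Control-Allow-Origin", "wildcard on an authenticated resource"))

    cc = h.get("cache-control", "").lower()
    if "set-cookie" in h and "no-store" not in cc:
        f.append(("weak", "Cache-Control", "session response is cacheable (no-store absent)"))
    return f


def grade(findings: List[Finding]) -> str:
    """Letter grade (assumed scale): each missing header costs 2 points, each weak value 1."""
    score = sum(2 if s == "missing" else 1 for s, _, _ in findings)
    return "A" if score == 0 else "B" if score <= 2 else "C" if score <= 4 else "D" if score <= 7 else "F"


# Constructed sample responses (not captured from any real site)
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: session=abc123; HttpOnly; Secure
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: unsafe-url
Access-Control-Allow-Origin: *
Cache-Control: public, max-age=3600
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Opener-Policy: same-origin
Cache-Control: no-store
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = check_headers(parse_response_headers(raw))
        print(f"{label}: grade {grade(findings)}")
        for severity, header, detail in findings:
            print(f"  [{severity}] {header}: {detail}")
```

Run it with no arguments to see the two constructed samples graded; to check a real response, pass the output of a tool such as curl -sI into parse_response_headers. The checker treats CSP frame-ancestors as satisfying the framing check, because a policy that already restricts framing makes X-Frame-Options redundant.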