# HTTP Header Analyzer

Check HTTP security headers and TLS configuration. Find missing protections and misconfigurations.

## Quick Start

```bash
# Analyze a single URL
python3 {baseDir}/scripts/analyze-headers.py https://example.com

# Check multiple targets
python3 {baseDir}/scripts/analyze-headers.py -f urls.txt

# JSON output
python3 {baseDir}/scripts/analyze-headers.py https://example.com --json
```

## Headers Checked

| Header | Purpose | Risk if Missing |
|---|---|---|
| `Strict-Transport-Security` | Forces HTTPS | Medium |
| `Content-Security-Policy` | XSS protection | Medium-High |
| `X-Frame-Options` | Clickjacking protection | Medium |
| `X-Content-Type-Options` | MIME sniffing protection | Low |
| `X-XSS-Protection` | XSS filter (legacy) | Low |
| `Referrer-Policy` | Controls referrer leakage | Low |
| `Permissions-Policy` | Feature restrictions | Low |
| `Cross-Origin-Opener-Policy` | Cross-origin isolation | Low |
| `Cross-Origin-Embedder-Policy` | Cross-origin isolation | Low |
| `Cross-Origin-Resource-Policy` | Cross-origin protection | Low |

## Options

- `URL` — Target URL(s) to analyze
- `-f FILE` — File with URLs (one per line)
- `--json` — JSON output
- `--follow` — Follow redirects (default: yes)
- `--timeout SECS` — Request timeout (default: 10)
- `--user-agent UA` — Custom User-Agent
- `--check-tls` — Also check TLS certificate info
- `--severity LEVEL` — Minimum severity to report: `low`, `medium`, `high`

## Output

```
=== https://example.com ===
✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
✅ Content-Security-Policy: default-src self
❌ X-Frame-Options: Missing (clickjacking risk)
✅ X-Content-Type-Options: nosniff
❌ Referrer-Policy: Missing
⚠️ Server: nginx/1.18.0 (version exposed)

Score: 3/6 security headers present
Risk: Medium
```
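The kind of check the output above implies, as an added example that is not the project's own `analyze-headers.py`: it parses a constructed raw response header block, applies the "Headers Checked" table, flags a present-but-weak value, notes a version-revealing `Server` header, and scores the result. The weak-value rules, the 10-header denominator and the risk rollup (the highest "Risk if Missing" among absent headers) are assumptions of this example, not documented behaviour of the tool.

```python
"""Offline security-header check modelled on the analyzer's report format (example code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Headers from the README table, with the risk the table assigns when one is missing.
CHECKED_HEADERS = {
    "Strict-Transport-Security": "Medium",
    "Content-Security-Policy": "Medium-High",
    "X-Frame-Options": "Medium",
    "X-Content-Type-Options": "Low",
    "X-XSS-Protection": "Low",
    "Referrer-Policy": "Low",
    "Permissions-Policy": "Low",
    "Cross-Origin-Opener-Policy": "Low",
    "Cross-Origin-Embedder-Policy": "Low",
    "Cross-Origin-Resource-Policy": "Low",
}
RISK_RANK = {"Low": 0, "Medium": 1, "Medium-High": 2}

# Constructed sample response; not captured from any real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer

<html>...</html>
"""


@dataclass
class Finding:
    header: str
    status: str  # "ok", "weak", "missing" or "info"
    detail: str


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP/1.1 header block into a dict keyed by lower-cased name.
    Stops at the blank line that ends the headers; repeated fields are joined with ', '."""
    headers: dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_value(header: str, value: str) -> str | None:
    """Assumed weak-value rules: return a description if the header is present but weak."""
    v = value.lower()
    if header == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "max-age below one year"
    elif header == "Content-Security-Policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "allows 'unsafe-inline' or 'unsafe-eval'"
    elif header == "X-Frame-Options" and v not in ("deny", "sameorigin"):
        return f"unexpected value {value!r}"
    elif header == "X-Content-Type-Options" and v != "nosniff":
        return f"unexpected value {value!r}"
    return None


def analyze(raw: str) -> list[Finding]:
    """One Finding per checked header, plus an info finding for a version-revealing Server."""
    headers = parse_headers(raw)
    findings: list[Finding] = []
    for name, risk in CHECKED_HEADERS.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(Finding(name, "missing", f"Missing ({risk} risk)"))
            continue
        weak = check_value(name, value)
        findings.append(Finding(name, "weak" if weak else "ok", weak or value))
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # e.g. "nginx/1.18.0" discloses a version
        findings.append(Finding("Server", "info", f"{server} (version exposed)"))
    return findings


def score(findings: list[Finding]) -> tuple[int, int]:
    """(present, checked): a weak header still counts as present, as in the README output."""
    checked = [f for f in findings if f.header in CHECKED_HEADERS]
    return sum(f.status in ("ok", "weak") for f in checked), len(checked)


def overall_risk(findings: list[Finding]) -> str:
    """Assumed rollup: the highest 'Risk if Missing' among absent headers, else Low."""
    missing = [CHECKED_HEADERS[f.header] for f in findings if f.status == "missing"]
    return max(missing, key=RISK_RANK.__getitem__, default="Low")


def format_report(url: str, findings: list[Finding]) -> str:
    icon = {"ok": "✅", "weak": "⚠️", "missing": "❌", "info": "⚠️"}
    lines = [f"=== {url} ==="] + [f"{icon[f.status]} {f.header}: {f.detail}" for f in findings]
    present, total = score(findings)
    lines += ["", f"Score: {present}/{total} security headers present",
              f"Risk: {overall_risk(findings)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report("https://example.com (constructed sample)", analyze(SAMPLE_RESPONSE)))
```

On the constructed sample this reports HSTS, `X-Content-Type-Options` and `Referrer-Policy` as present, the CSP as weak because of `'unsafe-inline'`, six headers missing, a 4/10 score and Medium overall risk (driven by the absent `X-Frame-Options`). Parsing case-insensitively matters: header names are case-insensitive on the wire, and a check that compares `X-Frame-Options` against a response sending `x-frame-options` would otherwise report a false "missing".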