HTTP头分析工具
检查任意URL的HTTP响应头。突出显示缺失的安全头。
如何使用本工具
- 1
Type a public hostname or URL (for example example.com or https://example.com) into the input box.
- 2
Press Analyze. The tool's server sends a GET request to that host over HTTPS, falling back to HTTP if needed.
- 3
Read the yellow 'Missing security headers' panel to see which of the nine tracked headers are absent.
- 4
Scroll the 'All headers' list to inspect every header the server actually returned, value by value.
什么是HTTP头分析工具?
HTTP响应头承载着关于每个响应的元数据:缓存规则、安全策略、内容类型和服务器标识。现代安全依赖于诸如Strict-Transport-Security(HSTS)、Content-Security-Policy(CSP)和X-Frame-Options之类的头。本工具会获取一个URL并显示其所有响应头,外加一份缺失的推荐安全头清单。
常见使用场景
Confirm a freshly deployed site is sending HSTS and a Content-Security-Policy before you announce launch.
Spot-check a competitor's or vendor's public domain to see how their security header posture compares to yours.
Verify that a CDN or reverse-proxy change (Cloudflare, Fastly, nginx) is actually adding the headers you configured at the edge.
Quickly read Cache-Control, ETag, and Content-Type on a production response when debugging a caching or MIME-type bug.
Check whether a redirect chain ends on HTTPS and what the final hop's headers look like, since the tool follows up to five redirects.
Hand a developer a concrete list of missing headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) to add to their server config.