HTTP Security Headers Audit
Scan any URL for missing or misconfigured security headers and get an actionable report with grades, fix recommendations, and info-leak detection.
Quick Start
```bash
python3 scripts/sec_headers.py https://example.com
```
Commands
```bash
# Single URL audit
python3 scripts/sec_headers.py https://example.com

# Multiple URL audit
python3 scripts/sec_headers.py https://example.com https://google.com https://github.com

# JSON output (for programmatic use)
python3 scripts/sec_headers.py https://example.com --json

# Custom timeout
python3 scripts/sec_headers.py https://example.com --timeout 5
```
What It Checks
Security headers (graded by severity):
- `Strict-Transport-Security` (HSTS) — HIGH
- `Content-Security-Policy` (CSP) — HIGH
- `X-Content-Type-Options` — MEDIUM
- `X-Frame-Options` — MEDIUM
- `Referrer-Policy` — MEDIUM
- `Permissions-Policy` — MEDIUM
- `X-XSS-Protection` — LOW
- `Cross-Origin-Opener-Policy` (COOP) — LOW
- `Cross-Origin-Resource-Policy` (CORP) — LOW
- `Cross-Origin-Embedder-Policy` (COEP) — LOW
Info leak detection:
- `Server` header (software version disclosure)
- `X-Powered-By` (technology stack leak)
- `X-AspNet-Version` (framework version leak)
Grading
| Grade | Score | Meaning |
|---|---|---|
| A | 90–100 | Excellent — all critical headers present |
| B | 75–89 | Good — minor gaps |
| C | 50–74 | Fair — important headers missing |
| D | 25–49 | Poor — significant exposure |
| F | 0–24 | Failing — most headers absent |
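As an added illustration (not the project's own `scripts/sec_headers.py` code), the following Python audits a constructed set of response headers against the header list and grade bands above. The point weights per severity, the half penalty for a present-but-weak header, and the misconfiguration rules for HSTS, `X-Content-Type-Options` and `X-Frame-Options` are assumptions made for this example.

```python
import re
# Header names/severities are from this README; point weights and misconfiguration
# rules are assumptions for this example, not the scoring of scripts/sec_headers.py.
WEIGHT = {"HIGH": 20, "MEDIUM": 10, "LOW": 5}
SECURITY_HEADERS = {
    "Strict-Transport-Security": "HIGH", "Content-Security-Policy": "HIGH",
    "X-Content-Type-Options": "MEDIUM", "X-Frame-Options": "MEDIUM",
    "Referrer-Policy": "MEDIUM", "Permissions-Policy": "MEDIUM",
    "X-XSS-Protection": "LOW", "Cross-Origin-Opener-Policy": "LOW",
    "Cross-Origin-Resource-Policy": "LOW", "Cross-Origin-Embedder-Policy": "LOW",
}
LEAK_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")

def misconfigured(name, value):
    """Reason string if a present header is weakly configured, else None."""
    v = value.strip().lower()
    if name == "Strict-Transport-Security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:  # shorter than one year
            return "max-age missing or below one year"
    elif name == "X-Content-Type-Options" and v != "nosniff":
        return "value is not 'nosniff'"
    elif name == "X-Frame-Options" and v not in ("deny", "sameorigin"):
        return "value is not DENY or SAMEORIGIN"
    return None

def grade(score):  # A-F bands from the grading table above
    return next((g for g, lo in (("A", 90), ("B", 75), ("C", 50), ("D", 25)) if score >= lo), "F")

def audit(headers):
    """Audit a response-header mapping; header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    total, lost, findings = sum(WEIGHT[s] for s in SECURITY_HEADERS.values()), 0, []
    for name, sev in SECURITY_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:                            # absent: full penalty
            findings.append((name, sev, "missing")); lost += WEIGHT[sev]
        elif (why := misconfigured(name, value)):    # present but weak: half penalty
            findings.append((name, sev, why)); lost += WEIGHT[sev] // 2
    # Server only counts as a leak when it carries a version number.
    leaks = [h for h in LEAK_HEADERS if h.lower() in lower
             and (h != "Server" or re.search(r"\d", lower["server"]))]
    score = round(100 * (total - lost) / total)
    return {"findings": findings, "leaks": leaks, "score": score, "grade": grade(score)}

# Constructed sample response headers (not captured from any real site).
SAMPLE = {"Server": "nginx/1.18.0", "Strict-Transport-Security": "max-age=300",
          "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
          "Referrer-Policy": "no-referrer"}
```

Running `audit(SAMPLE)` flags the short HSTS lifetime and the six absent headers, reports `Server` as a version leak, and lands in grade D under the assumed weights.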
Dependencies
```bash
pip install requests
```