Sicherheitsheader-Analyzer
Analysieren Sie HTTP-Sicherheitsheader auf fehlende HSTS, CSP und Permissions-Policy
Analyzing HTTP Security Headers
HTTP security headers are the first line of defense against common web attacks — cross-site scripting (XSS), clickjacking, MIME-type confusion, and man-in-the-middle attacks. Properly configured headers instruct browsers to enforce security policies that prevent entire classes of vulnerabilities without requiring changes to application code. Missing headers leave your application exposed to attacks that modern browsers can otherwise block automatically.
The Security Headers Analyzer evaluates your HTTP response headers against industry best practices, checking for Strict-Transport-Security (HSTS), Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each missing or misconfigured header receives a severity rating and specific configuration recommendations. All analysis happens locally in your browser.
Essential Security Headers
These headers should be present on every production web application:
-
Strict-Transport-Security (HSTS): Forces browsers to use HTTPS for all future
requests, preventing SSL stripping attacks. Recommended:
max-age=31536000; includeSubDomains; preload - Content-Security-Policy (CSP): Controls which resources the browser is allowed to load, preventing XSS and data injection attacks.
-
X-Content-Type-Options: Prevents MIME-type sniffing. Always set to
nosniff. -
X-Frame-Options: Prevents clickjacking by controlling iframe embedding.
Set to
DENYorSAMEORIGIN. -
Referrer-Policy: Controls how much referrer information is sent with requests.
Recommended:
strict-origin-when-cross-origin. - Permissions-Policy: Disables browser features your site does not use (camera, microphone, geolocation) to reduce attack surface.
Common Misconfigurations
The analyzer detects headers that are present but incorrectly configured:
- Short HSTS max-age: Values under 6 months provide insufficient protection. Browsers forget the policy too quickly, allowing downgrade attacks between visits.
- CSP with unsafe-inline: Allowing inline scripts defeats most of CSP's XSS protection. Use nonces or hashes instead.
-
Permissive CSP sources: Wildcards (
*) or overly broad domains allow attackers to load malicious resources from any CDN or subdomain. - Missing HSTS includeSubDomains: Subdomains remain vulnerable to SSL stripping even when the main domain has HSTS.
-
Deprecated headers:
X-XSS-Protectionis deprecated in modern browsers and can actually introduce vulnerabilities in some edge cases.
Security Scoring and Prioritization
The analyzer assigns a security score based on header presence and configuration quality, helping teams prioritize which headers to implement first:
- Critical (immediate fix): Missing HSTS on sites handling authentication or payments
- High (fix this sprint): Missing CSP, missing X-Content-Type-Options
- Medium (plan for next quarter): Missing Permissions-Policy, weak Referrer-Policy
- Low (nice to have): Missing optional headers like Cross-Origin-Embedder-Policy
Implementing headers incrementally is recommended — start with X-Content-Type-Options (risk-free), add HSTS with a short max-age (reversible), then build CSP in report-only mode before enforcing. This approach prevents breaking your application while progressively hardening security. Each header addition should be tested in staging before production deployment to confirm no legitimate functionality is blocked by the new policy. The analyzer re-evaluates your score after each header is added, showing measurable security improvement over time.
Code Examples
Recommended Security Headers Configuration (Nginx)
# Nginx server block — security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Remove server version disclosure
server_tokens off;