analyzing-security-headers

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Analyzing Security Headers

安全头分析

Overview

概述

Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.

对照OWASP安全头项目建议和浏览器安全基线评估Web应用的HTTP响应头，识别HTTP和HTTPS响应中缺失、配置错误或存在信息泄露的响应头。

Prerequisites

前置条件

Target URL or domain name accessible over the network
Authorization to perform HTTP requests against the target domain
Network connectivity for both HTTP and HTTPS protocols
Optional: write access to
```
${CLAUDE_SKILL_DIR}/security-reports/
```
for persisting results

网络可访问的目标URL或域名
有权限向目标域名发起HTTP请求
支持HTTP和HTTPS协议的网络连接
可选：拥有
```
${CLAUDE_SKILL_DIR}/security-reports/
```
的写入权限，用于持久化存储分析结果

Instructions

使用说明

Accept the target domain. If only a domain name is provided, default to
```
https://
```
. For batch analysis, accept a newline-separated list.
Fetch response headers using
```
WebFetch
```
for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
Evaluate critical headers -- flag any that are missing or misconfigured:
- ```
Strict-Transport-Security
```
  : require
```
max-age>=31536000
```
  ,
```
includeSubDomains
```
  , and preload eligibility
- ```
Content-Security-Policy
```
  : check for
```
unsafe-inline
```
  ,
```
unsafe-eval
```
  , overly broad
```
default-src
```
  , and missing
```
frame-ancestors
```
- ```
X-Frame-Options
```
  : require
```
DENY
```
  or
```
SAMEORIGIN
```
- ```
X-Content-Type-Options
```
  : require
```
nosniff
```
- ```
Permissions-Policy
```
  : verify camera, microphone, geolocation restrictions

Evaluate important headers -- report status and recommendations:

Referrer-Policy

: recommend

strict-origin-when-cross-origin

no-referrer

Cross-Origin-Embedder-Policy

(COEP),

Cross-Origin-Opener-Policy

(COOP),

Cross-Origin-Resource-Policy

(CORP)

Check for information disclosure -- flag
```
Server
```
,
```
X-Powered-By
```
,
```
X-AspNet-Version
```
, and any header revealing technology stack or version numbers.
Inspect cookie attributes on
```
Set-Cookie
```
headers: verify
```
Secure
```
,
```
HttpOnly
```
,
```
SameSite=Lax|Strict
```
, and
```
__Host-
```
/
```
__Secure-
```
prefix usage.
Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.

See

${CLAUDE_SKILL_DIR}/references/implementation.md

for the five-phase implementation workflow.

接收目标域名。如果仅提供域名，默认使用
```
https://
```
协议。批量分析时支持接收换行分隔的域名列表。
使用
```
WebFetch
```
获取HTTP和HTTPS端点的响应头，记录完整的重定向链和最终目标URL。
评估关键响应头——标记所有缺失或配置错误的项：
- ```
Strict-Transport-Security
```
  ：要求
```
max-age>=31536000
```
  、配置
```
includeSubDomains
```
  且符合预加载条件
- ```
Content-Security-Policy
```
  ：检查是否存在
```
unsafe-inline
```
  、
```
unsafe-eval
```
  、过宽的
```
default-src
```
  配置，以及是否缺失
```
frame-ancestors
```
- ```
X-Frame-Options
```
  ：要求配置为
```
DENY
```
  或
```
SAMEORIGIN
```
- ```
X-Content-Type-Options
```
  ：要求配置为
```
nosniff
```
- ```
Permissions-Policy
```
  ：验证摄像头、麦克风、地理位置权限的限制配置

评估重要响应头——报告状态并给出建议：

Referrer-Policy

：建议配置为

strict-origin-when-cross-origin

或

no-referrer

Cross-Origin-Embedder-Policy

(COEP)、

Cross-Origin-Opener-Policy

(COOP)、

Cross-Origin-Resource-Policy

(CORP)

检查信息泄露风险——标记
```
Server
```
、
```
X-Powered-By
```
、
```
X-AspNet-Version
```
以及所有会泄露技术栈或版本号的响应头
检查
```
Set-Cookie
```
头的Cookie属性：验证
```
Secure
```
、
```
HttpOnly
```
、
```
SameSite=Lax|Strict
```
配置，以及
```
__Host-
```
/
```
__Secure-
```
前缀的使用情况
计算安全评分：根据每个响应头的权重、是否存在及配置正确性，给出评分等级：A+ (95-100)、A (85-94)、B (75-84)、C (65-74)、D (50-64)、F (<50)
生成每个响应头的修复指南，附带Nginx、Apache和Cloudflare的配置示例

查看

${CLAUDE_SKILL_DIR}/references/implementation.md

了解五阶段实现工作流。

Output

输出内容

Headers Analysis Report: overall grade, per-header status (present/missing/misconfigured), and risk impact
Remediation Checklist: prioritized fixes with server configuration snippets
Cookie Security Assessment: attribute compliance for each
```
Set-Cookie
```
header
Comparison Table: side-by-side HTTP vs. HTTPS header differences

响应头分析报告：整体安全等级、每个响应头的状态（存在/缺失/配置错误）以及风险影响
修复检查清单：按优先级排序的修复方案，附带服务端配置片段
Cookie安全评估：每个
```
Set-Cookie
```
头的属性合规情况
对比表：HTTP与HTTPS响应头的差异对比

Error Handling

错误处理

Error	Cause	Solution
Failed to connect to domain	DNS resolution failure, firewall block, or domain down	Verify domain spelling and DNS records; test alternate protocols
SSL certificate verification failed	Expired, self-signed, or mismatched certificate	Note TLS issue in report; indicates HSTS not properly enforced
Too many redirects	Redirect loop between HTTP and HTTPS	Report the redirect chain and analyze headers at each hop
HTTP 429 Too Many Requests	Rate limiting by target server	Implement backoff; queue domain for delayed re-analysis
Headers differ between HTTP and HTTPS	Inconsistent server configuration	Report both sets; highlight critical differences and flag HSTS gap

错误	原因	解决方案
无法连接到域名	DNS解析失败、防火墙拦截或域名宕机	验证域名拼写和DNS记录；测试备用协议
SSL证书验证失败	证书过期、自签名证书或证书不匹配	在报告中注明TLS问题；说明HSTS未正确生效
重定向次数过多	HTTP与HTTPS之间存在重定向循环	报告重定向链并分析每个跳转节点的响应头
HTTP 429 请求过多	目标服务端触发限流	实现退避策略；将域名加入队列延迟重分析
HTTP与HTTPS响应头不一致	服务端配置不一致	同时上报两组响应头；突出关键差异并标记HSTS配置漏洞

Examples

使用示例

"Analyze security headers for
```
https://claudecodeplugins.io
```
and explain any CSP or HSTS issues."
"Check headers for
```
example.com
```
on both HTTP and HTTPS and provide an Nginx remediation config."
"Batch-analyze headers for five staging domains and rank them by security grade."

“分析
```
https://claudecodeplugins.io
```
的安全头并说明所有CSP或HSTS问题”
“检查
```
example.com
```
的HTTP和HTTPS响应头，并提供Nginx修复配置”
“批量分析5个预发布环境域名的响应头，并按安全等级排序”

Resources

参考资源

OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
Security Headers Scanner: https://securityheaders.com/
Content Security Policy Reference: https://content-security-policy.com/
HSTS Preload Submission: https://hstspreload.org/

${CLAUDE_SKILL_DIR}/references/errors.md

-- full error handling reference

${CLAUDE_SKILL_DIR}/references/examples.md

-- additional usage examples

https://intentsolutions.io

OWASP安全头项目：https://owasp.org/www-project-secure-headers/
MDN安全头指南：https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
安全头扫描工具：https://securityheaders.com/
内容安全政策参考：https://content-security-policy.com/
HSTS预加载提交页面：https://hstspreload.org/

${CLAUDE_SKILL_DIR}/references/errors.md

——完整错误处理参考

${CLAUDE_SKILL_DIR}/references/examples.md

——更多使用示例

https://intentsolutions.io