FixVibe

// 表面 / 聚焦

HTTP Security Headers

Headers are free defense — most apps still ship without them.

概要

Security headers cost nothing to add and prevent entire classes of attacks — yet most production apps ship missing two or three of them. The bug isn't a bug, exactly; it's missing armor. The browser is willing to enforce a half-dozen protective behaviors for free, but only when the server explicitly asks. Skip the ask, lose the protection. The headers are well-understood, well-documented, supported across every modern browser, and configurable in a few lines of edge config — the persistence of the gap is purely operational. The compounding effect is what matters most: a missing CSP turns a found XSS into account takeover; a missing HSTS turns a hostile-WiFi connection into session hijack; a missing X-Frame-Options enables clickjacking-driven OAuth grants. Each header alone is small; together they're the difference between defense-in-depth and defense-of-one.

運作方式

Each response header instructs the browser to apply a specific defense. `Content-Security-Policy` restricts which sources scripts, styles, frames, and connects can come from — preventing XSS even when input sanitization fails. `Strict-Transport-Security` (HSTS) forces HTTPS for the configured duration, defeating downgrade attacks on hostile networks. `X-Frame-Options: DENY` (or CSP's `frame-ancestors 'none'`) blocks the page from being embedded in iframes, defeating clickjacking. `X-Content-Type-Options: nosniff` stops the browser from MIME-sniffing a response and treating it as a different content type than the server declared. `Referrer-Policy` limits how much URL info is sent in the `Referer` header on outbound links — protecting tokens that some apps embed in URLs. `Permissions-Policy` disables dangerous browser APIs (camera, geolocation, payment, USB) so an XSS can't suddenly get camera access.

變種

Content-Security-Policy

The most powerful and most fiddly. A strict CSP with `'strict-dynamic'` plus per-request nonces defeats most XSS even when input sanitization fails. Permissive CSPs (with `'unsafe-inline'` everywhere) provide little protection.

Strict-Transport-Security

Once set, browsers refuse plain-HTTP for the duration. Combined with the HSTS preload list, even the first connection is HTTPS. Be careful with long max-age and `includeSubDomains` — hard to roll back.

X-Frame-Options / frame-ancestors

Two ways to express 'don't let other sites embed me.' frame-ancestors is the modern (CSP-based) form; X-Frame-Options is the legacy header still respected by older clients.

Permissions-Policy

The newest of the family. Disables browser features (camera, mic, geolocation) by default for your origin so an XSS can't escalate into device access.

影響范圍

Missing headers rarely cause breaches in isolation — they remove cheap defense layers. A missing CSP means an XSS in your app, however found, escalates to full account takeover via cookie theft and on-page action hijacking. A missing HSTS means hostile-WiFi networks can downgrade users' connections and sniff sessions. A missing X-Frame-Options enables clickjacking — an attacker iframes your OAuth-grant page over a bait UI and tricks users into clicking 'authorize.' Each missing header is a removed safety net.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe checks this class with high-confidence, non-destructive signals and only reports actionable evidence. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Add the recommended headers via your edge layer — Next.js middleware (`headers()` in `next.config.js`), Vercel `headers` config, Cloudflare Worker, nginx `add_header`, or wherever your responses originate. Start with: `Content-Security-Policy: default-src 'self'; script-src 'self' 'strict-dynamic' 'nonce-{NONCE}'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'`. Add `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` and submit to the HSTS preload list once you're sure subdomains can support it. Set `X-Content-Type-Options: nosniff` and `Referrer-Policy: same-origin` (or `strict-origin-when-cross-origin` for mostly-public sites). Use Permissions-Policy to disable browser features your app doesn't use: `Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()`. Validate with securityheaders.com — A grade is achievable with afternoon work, A+ with a strict CSP. Re-check after every framework upgrade.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

HTTP 與表面
26
本類别中触發的测試
模塊
4
專属 http 與表面 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

HTTP Security Headers — 漏洞聚焦 | FixVibe · FixVibe