Full Security Headers Audit
Complete security headers audit: check all headers, generate missing ones, and evaluate the overall security posture.
When to use this recipe
Quarterly security headers audit for compliance and vulnerability prevention. Covers the OWASP-recommended headers and checks that they work together coherently (for example, that the origins allowed by CORS agree with the sources allowed by CSP).
Steps
Security Header Checker
Try this tool → Audit existing headers
CSP Generator
Try this tool → Generate the missing CSP
CSP Evaluator
Try this tool → Grade the CSP
CORS Generator
Try this tool → Align CORS with the CSP
SRI Hash Generator
Try this tool → Add integrity protection
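The first step of the recipe, the audit, can be reproduced offline. The script below is an added example, not the site's own checker: it takes a response-header dict (the shape `requests` or any HTTP client gives you), reports the six headers the FAQ requires when they are missing, and flags weak values (short or incomplete HSTS, a CSP with no `default-src` or with `'unsafe-inline'`/`*` in script sources, obsolete `X-Frame-Options` values, leaky `Referrer-Policy` values). The two header sets and the letter-grade scale are constructed for illustration and are not securityheaders.com's scoring.

```python
"""Offline security-headers audit (added example, not the site's tool)."""
import re

ONE_YEAR = 31536000  # seconds; the HSTS preload list requires max-age >= 1 year

# Headers the FAQ lists as required for an A+.
REQUIRED = [
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
]

# Referrer-Policy values that send the full URL to other origins over HTTPS.
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

# CSP source expressions that defeat script-injection protection.
DANGEROUS_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


def _norm(headers):
    """Header names are case-insensitive; compare on lower-cased keys."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_hsts(value):
    issues = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        issues.append("HSTS has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append(f"HSTS max-age {m.group(1)} is below one year")
    low = value.lower()
    if "includesubdomains" not in low:
        issues.append("HSTS missing includeSubDomains")
    if "preload" not in low:
        issues.append("HSTS missing preload")
    return issues


def check_csp(value):
    issues = []
    directives = {}
    for part in value.split(";"):          # "name src src" groups separated by ';'
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    if "default-src" not in directives:
        issues.append("CSP has no default-src fallback")
    for name in ("default-src", "script-src"):
        for src in directives.get(name, []):
            if src.lower() in DANGEROUS_SOURCES:
                issues.append(f"CSP {name} allows {src}")
    return issues


def audit_headers(headers):
    """Return a list of human-readable findings; an empty list means clean."""
    h = _norm(headers)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    if "strict-transport-security" in h:
        findings += check_hsts(h["strict-transport-security"])
    if "content-security-policy" in h:
        findings += check_csp(h["content-security-policy"])
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"X-Content-Type-Options should be nosniff, got {xcto!r}")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete and ignored
        findings.append(f"X-Frame-Options {xfo!r} is not DENY or SAMEORIGIN")
    if h.get("referrer-policy", "").lower() in WEAK_REFERRER:
        findings.append(f"Referrer-Policy {h['referrer-policy']!r} leaks full URLs cross-origin")
    for leaky in ("server", "x-powered-by"):  # version disclosure, worth noting in an audit
        if leaky in h:
            findings.append(f"{leaky} header discloses {h[leaky]!r}")
    return findings


def grade(findings):
    """Illustrative scale (assumption): A+ with no findings, one letter per finding."""
    scale = ["A+", "A", "B", "C", "D", "E", "F"]
    return scale[min(len(findings), len(scale) - 1)]


# Constructed sample header sets (not captured from a real site).
WEAK_EXAMPLE = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' *",
}
HARDENED_EXAMPLE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        f = audit_headers(hdrs)
        print(f"{label}: grade {grade(f)}")
        for line in f:
            print("  -", line)
```

Feed it the headers of a live response (for example `audit_headers(requests.get(url).headers)`) and work down the findings list; the hardened sample shows the shape of a clean result.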
Frequently asked questions
What security grade should I aim for?
A+ on securityheaders.com. Required headers: Content-Security-Policy, Strict-Transport-Security (with preload), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. Browsers that support CSP give its frame-ancestors directive precedence over X-Frame-Options; keep both so older clients are covered, and make sure they agree.
Can security headers break my site?
Yes, especially CSP. Deploy it first as Content-Security-Policy-Report-Only so violations are reported but nothing is blocked, then switch to enforcing once the reports are clean. HSTS with preload is effectively permanent: once your domain is in the browser preload lists, removal takes months to reach users, so test thoroughly before submitting. X-Frame-Options: DENY stops every origin from framing the page, including your own; use SAMEORIGIN (or CSP frame-ancestors 'self') if you embed your own pages.
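The report-only rollout described above can be driven from a small script. This is an added example, not the site's CSP generator: it emits the same policy under `Content-Security-Policy-Report-Only` (with a `report-uri` so the browser has somewhere to POST violations), aggregates the reports that come back, and proposes allowlist additions for repeat offenders. Inline and eval violations are deliberately never turned into `'unsafe-inline'`; they need a nonce, a hash or a code change. The report bodies are constructed samples in the legacy `csp-report` JSON shape and the `/csp-report` endpoint path is an assumption.

```python
"""CSP report-only rollout helper (added example, not the site's generator)."""
import json
from collections import Counter
from urllib.parse import urlsplit


def parse_policy(policy):
    """Split 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def serialize_policy(directives):
    return "; ".join(" ".join([name] + sources) for name, sources in directives.items())


def rollout_headers(policy, enforce=False, report_uri="/csp-report"):
    """Header for the current phase. Report-only reports violations but blocks nothing;
    flip enforce=True once the reports are clean. report_uri path is an assumption."""
    d = parse_policy(policy)
    d.setdefault("report-uri", [report_uri])
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return {name: serialize_policy(d)}


def summarize_reports(report_bodies):
    """Count (effective directive, blocked origin) pairs across violation reports."""
    counts = Counter()
    for body in report_bodies:
        r = json.loads(body)["csp-report"]
        # Older browsers omit effective-directive; fall back to the violated one.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        blocked = r.get("blocked-uri", "")
        if blocked in ("inline", "eval", "data", ""):
            origin = blocked or "(unknown)"
        else:
            parts = urlsplit(blocked)          # reduce a full URL to its origin
            origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else blocked
        counts[(directive, origin)] += 1
    return counts


def suggest_additions(policy, counts, min_hits=2):
    """Propose sources to add for violations seen at least min_hits times."""
    d = parse_policy(policy)
    suggestions = []
    for (directive, origin), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        if n < min_hits:
            continue
        if origin in ("inline", "eval", "data", "(unknown)"):
            suggestions.append(f"{directive}: {n} '{origin}' violations; "
                               "fix the code or add a nonce/hash rather than 'unsafe-inline'")
            continue
        current = d.get(directive, d.get("default-src", []))
        if origin not in current:
            suggestions.append(f"{directive}: consider adding {origin} ({n} reports)")
    return suggestions


POLICY = "default-src 'self'; script-src 'self'; img-src 'self'; object-src 'none'"


def _report(directive, blocked):
    """Build a constructed legacy-format violation report."""
    return json.dumps({"csp-report": {
        "document-uri": "https://app.example/",
        "violated-directive": f"{directive} 'self'",
        "effective-directive": directive,
        "blocked-uri": blocked,
        "original-policy": POLICY,
    }})


# Constructed sample reports, not captured from a real browser.
SAMPLE_REPORTS = [
    _report("script-src", "https://cdn.example.net/lib.js"),
    _report("script-src", "https://cdn.example.net/vendor.js"),
    _report("script-src", "inline"),
    _report("img-src", "https://tracker.example.org/pixel.gif"),
]

if __name__ == "__main__":
    print(rollout_headers(POLICY))
    counts = summarize_reports(SAMPLE_REPORTS)
    for line in suggest_additions(POLICY, counts):
        print("-", line)
    print(rollout_headers(POLICY, enforce=True))
```

Run the report-only header for a full release cycle, review the suggestions by hand (a third-party origin showing up in reports is a reason to ask why it is loading, not an automatic allowlist entry), then re-emit the same policy with `enforce=True`.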
Related recipes
Secure Password Workflow
Generate a strong password, verify its strength, and hash it for storage — a complete password security pipeline.
Web Security Header Audit
Audit your website's security headers, generate a CSP policy, evaluate it, and configure CORS.
JWT Authentication Setup
Set up JWT-based authentication: generate tokens, create signing keys, and implement TOTP for 2FA.
API Security Hardening
Harden your API with HMAC request signing, secure secrets, and SRI for client-side integrity.