What Is an HTTP Header Checker?
An HTTP Header Checker is a tool that sends a request to any URL and displays the HTTP response headers the server returns. It shows information such as the content type, caching rules, server software and security headers such as HSTS, CSP and X-Frame-Options.
Our tool also assigns a security grade from A to F with specific recommendations for improving your website's security. Security headers are the first line of defence against attacks such as XSS, clickjacking and MIME sniffing. Checking headers regularly is essential to ensure your site is protected and complies with web security standards.

How to Check HTTP Headers
It only takes three simple steps to check the HTTP headers of any website:
Enter the URL of the site you want to check in the input box above. The tool supports both HTTP and HTTPS.
Click the 'Check Headers' button. The tool sends an HTTP request to the server and collects all the response headers it returns, including server, cache, security and content information.
Review all the headers displayed together with the overall security grade (A-F). Each security header is evaluated individually with specific improvement recommendations. Missing headers are flagged so you can address them.
Important Security Headers
These are the most important security headers every website should configure to protect its users and data:

Strict-Transport-Security (HSTS): forces the browser to use HTTPS only. Prevents SSL stripping and man-in-the-middle attacks. Recommended: max-age=31536000; includeSubDomains; preload.
Content-Security-Policy (CSP): controls which resources (scripts, styles, images) may be loaded on the page. Prevents XSS attacks by blocking unauthorised scripts.
X-Frame-Options: controls whether the site may be loaded in an iframe. DENY or SAMEORIGIN prevents clickjacking attacks.
X-Content-Type-Options: prevents MIME sniffing with the value 'nosniff'. Forces the browser to respect the Content-Type declared by the server.
Referrer-Policy: controls what referrer information is sent with requests. 'strict-origin-when-cross-origin' is the recommended value.
Permissions-Policy: restricts browser APIs such as camera, microphone and geolocation. Limits features the site does not need.
Understanding the Header Security Grade
The scoring system evaluates six key security headers with different weights. Here is what each grade level means:

Excellent: all key security headers are configured correctly. The website has the best possible HTTP security.
Good: overall security is good, but a few minor gaps still need to be filled.
Average: basic security is in place, but further improvement is needed to reach a safe level.
Weak: many important security headers are missing. Act now to improve.
Critical: almost no security headers are present. The website is exposed to XSS, clickjacking and other threats.
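As an added example (not the tool's own code), the following Python function applies the header checks listed above to a dict of response headers and turns the result into a grade. The expected values are the ones the page recommends; the weights, the grade thresholds and the sample headers are constructed assumptions, since the tool's actual weighting is not published.

```python
import re

# Expected values come from the list above; weights and thresholds are assumptions.
def _hsts_ok(v):
    m = re.search(r"max-age=(\d+)", v)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in v

CHECKS = [
    # (header, weight, predicate on the lowercased value, recommendation)
    ("strict-transport-security", 3, _hsts_ok,
     "max-age=31536000; includeSubDomains; preload"),
    ("content-security-policy", 3, lambda v: "default-src" in v or "script-src" in v,
     "a policy that sets at least default-src or script-src"),
    ("x-frame-options", 2, lambda v: v.strip() in ("deny", "sameorigin"),
     "DENY or SAMEORIGIN"),
    ("x-content-type-options", 1, lambda v: v.strip() == "nosniff", "nosniff"),
    ("referrer-policy", 1, lambda v: v.strip() == "strict-origin-when-cross-origin",
     "strict-origin-when-cross-origin"),
    ("permissions-policy", 1, lambda v: v.strip() != "",
     "for example camera=(), microphone=(), geolocation=()"),
]

def evaluate_headers(headers):
    """Return (grade, percent, findings) for a dict of response headers."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    earned, total, findings = 0, 0, []
    for name, weight, ok, advice in CHECKS:
        total += weight
        value = lower.get(name)
        if value is None:
            findings.append(f"{name}: missing, recommended {advice}")
        elif not ok(value.lower()):
            findings.append(f"{name}: weak value {value!r}, recommended {advice}")
        else:
            earned += weight
    percent = round(100 * earned / total)
    grade = ("A" if percent >= 90 else "B" if percent >= 75 else
             "C" if percent >= 50 else "D" if percent >= 25 else "F")
    return grade, percent, findings

# Constructed sample: HSTS, framing and nosniff set; CSP, Referrer-Policy and
# Permissions-Policy missing, which should land in the "Average" band.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    print(evaluate_headers(SAMPLE_HEADERS))
```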
How to Add Security Headers
Security headers can be added in several ways depending on your server and platform:
Nginx
Add an add_header directive in the server block of nginx.conf. Example: add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache
Use Header set in .htaccess. Example: Header set X-Frame-Options "DENY". Make sure the mod_headers module is enabled.
Cloudflare
Use Transform Rules to add custom response headers to all requests. Configure them in the Cloudflare Dashboard under Rules.
Next.js / Vercel
Configure headers in next.config.js or vercel.json with route rules. Use the headers() array to define each header.
Common HTTP Headers
Besides security headers, an HTTP response contains many other important headers that provide information about the server and the content:

Server & Content Headers
Server (server software), Content-Type (content type), Content-Length (response size), Content-Encoding (gzip/brotli compression), X-Powered-By (framework/language).
Cache & Performance Headers
Cache-Control (caching rules), ETag (resource version), Expires (expiry date), Vary (conditional caching), Age (time spent in the CDN cache).
Related Network & Security Tools
Explore our other free tools for checking website security and analysing websites:
Check the SSL certificate, TLS version and certificate chain.
Identify the CMS, web server and CDN of any website.
Look up the DNS records of any domain name.
Check the overall DNS health and security of a domain.
Find all internal and external links on any page.
Trace the 301/302 redirect chain of any URL.