OpenSkillIndex← back to search
claude-code

Claude-skills security-headers-configuration

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.

install
source · Clone the upstream repo
git clone https://github.com/secondsky/claude-skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/secondsky/claude-skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/security-headers-configuration/skills/security-headers-configuration" ~/.claude/skills/secondsky-claude-skills-security-headers-configuration && rm -rf "$T"
manifest: plugins/security-headers-configuration/skills/security-headers-configuration/SKILL.md
source content

Security Headers Configuration

Implement HTTP security headers to defend against common browser-based attacks.

Essential Headers

HeaderPurposeValue
HSTSForce HTTPS
max-age=31536000; includeSubDomains
CSPRestrict resources
default-src 'self'
X-Frame-OptionsPrevent clickjacking
DENY
X-Content-Type-OptionsPrevent MIME sniffing
nosniff

Express Implementation

const helmet = require('helmet');

app.use(helmet());

// Custom CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));

Nginx Configuration

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

Verification Tools

Security Headers Checklist

  • HSTS enabled with long max-age
  • CSP configured and tested
  • X-Frame-Options set to DENY
  • X-Content-Type-Options set to nosniff
  • Referrer-Policy configured
  • Permissions-Policy disables unused features

Additional Implementations

See references/python-apache.md for:

  • Python Flask security headers middleware
  • Flask-Talisman library configuration
  • Apache .htaccess configuration
  • Header testing script

Common Mistakes

  • Setting CSP to report-only permanently
  • Using overly permissive policies
  • Forgetting to test after changes
  • Not including all subdomains in HSTS