Back to Skills

security-headers-configuration

verified

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.

View on GitHub

Marketplace

claude-skills

secondsky/claude-skills

Plugin

security-headers-configuration

security

Repository

secondsky/claude-skills
28stars

plugins/security-headers-configuration/skills/security-headers-configuration/SKILL.md

Last Verified

January 24, 2026

Install Skill

Select agents to install to:

Scope:
npx add-skill https://github.com/secondsky/claude-skills/blob/main/plugins/security-headers-configuration/skills/security-headers-configuration/SKILL.md -a claude-code --skill security-headers-configuration

Installation paths:

Claude
.claude/skills/security-headers-configuration/
Powered by add-skill CLI

Instructions

# Security Headers Configuration

Implement HTTP security headers to defend against common browser-based attacks.

## Essential Headers

| Header | Purpose | Value |
|--------|---------|-------|
| HSTS | Force HTTPS | `max-age=31536000; includeSubDomains` |
| CSP | Restrict resources | `default-src 'self'` |
| X-Frame-Options | Prevent clickjacking | `DENY` |
| X-Content-Type-Options | Prevent MIME sniffing | `nosniff` |

## Express Implementation

```javascript
const helmet = require('helmet');

app.use(helmet());

// Custom CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));
```

## Nginx Configuration

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
```

## Verification Tools

- [Security Headers](https://securityheaders.com/)
- [Mozilla Observatory](https://observatory.mozilla.org/)
- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)

## Security Headers Checklist

- [ ] HSTS enabled with long max-age
- [ ] CSP configured and tested
- [ ] X-Frame-Options set to DENY
- [ ] X-Content-Type-Options set to nosniff
- [ ] Referrer-Policy configured
- [ ] Permissions-Policy disables unused features

## Additional Implementations

See [references/python-apache.md](references/python-apache.md) for:
- Python Flask security headers m

Validation Details

Front Matter
Required Fields
Valid Name Format
Valid Description
Has Sections
Allowed Tools
Instruction Length:
2227 chars