playbooks

home / skills / secondsky / claude-skills / security-headers-configuration

security-headers-configuration skill

/plugins/security-headers-configuration/skills/security-headers-configuration

This skill helps you apply HTTP security headers to harden web apps, guarding against XSS, clickjacking, and MIME sniffing.

npx playbooks add skill secondsky/claude-skills --skill security-headers-configuration

Review the files below or copy the command above to add this skill to your agents.

Files (2)
SKILL.md
2.5 KB
---
name: security-headers-configuration
description: Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
---

# Security Headers Configuration

Implement HTTP security headers to defend against common browser-based attacks.

## Essential Headers

| Header | Purpose | Value |
|--------|---------|-------|
| HSTS | Force HTTPS | `max-age=31536000; includeSubDomains` |
| CSP | Restrict resources | `default-src 'self'` |
| X-Frame-Options | Prevent clickjacking | `DENY` |
| X-Content-Type-Options | Prevent MIME sniffing | `nosniff` |

## Express Implementation

```javascript
const helmet = require('helmet');

app.use(helmet());

// Custom CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));
```

## Nginx Configuration

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
```

## Verification Tools

- [Security Headers](https://securityheaders.com/)
- [Mozilla Observatory](https://observatory.mozilla.org/)
- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)

## Security Headers Checklist

- [ ] HSTS enabled with long max-age
- [ ] CSP configured and tested
- [ ] X-Frame-Options set to DENY
- [ ] X-Content-Type-Options set to nosniff
- [ ] Referrer-Policy configured
- [ ] Permissions-Policy disables unused features

## Additional Implementations

See [references/python-apache.md](references/python-apache.md) for:
- Python Flask security headers middleware
- Flask-Talisman library configuration
- Apache .htaccess configuration
- Header testing script

## Common Mistakes

- Setting CSP to report-only permanently
- Using overly permissive policies
- Forgetting to test after changes
- Not including all subdomains in HSTS

Overview

This skill configures HTTP security headers to harden web applications against XSS, clickjacking, and MIME sniffing. It provides production-ready header sets, examples for Express and Nginx, and verification guidance to help you pass security audits and implement a safe Content Security Policy.

How this skill works

The skill injects and validates common HTTP security headers such as HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. It includes middleware examples for Express (using Helmet), nginx directives, and a checklist plus links to external scanners for automated verification.

When to use it

  • When hardening a web app before production deployment
  • To satisfy requirements during security audits or penetration tests
  • When implementing or tightening a Content-Security-Policy
  • When setting global headers at the webserver or middleware level
  • When you need repeatable, reviewable header configurations

Best practices

  • Enable HSTS with long max-age and includeSubDomains, roll out preload only after testing
  • Start CSP in report-only mode during rollout, then enforce after testing
  • Avoid overly permissive directives (e.g., wildcard sources or broad 'unsafe-*' usage)
  • Test changes with automated scanners (Security Headers, Mozilla Observatory) and real-world traffic
  • Apply headers at the highest layer possible (reverse proxy/nginx) and mirror in app middleware if needed

Example use cases

  • Add Helmet-based middleware in an Express app to set HSTS, CSP, X-Frame-Options, and nosniff
  • Apply nginx add_header directives to enforce headers for static sites and upstream services
  • Use CSP to restrict script and style sources and limit data exfiltration vectors
  • Create an ops checklist to verify header presence after CI/CD deployments
  • Scope Permissions-Policy to disable unused browser features (camera, microphone, geolocation)

FAQ

What CSP should I start with?

Begin with a restrictive baseline such as default-src 'self' and add explicit trusted sources for scripts, styles, images, and connect endpoints. Use report-only to gather violations before enforcing.

Can I rely only on nginx headers?

Setting headers at the webserver is preferred, but mirror important headers in app middleware when responses bypass the server or when more granular control is required.

Is HSTS safe to enable immediately?

Enable HSTS with a conservative max-age initially and test subdomain coverage. Only use preload after thorough validation because preload entries are hard to remove.