security-headers

from curiouslearner/devkit

Comprehensive development toolkit: 52 professional skills for Claude Code across development, code quality, API, database, security, DevOps, data analytics, and collaboration

19 stars, 4 forks. Updated Oct 20, 2025
npx skills add https://github.com/curiouslearner/devkit --skill security-headers

SKILL.md

Security Headers Skill

Validate and implement HTTP security headers to protect web applications.

Instructions

You are a web security headers expert. When invoked:

  1. Analyze Security Headers:

    • Scan HTTP response headers
    • Identify missing security headers
    • Check header configurations
    • Detect misconfigurations
    • Validate CSP policies
    • Review CORS settings
  2. Security Assessment:

    • Rate header security posture
    • Identify vulnerabilities
    • Check compliance with best practices
    • Test for bypass techniques
    • Validate header syntax
  3. Attack Prevention:

    • XSS (Cross-Site Scripting)
    • Clickjacking
    • MIME-sniffing attacks
    • Man-in-the-Middle attacks
    • Information disclosure
    • Cache poisoning
    • Protocol downgrade attacks
  4. Compliance Checking:

    • OWASP recommendations
    • Security standards (PCI-DSS, HIPAA)
    • Browser compatibility
    • Performance impact assessment
  5. Generate Report: Provide comprehensive header analysis with implementation guidance

Critical Security Headers

Content Security Policy (CSP)

Purpose: Prevent XSS attacks by controlling resource loading

Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.googleapis.com; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Directives:

  • default-src: Fallback for other directives
  • script-src: JavaScript sources
  • style-src: CSS sources
  • img-src: Image sources
  • font-src: Font sources
  • connect-src: AJAX, WebSocket, EventSource
  • frame-src: Iframe sources
  • frame-ancestors: Pages that can embed this page
  • base-uri: Base tag URLs
  • form-action: Form submission targets

Strict-Transport-Security (HSTS)

Purpose: Force HTTPS connections

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Parameters:

  • max-age: Duration in seconds (recommended: 31536000 = 1 year)
  • includeSubDomains: Apply to all subdomains
  • preload: Include in browser preload lists

X-Frame-Options

Purpose: Prevent clickjacking attacks

X-Frame-Options: DENY

Values:

  • DENY: Cannot be framed at all
  • SAMEORIGIN: Can only be framed by same origin
  • ALLOW-FROM uri: Deprecated; use the CSP frame-ancestors directive instead

X-Content-Type-Options

Purpose: Prevent MIME-sniffing attacks

X-Content-Type-Options: nosniff

X-XSS-Protection

Purpose: Enable browser XSS filter (legacy, CSP is preferred)

X-XSS-Protection: 1; mode=block

Note: Deprecated in favor of Content-Security-Policy

Referrer-Policy

Purpose: Control referrer information

Referrer-Policy: strict-origin-when-cross-origin

Values:

  • no-referrer: Never send referrer
  • no-referrer-when-downgrade: Default behavior
  • origin: Send only origin
  • origin-when-cross-origin: Full URL for same-origin requests, origin only for cross-origin
  • same-origin: Only for same-origin requests
  • strict-origin: Origin only, not on HTTPS→HTTP
  • strict-origin-when-cross-origin: Recommended
  • unsafe-url: Always send full URL (not recommended)

Permissions-Policy

Purpose: Control browser features and APIs

Permissions-Policy: geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()

Cross-Origin Headers

CORP (Cross-Origin-Resource-Policy)

Cross-Origin-Resource-Policy: same-origin

COEP (Cross-Origin-Embedder-Policy)

Cross-Origin-Embedder-Policy: require-corp

COOP (Cross-Origin-Opener-Policy)

Cross-Origin-Opener-Policy: same-origin

Usage Examples

@security-headers
@security-headers https://example.com
@security-headers --check-csp
@security-headers --report
@security-headers --fix
@security-headers localhost:3000

Header Scanning Commands

Using curl

# Check all headers
curl -I https://example.com

# Check specific header
curl -I https://example.com | grep -i "content-security-policy"

# Follow redirects
curl -IL https://example.com

# Detailed headers
curl -v https://example.com 2>&1 | grep -i "^< "

Using online tools

# Mozilla Observatory
curl "https://http-observatory.security.mozilla.org/api/v1/analyze?host=example.com"

# Security Headers
curl "https://securityheaders.com/?q=example.com&followRedirects=on"

Using custom scripts

# Node.js header checker
node check-headers.js https://example.com

# Python header scanner
python3 scan_headers.py https://example.com
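An added example of such a scanner, written for this page and not the repo's scan_headers.py: it checks a constructed header set against the critical headers listed above (presence, weak CSP script sources, missing CSP directives, HSTS max-age and includeSubDomains) and scores the result in the report's letter-grade style. The scoring weights and grade thresholds are assumptions, not the skill's own.

```python
import re
# Constructed sample response headers for a hypothetical site (not from any real scan).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:; "
                               "style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
REQUIRED = ["Content-Security-Policy", "Strict-Transport-Security", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "https:", "http:", "data:")

def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; browsers honour the first occurrence."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_headers(headers):
    """Return a list of findings; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name.lower() not in h]
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        scripts = csp.get("script-src", csp.get("default-src", []))  # default-src is the fallback
        findings += [f"CSP script-src allows {s}" for s in WEAK_SCRIPT_SOURCES if s in scripts]
        findings += [f"CSP lacks {d}" for d in ("frame-ancestors", "base-uri", "form-action")
                     if d not in csp]
    if "strict-transport-security" in h:
        hsts = h["strict-transport-security"].lower()
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:   # recommended minimum: one year
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts:
            findings.append("HSTS missing includeSubDomains")
    return findings

def score(findings):
    """Assumed scoring (not the skill's): 5 points off per finding, letter grade like the report."""
    points = max(0, 100 - 5 * len(findings))
    return points, "ABCDF"[sum(points < t for t in (90, 80, 65, 50))]

if __name__ == "__main__":
    found = check_headers(SAMPLE_HEADERS)
    print("\n".join(found), "Score: %d/100  Grade: %s" % score(found), sep="\n")
```

To scan a live site, feed the function the header dict from a real response instead of SAMPLE_HEADERS (for example from curl -I output or a requests/urllib response).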

Security Headers Report Format

# Security Headers Analysis Report

**Website**: https://example.com
**Scan Date**: 2024-01-15 14:30:00 UTC
**Scanner**: Security Headers Analyzer v2.0

---

## Overall Security Score

**Grade**: C
**Score**: 62/100

🔴 Critical Issues: 2
🟠

...

Repository Stats

Stars: 19
Forks: 4
License: MIT License