security-headers-configuration
Imported from https://github.com/secondsky/claude-skills.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install secondsky-claude-skills-security-headers-configuration
Repository
Skill path: plugins/security-headers-configuration/skills/security-headers-configuration
Imported from https://github.com/secondsky/claude-skills.
Open repositoryBest for
Primary workflow: Run DevOps.
Technical facets: Full Stack, Security.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: secondsky.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install security-headers-configuration into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/secondsky/claude-skills before adding security-headers-configuration to shared team environments
- Use security-headers-configuration for development workflows
Works across
Favorites: 0.
Sub-skills: 0.
Aggregator: No.
Original source / Raw SKILL.md
---
name: security-headers-configuration
description: Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
---
# Security Headers Configuration
Implement HTTP security headers to defend against common browser-based attacks.
## Essential Headers
| Header | Purpose | Value |
|--------|---------|-------|
| HSTS | Force HTTPS | `max-age=31536000; includeSubDomains` |
| CSP | Restrict resources | `default-src 'self'` |
| X-Frame-Options | Prevent clickjacking | `DENY` |
| X-Content-Type-Options | Prevent MIME sniffing | `nosniff` |
## Express Implementation
```javascript
const helmet = require('helmet');
app.use(helmet());
// Custom CSP
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.example.com"],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
frameAncestors: ["'none'"]
}
}));
```
## Nginx Configuration
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
```
## Verification Tools
- [Security Headers](https://securityheaders.com/)
- [Mozilla Observatory](https://observatory.mozilla.org/)
- [CSP Evaluator](https://csp-evaluator.withgoogle.com/)
## Security Headers Checklist
- [ ] HSTS enabled with long max-age
- [ ] CSP configured and tested
- [ ] X-Frame-Options set to DENY
- [ ] X-Content-Type-Options set to nosniff
- [ ] Referrer-Policy configured
- [ ] Permissions-Policy disables unused features
## Additional Implementations
See [references/python-apache.md](references/python-apache.md) for:
- Python Flask security headers middleware
- Flask-Talisman library configuration
- Apache .htaccess configuration
- Header testing script
## Common Mistakes
- Setting CSP to report-only permanently
- Using overly permissive policies
- Forgetting to test after changes
- Not including all subdomains in HSTS