ReddRadar
Agent skill
security-headers-configuration
Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
Install this agent skill to your Project
npx add-skill https://github.com/secondsky/claude-skills/tree/main/plugins/security-headers-configuration/skills/security-headers-configuration
SKILL.md
Security Headers Configuration
Implement HTTP security headers to defend against common browser-based attacks.
Essential Headers
| Header | Purpose | Value |
|---|---|---|
| HSTS | Force HTTPS | max-age=31536000; includeSubDomains |
| CSP | Restrict resources | default-src 'self' |
| X-Frame-Options | Prevent clickjacking | DENY |
| X-Content-Type-Options | Prevent MIME sniffing | nosniff |
Express Implementation
const helmet = require('helmet');
app.use(helmet());
// Custom CSP
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.example.com"],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
frameAncestors: ["'none'"]
}
}));
Nginx Configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
Verification Tools
Security Headers Checklist
- HSTS enabled with long max-age
- CSP configured and tested
- X-Frame-Options set to DENY
- X-Content-Type-Options set to nosniff
- Referrer-Policy configured
- Permissions-Policy disables unused features
Additional Implementations
See references/python-apache.md for:
- Python Flask security headers middleware
- Flask-Talisman library configuration
- Apache .htaccess configuration
- Header testing script
Common Mistakes
- Setting CSP to report-only permanently
- Using overly permissive policies
- Forgetting to test after changes
- Not including all subdomains in HSTS
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
secondsky/claude-skills
skill-name
[TODO: Write comprehensive description in third-person. Start with "This skill provides..." or "This skill should be used when..."] [TODO: Add "Use when" scenarios - specific situations where Claude should use this skill] [TODO: Add keywords - technologies, use cases, error messages that should trigger this skill]
secondsky/claude-skills
websocket-implementation
Implements real-time WebSocket communication with connection management, room-based messaging, and horizontal scaling. Use when building chat systems, live notifications, collaborative tools, or real-time dashboards.
secondsky/claude-skills
ai-sdk-ui
secondsky/claude-skills
bun-nextjs
This skill should be used when the user asks about "Next.js with Bun", "Bun and Next", "running Next.js on Bun", "Next.js development with Bun", "create-next-app with Bun", or building Next.js applications using Bun as the runtime.
secondsky/claude-skills
bun-sqlite
Use for bun:sqlite, SQLite operations, prepared statements, transactions, and queries.
secondsky/claude-skills
bun-sveltekit
Use when building or running SvelteKit apps on Bun, including SSR, adapters, and Bun-specific APIs
Didn't find tool you were looking for?