- Home
- Skills
- Secondsky
- Claude Skills
- Security Headers Configuration
security-headers-configuration_skill
- TypeScript
52
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill secondsky/claude-skills --skill security-headers-configuration- SKILL.md2.5 KB
Overview
This skill configures HTTP security headers to harden web applications against XSS, clickjacking, and MIME sniffing. It provides production-ready header sets, examples for Express and Nginx, and verification guidance to help you pass security audits and implement a safe Content Security Policy.
How this skill works
The skill injects and validates common HTTP security headers such as HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options. It includes middleware examples for Express (using Helmet), nginx directives, and a checklist plus links to external scanners for automated verification.
When to use it
- When hardening a web app before production deployment
- To satisfy requirements during security audits or penetration tests
- When implementing or tightening a Content-Security-Policy
- When setting global headers at the webserver or middleware level
- When you need repeatable, reviewable header configurations
Best practices
- Enable HSTS with long max-age and includeSubDomains, roll out preload only after testing
- Start CSP in report-only mode during rollout, then enforce after testing
- Avoid overly permissive directives (e.g., wildcard sources or broad 'unsafe-*' usage)
- Test changes with automated scanners (Security Headers, Mozilla Observatory) and real-world traffic
- Apply headers at the highest layer possible (reverse proxy/nginx) and mirror in app middleware if needed
Example use cases
- Add Helmet-based middleware in an Express app to set HSTS, CSP, X-Frame-Options, and nosniff
- Apply nginx add_header directives to enforce headers for static sites and upstream services
- Use CSP to restrict script and style sources and limit data exfiltration vectors
- Create an ops checklist to verify header presence after CI/CD deployments
- Scope Permissions-Policy to disable unused browser features (camera, microphone, geolocation)
FAQ
Begin with a restrictive baseline such as default-src 'self' and add explicit trusted sources for scripts, styles, images, and connect endpoints. Use report-only to gather violations before enforcing.
Can I rely only on nginx headers?
Setting headers at the webserver is preferred, but mirror important headers in app middleware when responses bypass the server or when more granular control is required.
Is HSTS safe to enable immediately?
Enable HSTS with a conservative max-age initially and test subdomain coverage. Only use preload after thorough validation because preload entries are hard to remove.