
analyzing-security-headers

This skill analyzes HTTP security headers of a given domain to identify potential vulnerabilities and misconfigurations. It provides a detailed report with a grade, score, and recommendations for improvement. Use this skill when the user asks to "analyze security headers", "check HTTP security", "scan for security vulnerabilities", or requests a "security audit" of a website. It will automatically activate when security-related keywords are used in conjunction with domain names or URLs.

Install with Tessl CLI

npx tessl i github:jeremylongshore/claude-code-plugins-plus-skills --skill analyzing-security-headers

88 · 1.16x

Quality: 60% (Does it follow best practices?)

Impact: 94% · 1.16x (Average score across 9 eval scenarios)

Optimize this skill with Tessl

npx tessl skill review --optimize ./backups/skills-migration-20251108-070147/plugins/security/security-headers-analyzer/skills/security-headers-analyzer/SKILL.md

Evaluation results

94% · 11%

Website Security Header Assessment
Structured security report with grade and score

Criteria                                  Without context   With context
Security grade present                    100%              100%
Numeric score present                     0%                100%
Missing headers identified                100%              100%
Misconfigured headers identified          100%              70%
Per-header recommendations                100%              100%
HSTS coverage                             100%              100%
CSP coverage                              100%              100%
Headers checked against best practices    37%               62%
Actionable recommendations                100%              100%
Report covers multiple header types       100%              100%

Without context: $0.2457 · 2m 45s · 12 turns · 14 in / 5,182 out tokens
With context: $0.4734 · 3m 40s · 26 turns · 428 in / 6,249 out tokens

98% · 24%

Pre-Audit HTTP Security Review
HSTS and CSP prioritization in recommendations

Criteria                                  Without context   With context
HSTS prioritized                          85%               100%
Downgrade attack explanation              33%               100%
CSP recommendation present                100%              100%
CSP strictness mentioned                  100%              100%
XSS mitigation linked to CSP              100%              100%
Security grade present                    62%               100%
Numeric score present                     0%                100%
Actionable HSTS fix                       100%              100%
Multiple headers assessed                 100%              100%
Missing vs misconfigured distinction      16%               66%

Without context: $0.5927 · 3s · 2 turns · 4 in / 129 out tokens
With context: $0.5052 · 5m 37s · 26 turns · 58 in / 7,938 out tokens

100% · 8%

Security Header Monitoring Program
Ongoing monitoring and integration recommendations

Criteria                                  Without context   With context
Regular scan recommendation               100%              100%
Integration with other tools              100%              100%
Security grade present                    100%              100%
Numeric score present                     0%                100%
Missing headers listed                    100%              100%
Actionable immediate fixes                100%              100%
HSTS mentioned                            100%              100%
CSP mentioned                             100%              100%
Monitoring cadence specificity            100%              100%
Comprehensive header coverage             100%              100%
Regression detection guidance             100%              100%

Without context: $0.2021 · 2m 30s · 9 turns · 9 in / 4,865 out tokens
With context: $0.4884 · 4m 27s · 22 turns · 56 in / 8,538 out tokens

100%

Merger Security Posture Comparison
Comparative multi-domain security analysis

Criteria                                  Without context   With context
Grade for domain 1                        100%              100%
Score for domain 1                        100%              100%
Grade for domain 2                        100%              100%
Score for domain 2                        100%              100%
HSTS assessed per domain                  100%              100%
CSP assessed per domain                   100%              100%
Comparative verdict                       100%              100%
Per-domain recommendations                100%              100%
HSTS downgrade attack                     100%              100%
CSP XSS mitigation                        100%              100%
Missing vs present distinction            100%              100%

Without context: $0.2396 · 3m 7s · 12 turns · 11 in / 4,960 out tokens
With context: $0.4769 · 4m 34s · 24 turns · 427 in / 6,562 out tokens

84% · 11%

Web Server Security Header Hardening
Concrete server implementation examples

Criteria                                  Without context   With context
Security grade present                    0%                100%
Numeric score present                     0%                100%
HSTS directive example                    100%              100%
HSTS listed first or as top priority      0%                0%
Downgrade attack prevention               50%               60%
CSP directive example                     100%              100%
CSP strictness guidance                   100%              80%
CSP linked to XSS                         100%              100%
Multiple header directives                100%              100%
Actionable without further research       100%              100%
Missing vs misconfigured                  100%              100%

Without context: $0.3186 · 2m 38s · 16 turns · 16 in / 5,454 out tokens
With context: $0.4995 · 5m 2s · 24 turns · 57 in / 7,355 out tokens

92% · 8%

Third-Party Payment Provider Security Vetting
Vendor security assessment with integration guidance

Criteria                                  Without context   With context
Security grade present                    66%               100%
Numeric score present                     0%                100%
HSTS coverage                             100%              100%
HSTS downgrade protection                 100%              100%
CSP coverage                              100%              100%
CSP XSS link                              0%                0%
Ongoing monitoring plan                   100%              100%
Monitoring frequency specified            100%              100%
Complementary tools mentioned             100%              100%
Missing vs misconfigured                  100%              100%
Actionable recommendations                100%              100%
Multiple headers assessed                 100%              100%

Without context: $0.2414 · 3m 33s · 11 turns · 12 in / 5,076 out tokens
With context: $0.4406 · 4m 1s · 18 turns · 17 in / 8,198 out tokens

88% · -8%

Fintech Platform Security Review Before Banking Partner Due Diligence
Fintech pre-launch security compliance report

Criteria                                  Without context   With context
Security grade present                    100%              100%
Numeric score present                     100%              100%
Missing headers identified                100%              100%
Misconfigured headers identified          100%              100%
Per-header recommendations                100%              100%
HSTS listed as top priority               100%              100%
HSTS downgrade attack explanation         100%              0%
HSTS directive example                    100%              100%
CSP strict policy recommended             66%               100%
CSP linked to XSS                         100%              100%
Multiple headers covered                  100%              100%

Without context: $0.2557 · 3m 26s · 13 turns · 11 in / 5,942 out tokens
With context: $0.4806 · 5m 18s · 27 turns · 93 in / 7,761 out tokens

98% · 18%

API Gateway Security Header Audit for Mobile App Backend
API endpoint security header analysis

Criteria                                  Without context   With context
Security grade present                    100%              100%
Numeric score present                     100%              100%
Missing vs present distinction            100%              100%
HSTS assessed                             100%              100%
HSTS downgrade prevention                 100%              100%
HSTS concrete directive                   100%              100%
HSTS as top priority                      100%              100%
CSP assessed                              100%              100%
Strict CSP recommended                    0%                80%
CSP XSS linkage                           0%                100%
Actionable concrete recommendations       100%              100%
Multiple headers assessed                 100%              100%

Without context: $0.2688 · 2m 50s · 11 turns · 11 in / 5,281 out tokens
With context: $0.5004 · 4m 31s · 23 turns · 24 in / 8,051 out tokens

100%

Comprehensive Security Assessment with Long-Term Monitoring Strategy
Vulnerability scanner integration and comprehensive security assessment

Criteria                                       Without context   With context
Security grade present                         100%              100%
Numeric score present                          100%              100%
Missing headers identified                     100%              100%
Misconfigured headers identified               100%              100%
Regular scanning recommended                   100%              100%
Scanning frequency specified                   100%              100%
Regression detection guidance                  100%              100%
Complementary security tools mentioned         100%              100%
Vulnerability scanner specifically mentioned   100%              100%
HSTS downgrade protection                      100%              100%
CSP XSS mitigation                             100%              100%
Actionable remediation steps                   100%              100%

Without context: $0.4048 · 4m 16s · 12 turns · 12 in / 9,286 out tokens
With context: $0.5167 · 4m 52s · 23 turns · 56 in / 8,123 out tokens

Evaluated with agent: Claude Code · model: Claude Sonnet 4.6
