CtrlK
BlogDocsLog inGet started
Tessl Logo

security-headers-configuration

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.

94

1.41x
Quality

93%

Does it follow best practices?

Impact

92%

1.41x

Average score across 3 eval scenarios

SecuritybySnyk

Passed

No known issues

SKILL.md
Quality
Evals
Security

Security Headers Configuration

Implement HTTP security headers to defend against common browser-based attacks.

Essential Headers

HeaderPurposeValue
HSTSForce HTTPSmax-age=31536000; includeSubDomains
CSPRestrict resourcesdefault-src 'self'
X-Frame-OptionsPrevent clickjackingDENY
X-Content-Type-OptionsPrevent MIME sniffingnosniff

Express Implementation

const helmet = require('helmet');

app.use(helmet());

// Custom CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));

Nginx Configuration

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

Verification Tools

  • Security Headers
  • Mozilla Observatory
  • CSP Evaluator

Security Headers Checklist

  • HSTS enabled with long max-age
  • CSP configured and tested
  • X-Frame-Options set to DENY
  • X-Content-Type-Options set to nosniff
  • Referrer-Policy configured
  • Permissions-Policy disables unused features

Additional Implementations

See references/python-apache.md for:

  • Python Flask security headers middleware
  • Flask-Talisman library configuration
  • Apache .htaccess configuration
  • Header testing script

Common Mistakes

  • Setting CSP to report-only permanently
  • Using overly permissive policies
  • Forgetting to test after changes
  • Not including all subdomains in HSTS
Repository
secondsky/claude-skills
Commit

90d6bd7

Last updated
Created

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.

Claim skill