
security-headers-configuration

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.

Overall score: 94 (1.41x)
Quality: 93% (does it follow best practices?)
Impact: 92% (1.41x), average score across 3 eval scenarios
Security (by Snyk): Passed, no known issues


Evaluation results

Hardening an Express.js API Before Security Audit
Express.js helmet security headers
Scenario scores as shown on the page: 96%, 22%

Criteria                           Without context   With context
Helmet package used                           100%           100%
Helmet added as middleware                    100%           100%
helmet in package.json                        100%           100%
CSP default-src 'self'                        100%           100%
frameAncestors none                             0%           100%
X-Frame-Options DENY                            0%            50%
X-Content-Type-Options nosniff                100%           100%
HSTS includeSubDomains                        100%           100%
CSP enforcement mode                          100%           100%
Non-permissive CSP policy                     100%           100%
img-src allows data and https                   0%           100%

Flask Application Security Compliance Review
Flask-Talisman nonce-based CSP
Scenario scores as shown on the page: 82%, 28%

Criteria                           Without context   With context
Flask-Talisman used                             0%           100%
flask-talisman in requirements                  0%           100%
No unsafe-inline in style-src                 100%           100%
Nonce-based style approach                    100%           100%
report_only disabled                            0%           100%
HSTS max-age 31536000                         100%           100%
HSTS includeSubDomains                        100%           100%
HSTS preload                                    0%           100%
frame_options DENY                            100%           100%
frame-ancestors none in CSP                   100%             0%
base-uri self in CSP                            0%             0%
form-action self in CSP                         0%             0%

Nginx Security Header Hardening for Static Site
Nginx security header directives
Scenario scores as shown on the page: 100%, 32%

Criteria                           Without context   With context
HSTS header present                           100%           100%
HSTS max-age 31536000                         100%           100%
HSTS includeSubDomains                        100%           100%
HSTS preload                                    0%           100%
X-Frame-Options DENY                            0%           100%
X-Content-Type-Options nosniff                100%           100%
X-XSS-Protection 1 mode=block                 100%           100%
Referrer-Policy set                             0%           100%
Permissions-Policy present                    100%           100%
always keyword used                           100%           100%
CSP present                                     0%           100%
No wildcard CSP                               100%           100%
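The three scenarios grade the same small set of header properties from three different stacks (helmet on Express, Flask-Talisman, raw Nginx `add_header` directives). What follows is an added example, not code from the skill, its evals, or any of those frameworks: a stand-alone Python checker that parses a response's Content-Security-Policy and Strict-Transport-Security values and reports each criterion as pass or fail, run here over two constructed header sets, one weak and one hardened. The header names and values are standard; the criterion labels, the placeholder nonce, and the WEAK and HARDENED sets are assumptions made up for the example. It deliberately departs from one Nginx row: it treats X-XSS-Protection as passing only when absent or set to 0, because Chromium removed its XSS Auditor, Firefox never shipped one, and OWASP now recommends 0 or omitting the header.

```python
"""Audit a response's security headers against the criteria the three eval
scenarios above grade (Express/helmet, Flask-Talisman, Nginx). Added example,
not code from the skill or its evals; header sets at the bottom are constructed."""

ONE_YEAR = 31536000  # HSTS max-age required by the Flask and Nginx scenarios


def parse_csp(value):
    """CSP header value -> {directive: [source expressions]}."""
    policy = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def parse_hsts(value):
    """HSTS header value -> (max_age, include_subdomains, preload)."""
    max_age, flags = None, set()
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1].strip().strip('"'))
        elif token:
            flags.add(token)
    return max_age, "includesubdomains" in flags, "preload" in flags


def audit_headers(headers):
    """Map each criterion to True/False for a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts: Content-Security-Policy-Report-Only
    # by itself blocks nothing (the Flask 'report_only disabled' row).
    csp_raw = h.get("content-security-policy")
    policy = parse_csp(csp_raw) if csp_raw else {}
    # Fetch directives (style-src, img-src) fall back to default-src; frame-ancestors,
    # base-uri and form-action do not, so they are looked up directly below.
    style = policy.get("style-src", policy.get("default-src"))  # None = unrestricted
    img = policy.get("img-src", policy.get("default-src"))
    sources = [s for srcs in policy.values() for s in srcs]
    hsts = h.get("strict-transport-security")
    max_age, subdomains, preload = parse_hsts(hsts) if hsts else (None, False, False)
    return {
        "CSP present and enforcing (not report-only)": csp_raw is not None,
        "CSP default-src 'self'": policy.get("default-src") == ["'self'"],
        "CSP frame-ancestors 'none'": policy.get("frame-ancestors") == ["'none'"],
        "CSP base-uri 'self'": policy.get("base-uri") == ["'self'"],
        "CSP form-action 'self'": policy.get("form-action") == ["'self'"],
        "CSP img-src allows data: and https:":
            img is not None and {"data:", "https:"} <= set(img),
        "No 'unsafe-inline' in effective style-src":
            style is not None and "'unsafe-inline'" not in style,
        "Nonce-based style-src":
            style is not None and any(s.startswith("'nonce-") for s in style),
        # Bare '*' only; host wildcards like https://*.cdn.example are a reviewer call.
        "No wildcard CSP source": csp_raw is not None and "*" not in sources,
        "HSTS max-age >= 31536000": max_age is not None and max_age >= ONE_YEAR,
        "HSTS includeSubDomains": subdomains,
        "HSTS preload": preload,
        "X-Frame-Options DENY": h.get("x-frame-options", "").strip().upper() == "DENY",
        "X-Content-Type-Options nosniff":
            h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "Referrer-Policy set": bool(h.get("referrer-policy", "").strip()),
        "Permissions-Policy present": "permissions-policy" in h,
        # Stricter than the Nginx eval's '1; mode=block' row on purpose: the legacy
        # XSS auditor is gone from Chromium and never existed in Firefox, and OWASP
        # recommends '0' or omitting the header.
        "X-XSS-Protection absent or 0": h.get("x-xss-protection", "0").strip() == "0",
    }


def failures(headers):
    """Sorted list of criteria the header set fails."""
    return sorted(k for k, ok in audit_headers(headers).items() if not ok)


# Constructed header sets for the example. The nonce is a fixed placeholder;
# a real server must mint a fresh random nonce for every response.
WEAK = {
    "Content-Security-Policy-Report-Only": "default-src *; style-src 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "style-src 'self' 'nonce-r4nd0m'; img-src 'self' data: https:; "
        "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, hdrs in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "fails:", failures(hdrs) or "nothing")
```

Two points the checker encodes that the tables only hint at. First, frame-ancestors, base-uri and form-action do not inherit from default-src, so a policy consisting only of `default-src 'self'` still permits framing and base-tag injection; that is why the Flask scenario tracks those three directives separately and why X-Frame-Options: DENY and `frame-ancestors 'none'` should be set together rather than relied on singly (the Express run scored only 50% on X-Frame-Options while passing frameAncestors). Second, a Content-Security-Policy-Report-Only header on its own satisfies none of the CSP rows here, which is exactly what the Flask `report_only disabled` criterion is guarding against.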

Repository: secondsky/claude-skills
Evaluated with agent: Claude Code
Model: Claude Sonnet 4.6
