Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
Overall score: 94
Quality: 93% (does it follow best practices?)
Impact: 92% (1.41x average score across 3 eval scenarios)
Passed: no known issues

Quality

Discovery (100%)
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that follows best practices. It uses third person voice, lists specific security threats addressed, and includes an explicit 'Use when...' clause with multiple relevant trigger scenarios. The technical terms used are appropriate for the target audience (developers) while remaining natural search terms.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Configures HTTP security headers' and explicitly names protection against 'XSS, clickjacking, and MIME sniffing attacks' plus 'implementing Content Security Policy'. | 3 / 3 |
| Completeness | Clearly answers both what ('Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks') AND when ('Use when hardening web applications, passing security audits, or implementing Content Security Policy'). | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'security headers', 'XSS', 'clickjacking', 'security audits', 'Content Security Policy', 'hardening web applications'. These are terms developers naturally use when seeking this functionality. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clear niche focused specifically on HTTP security headers with distinct triggers like 'XSS', 'clickjacking', 'MIME sniffing', 'Content Security Policy'. Unlikely to conflict with general web development or other security skills. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation (87%)
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill that efficiently delivers actionable security header configurations for multiple platforms. The content is appropriately concise and provides executable examples. The main weakness is the lack of an explicit verification workflow—while tools are listed, there's no step-by-step process for testing and iterating on header configurations.
Suggestions
Add an explicit workflow section: 1. Implement headers → 2. Test with securityheaders.com → 3. Fix any issues → 4. Re-test until passing
Consider adding a brief troubleshooting note for common CSP errors that break functionality (e.g., inline scripts blocked)
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every section is lean and purposeful. No explanation of what security headers are or why they matter; assumes Claude knows. The table format efficiently conveys header-value mappings. | 3 / 3 |
| Actionability | Provides fully executable code for both Express (with helmet) and Nginx configurations. The examples are copy-paste ready with realistic directive values. | 3 / 3 |
| Workflow Clarity | Includes a checklist and verification tools, but lacks explicit workflow sequencing. No clear 'implement → verify → fix' feedback loop for testing headers after deployment. | 2 / 3 |
| Progressive Disclosure | Core content is concise in the main file with clear reference to additional implementations in a separate file. One-level-deep reference is well-signaled with specific content preview. | 3 / 3 |
| Total | | 11 / 12 Passed |
Validation (100%)
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
90d6bd7