security-headers-configuration
Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
95
93%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Passed
No known issues
Quality
Discovery
100%Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is an excellent skill description that clearly communicates specific capabilities, includes natural trigger terms developers would use, and explicitly states both what the skill does and when to use it. It uses proper third-person voice and occupies a well-defined niche that minimizes conflict risk with other skills.
| Dimension | Reasoning | Score |
|---|---|---|
Specificity | Lists multiple specific concrete actions: configuring HTTP security headers, protecting against XSS, clickjacking, and MIME sniffing attacks, and implementing Content Security Policy. These are concrete, well-defined capabilities. | 3 / 3 |
Completeness | Clearly answers both 'what' (configures HTTP security headers to protect against specific attacks) and 'when' (explicitly states 'Use when hardening web applications, passing security audits, or implementing Content Security Policy'). | 3 / 3 |
Trigger Term Quality | Includes strong natural keywords users would say: 'security headers', 'XSS', 'clickjacking', 'MIME sniffing', 'security audits', 'Content Security Policy', 'hardening web applications'. These cover the main terms a developer would use when seeking this skill. | 3 / 3 |
Distinctiveness Conflict Risk | Highly distinctive with a clear niche around HTTP security headers specifically. The trigger terms (XSS, clickjacking, MIME sniffing, Content Security Policy, security headers) are specific enough to avoid conflicts with general web development or broader security skills. | 3 / 3 |
Total | 12 / 12 Passed |
Implementation
87%Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This is a well-crafted skill that efficiently covers security headers configuration across multiple platforms with executable examples. Its main weakness is the lack of an explicit verification workflow—the tools are listed but not integrated into a step-by-step process with feedback loops. The content structure and conciseness are strong, making it immediately useful.
Suggestions
Integrate verification tools into an explicit workflow: e.g., '1. Apply headers → 2. Deploy → 3. Verify with securityheaders.com → 4. If score < A: review missing headers and fix → 5. Re-verify'
Add a concrete curl command or script snippet for quick local header verification (e.g., `curl -I https://example.com | grep -i 'strict-transport\|content-security\|x-frame'`)
| Dimension | Reasoning | Score |
|---|---|---|
Conciseness | The content is lean and efficient. It uses a table for quick reference, provides concrete configurations without explaining what XSS or clickjacking are, and assumes Claude understands web security concepts. Every section earns its place. | 3 / 3 |
Actionability | Provides fully executable, copy-paste ready code for both Express (with helmet) and Nginx configurations. The CSP directives example is detailed and realistic with specific sources. The checklist and verification tools add practical value. | 3 / 3 |
Workflow Clarity | The content presents headers and implementations clearly but lacks an explicit workflow sequence. There's no validation step integrated into the process (e.g., 'apply headers, then verify with securityheaders.com, fix issues, re-verify'). The verification tools are listed separately without being woven into a feedback loop, which is important for security hardening operations. | 2 / 3 |
Progressive Disclosure | Content is well-structured with a clear overview table, platform-specific implementations inline (appropriately sized), and a single-level reference to python-apache.md for additional implementations. Navigation is clear and the split between inline and referenced content is appropriate. | 3 / 3 |
Total | 11 / 12 Passed |
Validation
100%Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation — 11 / 11 Passed
Validation for skill structure
No warnings or errors.
- Repository
- secondsky/claude-skills
- Commit
88da5ff
- Reviewed
Table of Contents
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.