`tessl i github:secondsky/claude-skills --skill security-headers-configuration`

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.
Validation
75%

| Criteria | Description | Result |
|---|---|---|
| metadata_version | 'metadata' field is not a dictionary | Warning |
| license_field | 'license' field is missing | Warning |
| body_output_format | No obvious output/return/format terms detected; consider specifying expected outputs | Warning |
| body_steps | No step-by-step structure detected (no ordered list); consider adding a simple workflow | Warning |
| Total | 12 / 16 Passed | |
Implementation
88%

This is a well-crafted skill that efficiently delivers actionable security header configurations for multiple platforms. The content is lean, executable, and appropriately structured. The main weakness is the lack of an explicit implementation workflow with validation checkpoints, though the checklist and verification tools partially compensate.

Suggestions

- Add a brief numbered workflow sequence (e.g., '1. Add headers 2. Test locally 3. Verify with securityheaders.com 4. Fix any issues 5. Deploy') to improve workflow clarity
- Include guidance on what to do when verification tools report issues (feedback loop for error recovery)

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | Every section earns its place with no unnecessary explanation of what security headers are or why they matter. The table format efficiently conveys header-value pairs, and code examples are minimal but complete. | 3 / 3 |
| Actionability | Provides fully executable code for both Express.js and Nginx configurations that can be copy-pasted directly. The helmet.js example includes realistic CSP directives, and the nginx config is production-ready. | 3 / 3 |
| Workflow Clarity | While the checklist provides verification steps and external tools are listed, there's no explicit workflow sequence for implementing headers (e.g., 'configure -> test locally -> verify with tools -> deploy'). Missing feedback loop for what to do when verification fails. | 2 / 3 |
| Progressive Disclosure | Clean structure with essential content inline and additional implementations (Python/Apache) appropriately delegated to a single reference file. Navigation is clear with well-signaled one-level-deep reference. | 3 / 3 |
| Total | 11 / 12 Passed | |
Activation
100%

This is a well-crafted skill description that excels across all dimensions. It provides specific capabilities (configuring HTTP security headers against named attack vectors), includes natural trigger terms users would actually search for, explicitly states both what it does and when to use it, and occupies a clear niche that distinguishes it from other skills.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks.' Names specific attack types and the concrete action of configuring headers. | 3 / 3 |
| Completeness | Clearly answers both what ('Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks') AND when ('Use when hardening web applications, passing security audits, or implementing Content Security Policy') with explicit trigger guidance. | 3 / 3 |
| Trigger Term Quality | Includes natural keywords users would say: 'HTTP security headers', 'XSS', 'clickjacking', 'MIME sniffing', 'security audits', 'Content Security Policy', 'hardening web applications'. Good coverage of both technical terms and common phrases. | 3 / 3 |
| Distinctiveness Conflict Risk | Clear niche focused specifically on HTTP security headers with distinct triggers like 'XSS', 'clickjacking', 'Content Security Policy', and 'security audits'. Unlikely to conflict with general web development or other security skills. | 3 / 3 |
| Total | 12 / 12 Passed | |
Reviewed