From aj-geddes-useful-ai-prompts-4
Configure HTTP security headers including CSP, HSTS, X-Frame-Options, and XSS protection. Use when hardening web applications against common attacks.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aj-geddes-useful-ai-prompts-4:security-headers-configurationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- [Overview](#overview)
Implement comprehensive HTTP security headers to protect web applications from XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Minimal working example:
// security-headers.js
const helmet = require("helmet");
function configureSecurityHeaders(app) {
// Comprehensive Helmet configuration
app.use(
helmet({
// Content Security Policy
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: [
"'self'",
"'unsafe-inline'", // Remove in production
"https://cdn.example.com",
"https://www.google-analytics.com",
],
styleSrc: [
"'self'",
"'unsafe-inline'",
"https://fonts.googleapis.com",
],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
imgSrc: ["'self'", "data:", "https:", "blob:"],
connectSrc: ["'self'", "https://api.example.com"],
// ... (see reference guides for full implementation)
Detailed implementations in the references/ directory:
| Guide | Contents |
|---|---|
| Node.js/Express Security Headers | Node.js/Express Security Headers |
| Nginx Security Headers Configuration | Nginx Security Headers Configuration |
| Python Flask Security Headers | Python Flask Security Headers |
| Apache .htaccess Configuration | Apache .htaccess Configuration |
| Security Headers Testing Script | Security Headers Testing Script |
npx claudepluginhub joshuarweaver/cascade-code-languages-misc-1 --plugin aj-geddes-useful-ai-prompts-4Configures HTTP security headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options for Express, Nginx, Flask. Protects against XSS, clickjacking, MIME sniffing; useful for hardening web apps and passing audits.
Configure security HTTP headers to mitigate XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Configures HTTP security response headers (HSTS, CSP, X-Frame-Options, etc.) to harden web servers against clickjacking, MIME sniffing, and downgrade attacks. Based on OWASP best practices.