npx claudepluginhub cwinvestments/memstack --plugin memstackThis skill uses the workspace's default tool permissions.
*Audit existing security headers, identify overly permissive directives, and generate a production-ready Content-Security-Policy with companion headers.*
Validates HTTP security headers in web app responses, identifies issues like missing CSP or HSTS, rates posture, checks OWASP compliance, and suggests fixes for XSS, clickjacking, and MIME sniffing.
Generates security headers configurations and provides step-by-step guidance for security fundamentals including authentication, input validation, secure coding, and vulnerability detection. Useful for web security tasks.
Configures HTTP security headers including CSP, HSTS, X-Frame-Options, XSS protection for Node.js/Express, Nginx, Flask, Apache. Hardens web apps against XSS, clickjacking, MIME sniffing.
Share bugs, ideas, or general feedback.
Audit existing security headers, identify overly permissive directives, and generate a production-ready Content-Security-Policy with companion headers.
When this skill activates, output:
π‘οΈ CSP Headers β Auditing your security headers...
| Context | Status |
|---|---|
| User says "CSP", "security headers", "Content-Security-Policy" | ACTIVE |
| User wants to fix unsafe-inline, unsafe-eval, or wildcard directives | ACTIVE |
| User mentions HSTS, X-Frame-Options, or Permissions-Policy | ACTIVE |
| User wants a full OWASP security audit (not just headers) | DORMANT β see owasp-top10 |
| User wants to scan for secrets in code | DORMANT β see secrets-scanner |
| User wants API-level security (auth, rate limiting) | DORMANT β see api-audit |
Ask the user for:
<script> tags or inline styles?Check for CSP and security headers in all possible locations:
Where to look:
next.config.js (headers() function), nginx.conf, Caddyfile<meta http-equiv="Content-Security-Policy" content="..."> in HTMLvercel.json, netlify.toml, _headers fileββ EXISTING HEADERS FOUND βββββββββββββββββ
Location: [file:line or "not found"]
Content-Security-Policy:
[current policy or "MISSING"]
Strict-Transport-Security:
[current value or "MISSING"]
X-Content-Type-Options:
[current value or "MISSING"]
X-Frame-Options:
[current value or "MISSING"]
Referrer-Policy:
[current value or "MISSING"]
Permissions-Policy:
[current value or "MISSING"]
X-XSS-Protection:
[current value or "MISSING β deprecated but still useful for older browsers"]
If a CSP exists, audit each directive for security issues:
| Directive | Current Value | Issue | Severity | Fix |
|---|---|---|---|---|
default-src | * | Allows loading from any origin | π΄ Critical | Restrict to known origins |
script-src | 'unsafe-inline' | Allows inline scripts β XSS vector | π΄ Critical | Use nonces or hashes |
script-src | 'unsafe-eval' | Allows dynamic code execution β injection risk | π‘ High | Remove, refactor code |
style-src | 'unsafe-inline' | Allows inline styles β less severe | π Medium | Use nonces if feasible |
img-src | * | Allows images from any origin | π Medium | Restrict to known CDNs |
frame-ancestors | missing | No clickjacking protection | π‘ High | Add 'self' or 'none' |
connect-src | missing | No restriction on fetch/XHR targets | π Medium | Restrict to API origins |
base-uri | missing | Base tag injection possible | π‘ High | Add 'self' |
form-action | missing | Forms can submit to any origin | π Medium | Add 'self' |
object-src | missing | Plugin content allowed | π‘ High | Add 'none' |
Common dangerous patterns:
BAD: default-src * β Defeats the entire purpose of CSP
BAD: script-src 'unsafe-inline' β XSS protection nullified
BAD: script-src 'unsafe-eval' β Dynamic code execution permitted
BAD: script-src https: β Any HTTPS origin can serve scripts
BAD: script-src *.googleapis.com β JSONP endpoints can bypass CSP
BAD: connect-src * β Data exfiltration unrestricted
BAD: frame-ancestors not set β Clickjacking possible
Identify all external resources the application loads:
ββ RESOURCE INVENTORY βββββββββββββββββββββ
Scripts (script-src):
- https://www.googletagmanager.com β Google Tag Manager
- https://js.stripe.com β Stripe.js
- https://cdn.jsdelivr.net β jsDelivr CDN
- 'self' β Own domain scripts
Styles (style-src):
- https://fonts.googleapis.com β Google Fonts CSS
- 'self' β Own stylesheets
- 'unsafe-inline' β Needed for: [reason]
Fonts (font-src):
- https://fonts.gstatic.com β Google Fonts files
- 'self' β Self-hosted fonts
Images (img-src):
- https://res.cloudinary.com β Cloudinary images
- https://*.githubusercontent.com β GitHub avatars
- data: β Data URI images
- 'self' β Own images
Connections (connect-src):
- https://api.example.com β Own API
- https://api.stripe.com β Stripe API
- https://www.google-analytics.com β Analytics
- 'self' β Same-origin requests
Frames (frame-src):
- https://js.stripe.com β Stripe checkout iframe
- https://www.youtube.com β Embedded videos
- 'none' β If no iframes needed
Build a CSP policy based on actual resource usage:
ββ RECOMMENDED CSP ββββββββββββββββββββββββ
Content-Security-Policy:
default-src 'self';
script-src 'self' 'nonce-{SERVER_GENERATED}' https://www.googletagmanager.com https://js.stripe.com;
style-src 'self' 'nonce-{SERVER_GENERATED}' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' https://res.cloudinary.com data:;
connect-src 'self' https://api.stripe.com https://www.google-analytics.com;
frame-src https://js.stripe.com https://www.youtube.com;
frame-ancestors 'self';
base-uri 'self';
form-action 'self';
object-src 'none';
upgrade-insecure-requests;
Nonce-based script loading (recommended over 'unsafe-inline'):
// Express/Next.js middleware example
const crypto = require('crypto');
function cspMiddleware(req, res, next) {
const nonce = crypto.randomBytes(16).toString('base64');
res.locals.cspNonce = nonce;
res.setHeader('Content-Security-Policy', [
"default-src 'self'",
`script-src 'self' 'nonce-${nonce}'`,
`style-src 'self' 'nonce-${nonce}'`,
"font-src 'self' https://fonts.gstatic.com",
"img-src 'self' data:",
"connect-src 'self'",
"frame-ancestors 'self'",
"base-uri 'self'",
"form-action 'self'",
"object-src 'none'",
"upgrade-insecure-requests",
].join('; '));
next();
}
<!-- Use nonce in script/style tags -->
<script nonce="<%= cspNonce %>">
// Inline script allowed by nonce
</script>
Hash-based alternative (for static inline scripts):
# Generate hash for a known inline script
echo -n "console.log('hello')" | openssl dgst -sha256 -binary | openssl enc -base64
# Result: 'sha256-xxxxxxxxx'
# Add to CSP: script-src 'sha256-xxxxxxxxx'
CSP alone isn't enough. Generate the full security headers suite:
ββ COMPLETE SECURITY HEADERS ββββββββββββββ
# HSTS β Force HTTPS for all future visits
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
# Prevent MIME type sniffing attacks
X-Content-Type-Options: nosniff
# Clickjacking protection (legacy β frame-ancestors in CSP is preferred)
X-Frame-Options: SAMEORIGIN
# Control referrer information leakage
Referrer-Policy: strict-origin-when-cross-origin
# Restrict browser features
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=self
# Legacy XSS filter (deprecated but harmless)
X-XSS-Protection: 0
Header explanations:
| Header | Purpose | Recommended Value |
|---|---|---|
Strict-Transport-Security | Force HTTPS, prevent SSL stripping | max-age=63072000; includeSubDomains; preload |
X-Content-Type-Options | Prevent MIME sniffing (serving JS as image) | nosniff |
X-Frame-Options | Prevent clickjacking (legacy, CSP preferred) | SAMEORIGIN or DENY |
Referrer-Policy | Control referer header leakage | strict-origin-when-cross-origin |
Permissions-Policy | Disable unused browser APIs | Disable camera, mic, geo unless needed |
X-XSS-Protection | Legacy XSS filter | 0 (disable β can cause issues, CSP is better) |
Always deploy CSP in report-only mode first to avoid breaking production:
ββ DEPLOYMENT STRATEGY ββββββββββββββββββββ
Phase 1: REPORT-ONLY (1-2 weeks)
Header: Content-Security-Policy-Report-Only
Purpose: Collect violations without blocking anything
Report endpoint: /api/csp-report
Phase 2: ENFORCE (after zero violations)
Header: Content-Security-Policy
Purpose: Block unauthorized resources
Keep report-uri for ongoing monitoring
Report-only header:
Content-Security-Policy-Report-Only:
[same policy as above];
report-uri /api/csp-report;
report-to csp-endpoint
Violation report handler:
// POST /api/csp-report
app.post('/api/csp-report', express.json({ type: 'application/csp-report' }), (req, res) => {
const report = req.body['csp-report'];
console.warn('CSP Violation:', {
blockedUri: report['blocked-uri'],
directive: report['violated-directive'],
documentUri: report['document-uri'],
sourceFile: report['source-file'],
lineNumber: report['line-number'],
});
res.status(204).end();
});
Common violations to expect:
data: to img-src if needed)Next.js (next.config.js):
const securityHeaders = [
{ key: 'Content-Security-Policy', value: "default-src 'self'; ..." },
{ key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'X-Frame-Options', value: 'SAMEORIGIN' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];
module.exports = {
async headers() {
return [{ source: '/(.*)', headers: securityHeaders }];
},
};
Express middleware:
app.use((req, res, next) => {
res.setHeader('Content-Security-Policy', "default-src 'self'; ...");
res.setHeader('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload');
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
next();
});
Nginx:
add_header Content-Security-Policy "default-src 'self'; ..." always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
Caddy:
header {
Content-Security-Policy "default-src 'self'; ..."
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
Permissions-Policy "camera=(), microphone=(), geolocation=()"
}
Vercel (vercel.json):
{
"headers": [
{
"source": "/(.*)",
"headers": [
{ "key": "Content-Security-Policy", "value": "default-src 'self'; ..." },
{ "key": "Strict-Transport-Security", "value": "max-age=63072000; includeSubDomains; preload" },
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "X-Frame-Options", "value": "SAMEORIGIN" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" },
{ "key": "Permissions-Policy", "value": "camera=(), microphone=(), geolocation=()" }
]
}
]
}
Present the complete security headers audit and configuration:
βββ SECURITY HEADERS REPORT ββββββββββββββ
Project: [name]
Framework: [framework]
Hosting: [platform]
ββ AUDIT RESULTS ββββββββββββββββββββββββββ
Headers found: [X] of 6
Issues found: [count]
π΄ Critical: [count]
π‘ High: [count]
π Medium: [count]
ββ ISSUES βββββββββββββββββββββββββββββββββ
[directive-level audit table]
ββ RESOURCE INVENTORY βββββββββββββββββββββ
[categorized external resources]
ββ RECOMMENDED CSP ββββββββββββββββββββββββ
[complete CSP policy]
ββ COMPANION HEADERS ββββββββββββββββββββββ
[HSTS, X-Content-Type-Options, etc.]
ββ IMPLEMENTATION βββββββββββββββββββββββββ
[framework-specific config, copy-paste ready]
ββ DEPLOYMENT PLAN ββββββββββββββββββββββββ
Phase 1: Report-only ([duration])
Phase 2: Enforce (after zero violations)
Report endpoint: [handler code]
ββ SECURITY SCORE βββββββββββββββββββββββββ
Score: [A+ / A / B / C / D / F]
CSP: [pass/fail]
HSTS: [pass/fail]
X-Content-Type: [pass/fail]
X-Frame-Options: [pass/fail]
Referrer-Policy: [pass/fail]
Permissions: [pass/fail]
Grading: