From grimoire
Configures HTTP security response headers (HSTS, CSP, X-Frame-Options, etc.) to harden web servers against clickjacking, MIME sniffing, and downgrade attacks. Based on OWASP best practices.
npx claudepluginhub jeffreytse/grimoire --plugin grimoire
How this skill is triggered: by the user, by Claude, or both
Slash command
/grimoire:apply-security-headers
The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
Configure the full set of HTTP security response headers to eliminate browser-level attack vectors — clickjacking, MIME sniffing, information disclosure, and downgrade attacks.
Verifies and configures HTTP security headers (HSTS, CSP, X-Frame-Options, etc.) for web servers, reverse proxies, and app middleware. Useful when reviewing or hardening security header configurations.
Configure security HTTP headers to mitigate XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Configures HTTP security headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options for Express, Nginx, Flask. Protects against XSS, clickjacking, MIME sniffing; useful for hardening web apps and passing audits.
Adopted by: OWASP Top 10 2021 A05 (Security Misconfiguration) lists missing or misconfigured HTTP security headers as a typical finding. PCI DSS v4.0 Requirement 6.2.4 requires software engineering techniques that prevent or mitigate common software attacks such as injection. Mozilla Observatory, securityheaders.com, and Google's PageSpeed (via Lighthouse best-practices audits) all grade security headers. GitHub, Google, Stripe, and the major cloud providers set these headers on their own web properties.
Impact: Scott Helme's analysis of the Alexa Top 1 Million sites (2023) found 72% lack HSTS, 80% lack CSP, and 60% lack X-Frame-Options, each an exploitable gap. HSTS removes SSL stripping (the attack behind much credential theft on public Wi-Fi) for any browser that has already seen the header or has the domain preloaded; the very first visit to a non-preloaded domain remains exposed, which is why the preload list matters. Missing X-Content-Type-Options enables MIME-confusion attacks in which a text or image upload is interpreted as script or HTML.
Why best: per-header configuration in the application over a WAF or CDN setting, because WAF rules can be bypassed and CDN configuration can be overridden or lost when routing changes. Setting the headers at the application layer ensures they are present on every response regardless of proxy configuration. If a reverse proxy also injects them, make sure each header is emitted exactly once; duplicate headers with different values are a common source of confusing browser behavior.
Sources: OWASP HTTP Security Response Headers Cheat Sheet; Scott Helme Observatory data (2023); MDN Web Security; CWE-16
Set Strict-Transport-Security (HSTS): force all connections to use HTTPS, including subdomains. Prevents SSL stripping on every visit after the first.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Start with max-age=300 to test, then raise it to 63072000 (2 years) before submitting the domain at hstspreload.org, which bakes the policy into browsers permanently. The preload list requires a max-age of at least one year (31536000), includeSubDomains, and the preload token.
Set X-Content-Type-Options: nosniff: prevents browsers from MIME-sniffing responses away from the declared Content-Type.
X-Content-Type-Options: nosniff
Required when serving user-uploaded files: without it, an upload declared as image/jpeg but containing HTML may be sniffed and rendered as text/html. With nosniff, browsers also refuse to execute a <script src> whose response is not a JavaScript MIME type or to apply a stylesheet that is not text/css, which blocks script-inclusion tricks against upload endpoints.
Set X-Frame-Options: DENY or SAMEORIGIN: prevents your pages from being embedded in iframes on attacker sites (clickjacking).
X-Frame-Options: DENY
Use SAMEORIGIN if your app embeds its own pages in iframes. Superseded by CSP frame-ancestors, which browsers prefer when both headers are present, but keep both for legacy browser support.
Set Referrer-Policy: control how much referrer information is sent with cross-origin requests.
Referrer-Policy: strict-origin-when-cross-origin
Prevents leaking URL paths and query strings (which may contain session tokens or sensitive parameters) to third-party sites: cross-origin requests carry only the origin, and HTTPS-to-HTTP requests carry no referrer at all. Modern browsers use this value as the default, but set it explicitly so older browsers and future default changes do not weaken it.
Set Permissions-Policy: restrict browser features (camera, microphone, geolocation) to only what your app needs.
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
Prevents malicious scripts or third-party embeds from accessing hardware APIs.
Set Content-Security-Policy (see apply-content-security-policy for the full guide). Minimum viable CSP:
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'
default-src 'self' also blocks inline scripts and styles, so an app that relies on them needs nonces or hashes rather than 'unsafe-inline'. Add frame-ancestors 'none' (or 'self') to mirror X-Frame-Options.
Remove information-leaking headers: strip headers that reveal stack details:
# Remove these (configure in web server):
Server: Apache/2.4.51 → remove, or set to a generic value
X-Powered-By: PHP/8.1 → remove entirely
X-AspNet-Version: 4.x → remove entirely
Nginx: server_tokens off; (strips the version but still sends Server: nginx; removing the header entirely needs the headers-more module's more_clear_headers Server;)
Apache: ServerTokens Prod; ServerSignature Off (still sends Server: Apache)
Express: app.disable('x-powered-by') (or use the helmet middleware, which removes it and sets the headers above)
Verify with securityheaders.com (paste your URL to get an A–F grade and per-header findings) or Mozilla Observatory, and confirm what the server actually sends with curl -sD - -o /dev/null followed by your URL, checking for duplicates added by a proxy.
preload is effectively irreversible: once the domain is in the preload list, browsers treat it as HTTPS-only, and removal takes browser release cycles to propagate. Test thoroughly before preloading.
X-Frame-Options is deprecated in favor of CSP frame-ancestors but should still be set for IE11 and old Safari.
Permissions-Policy replaced Feature-Policy and its syntax changed (camera=() rather than camera 'none'); use the newer form shown above.
X-Content-Type-Options accepts only the value nosniff; any other value is ignored.
X-Frame-Options: ALLOWALL is not a valid value and is silently ignored, and ALLOW-FROM is unsupported by current browsers; use DENY or SAMEORIGIN, or CSP frame-ancestors for an allow-list.
Adding 'unsafe-inline' to CSP script-src removes CSP's XSS protection entirely; use nonces or hashes instead.
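As an added example (not code from the grimoire skill or this page), the block below does both halves of the procedure above: an Express-style middleware that applies the headers from the steps at the application layer, and an auditHeaders function that checks a captured response header set against the same rules, including the pitfalls just listed (ALLOWALL, 'unsafe-inline', short HSTS max-age, version-leaking Server). It assumes only a response object exposing setHeader and removeHeader (a stub is included so it runs offline without Express), the preload thresholds are the ones hstspreload.org publishes, and the weak header set is constructed for illustration rather than captured from a real site.

```javascript
// Added example, not code from the grimoire skill: Express-style middleware that
// sets the headers described above, plus an offline auditor for captured headers.
const TWO_YEARS = 63072000;
const ONE_YEAR = 31536000; // hstspreload.org minimum for submission

// Middleware factory. hstsMaxAge is configurable so a rollout can start at
// 300 seconds and move to two years before the domain is submitted for preload.
function securityHeaders({ hstsMaxAge = TWO_YEARS, preload = false, frame = 'DENY' } = {}) {
  if (!['DENY', 'SAMEORIGIN'].includes(frame)) throw new Error('frame must be DENY or SAMEORIGIN');
  let hsts = `max-age=${hstsMaxAge}; includeSubDomains`;
  if (preload) {
    if (hstsMaxAge < ONE_YEAR) throw new Error('preload requires max-age >= 31536000');
    hsts += '; preload';
  }
  // Mirror X-Frame-Options into the CSP directive that supersedes it.
  const frameAncestors = frame === 'DENY' ? "'none'" : "'self'";
  return function (req, res, next) {
    res.setHeader('Strict-Transport-Security', hsts);
    res.setHeader('X-Content-Type-Options', 'nosniff');
    res.setHeader('X-Frame-Options', frame); // kept for legacy browsers
    res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
    res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=(), payment=()');
    res.setHeader('Content-Security-Policy',
      `default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors ${frameAncestors}`);
    res.removeHeader('X-Powered-By'); // same effect as app.disable('x-powered-by')
    if (next) next();
  };
}

// Split a "name<sep>value; name<sep>value" header into a Map keyed by the
// lower-cased directive name. HSTS separates with "=", CSP with whitespace.
function parseDirectives(value, sep) {
  const out = new Map();
  for (const part of value.split(';')) {
    const item = part.trim();
    if (!item) continue;
    const idx = item.search(sep);
    const name = (idx === -1 ? item : item.slice(0, idx)).toLowerCase();
    out.set(name, idx === -1 ? '' : item.slice(idx + 1).trim());
  }
  return out;
}

// Audit a captured response header object (names are case-insensitive).
// Returns a list of findings; an empty list means every rule above passed.
function auditHeaders(headers) {
  const h = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];

  const hsts = h.get('strict-transport-security');
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else {
    const d = parseDirectives(hsts, /=/);
    const maxAge = Number(d.get('max-age')); // NaN when absent, which fails the check below
    if (!(maxAge >= TWO_YEARS)) findings.push('HSTS max-age below 63072000');
    if (!d.has('includesubdomains')) findings.push('HSTS lacks includeSubDomains');
    if (d.has('preload') && (maxAge < ONE_YEAR || !d.has('includesubdomains')))
      findings.push('HSTS preload requires includeSubDomains and max-age >= 31536000');
  }

  if ((h.get('x-content-type-options') || '').toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options is not nosniff');

  const xfo = (h.get('x-frame-options') || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo))
    findings.push(`X-Frame-Options missing or invalid (${xfo || 'absent'}); browsers ignore unknown values`);

  if (!h.has('referrer-policy')) findings.push('missing Referrer-Policy');
  if (!h.has('permissions-policy')) findings.push('missing Permissions-Policy');

  const csp = h.get('content-security-policy');
  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    const d = parseDirectives(csp, /\s/);
    // script-src falls back to default-src when absent, so check the effective source list.
    const scripts = d.get('script-src') || d.get('default-src') || '';
    if (scripts.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (d.get('object-src') !== "'none'") findings.push("CSP should set object-src 'none'");
    if (!d.has('base-uri')) findings.push('CSP lacks base-uri');
  }

  const server = h.get('server') || '';
  if (/\d/.test(server)) findings.push(`Server header reveals a version (${server})`);
  for (const leak of ['x-powered-by', 'x-aspnet-version'])
    if (h.has(leak)) findings.push(`${leak} should be removed`);

  return findings;
}

// Minimal stand-in for an Express response object, so this runs offline.
function stubResponse() {
  const headers = {};
  return {
    headers,
    setHeader(name, value) { headers[name] = value; },
    removeHeader(name) { delete headers[name]; },
  };
}

// Constructed sample (not captured from a real site): a default LAMP-style response.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'ALLOWALL',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
  'Server': 'Apache/2.4.51',
  'X-Powered-By': 'PHP/8.1',
};
```

In an Express app the middleware is registered with app.use(securityHeaders({ preload: true })) once the two-year max-age has been proven in production; during rollout pass hstsMaxAge: 300 and leave preload false, which the factory enforces by refusing a preload flag below one year. The auditor is the offline counterpart of the securityheaders.com check in the previous step: feed it the header object from a captured response and treat any non-empty result as a failed gate.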