Skill

analyzing-security-headers

Analyzes HTTP/HTTPS security headers for vulnerabilities, misconfigurations, OWASP compliance, cookie issues, and info leaks. Assigns grades and suggests Nginx/Apache/Cloudflare fixes.

Nginx

Cloudflare

security

npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin security-headers-analyzer

Tool Access

This skill is limited to using the following tools:

ReadWebFetchWebSearchGrep

Preview

Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.

Supporting Assets

assets/README.mdreferences/README.mdreferences/errors.mdreferences/examples.mdreferences/implementation.mdscripts/README.mdscripts/analyze_headers.pyscripts/generate_report.py

SKILL.md

Similar Skills

security-headers

Validates HTTP security headers in web app responses, identifies issues like missing CSP or HSTS, rates posture, checks OWASP compliance, and suggests fixes for XSS, clickjacking, and MIME sniffing.

devkit

headers

Analyzes HTTP security headers for a given URL with context-aware grading on exploitable risks, WHY explanations, and exact fix commands. Ideal for web security reviews.

sentinel

performing-security-headers-audit

Audits HTTP security headers including CSP, HSTS, X-Frame-Options, and Cookie attributes using curl scripts and tools like SecurityHeaders.com to identify missing or misconfigured web protections.

3 files

cybersecurity-skills-zh

Stats

Parent Repo Stars1854

Parent Repo Forks248

Last CommitApr 3, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Security Headers

Overview

Prerequisites

Target URL or domain name accessible over the network
Authorization to perform HTTP requests against the target domain
Network connectivity for both HTTP and HTTPS protocols
Optional: write access to ${CLAUDE_SKILL_DIR}/security-reports/ for persisting results

Instructions

Accept the target domain. If only a domain name is provided, default to https://. For batch analysis, accept a newline-separated list.
Fetch response headers using WebFetch for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
Evaluate critical headers -- flag any that are missing or misconfigured:
- Strict-Transport-Security: require max-age>=31536000, includeSubDomains, and preload eligibility
- Content-Security-Policy: check for unsafe-inline, unsafe-eval, overly broad default-src, and missing frame-ancestors
- X-Frame-Options: require DENY or SAMEORIGIN
- X-Content-Type-Options: require nosniff
- Permissions-Policy: verify camera, microphone, geolocation restrictions
Evaluate important headers -- report status and recommendations:
- Referrer-Policy: recommend strict-origin-when-cross-origin or no-referrer
- Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP)
Check for information disclosure -- flag Server, X-Powered-By, X-AspNet-Version, and any header revealing technology stack or version numbers.
Inspect cookie attributes on Set-Cookie headers: verify Secure, HttpOnly, SameSite=Lax|Strict, and __Host-/__Secure- prefix usage.
Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the five-phase implementation workflow.

Output

Headers Analysis Report: overall grade, per-header status (present/missing/misconfigured), and risk impact
Remediation Checklist: prioritized fixes with server configuration snippets
Cookie Security Assessment: attribute compliance for each Set-Cookie header
Comparison Table: side-by-side HTTP vs. HTTPS header differences

Error Handling

Error	Cause	Solution
Failed to connect to domain	DNS resolution failure, firewall block, or domain down	Verify domain spelling and DNS records; test alternate protocols
SSL certificate verification failed	Expired, self-signed, or mismatched certificate	Note TLS issue in report; indicates HSTS not properly enforced
Too many redirects	Redirect loop between HTTP and HTTPS	Report the redirect chain and analyze headers at each hop
HTTP 429 Too Many Requests	Rate limiting by target server	Implement backoff; queue domain for delayed re-analysis
Headers differ between HTTP and HTTPS	Inconsistent server configuration	Report both sets; highlight critical differences and flag HSTS gap

Examples

"Analyze security headers for https://claudecodeplugins.io and explain any CSP or HSTS issues."
"Check headers for example.com on both HTTP and HTTPS and provide an Nginx remediation config."
"Batch-analyze headers for five staging domains and rank them by security grade."

Resources

OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
Security Headers Scanner: https://securityheaders.com/
Content Security Policy Reference: https://content-security-policy.com/
HSTS Preload Submission: https://hstspreload.org/
${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference
${CLAUDE_SKILL_DIR}/references/examples.md -- additional usage examples
https://intentsolutions.io