From prodsec-skills
Verifies and configures HTTP response security headers including HSTS, CSP, X-Frame-Options, and more. Useful when reviewing web server, reverse proxy, or application middleware header settings.
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills

How this skill is triggered — by the user, by Claude, or both
Slash command
/prodsec-skills:http-security-headers

The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Validates HTTP security headers in web app responses, identifies issues like missing CSP or HSTS, rates posture, checks OWASP compliance, and suggests fixes for XSS, clickjacking, and MIME sniffing.
Configure security HTTP headers to mitigate XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Configures HTTP security headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options for Express, Nginx, Flask. Protects against XSS, clickjacking, MIME sniffing; useful for hardening web apps and passing audits.
Forces HTTPS connections for a specified period, preventing protocol downgrade and MITM attacks.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- Set max-age to at least one year (31536000 seconds)
- Use includeSubDomains to protect all subdomains
- Add preload only after verifying all subdomains support HTTPS, then submit to the HSTS preload list

Controls whether a page can be rendered in a frame or iframe, mitigating clickjacking.
X-Frame-Options: DENY
- Use DENY to prevent framing entirely
- Use SAMEORIGIN only when the application legitimately embeds its own pages
- Prefer the frame-ancestors CSP directive for more granular control

Prevents MIME sniffing, forcing the browser to use the declared Content-Type.
X-Content-Type-Options: nosniff
Instructs older browsers to activate built-in XSS filtering.
X-XSS-Protection: 1; mode=block
- Use mode=block to block the entire page rather than attempting to sanitize

Defines trusted sources for scripts, styles, images, and other resources. The most powerful header for preventing XSS and code injection.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'
- Deploy Content-Security-Policy-Report-Only first to monitor violations without breaking functionality
- Avoid unsafe-inline and unsafe-eval for script-src; use nonces or hashes instead
- Set object-src 'none' to block plugins (Flash, Java)
- Use frame-ancestors 'none' to replace X-Frame-Options

Controls how much referrer information is sent with requests, protecting user privacy.
Referrer-Policy: strict-origin-when-cross-origin
- Use no-referrer when maximum privacy is required
- Use same-origin to send the referrer only on same-origin requests
- Use strict-origin-when-cross-origin as a balanced default

Controls caching behavior for responses. Misconfigured caching of sensitive data is a common vulnerability.
Sensitive responses (authentication, personal data, tokens):
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Static assets (images, fonts, versioned bundles):
Cache-Control: public, max-age=31536000, immutable
- Use no-store for any response containing user-specific or sensitive data
- Use private when content is user-specific but cacheable by the browser

Checklist:
- Strict-Transport-Security is set with max-age >= 31536000 and includeSubDomains
- X-Frame-Options: DENY or CSP frame-ancestors 'none' is set
- X-Content-Type-Options: nosniff is present on all responses
- CSP does not allow unsafe-inline or unsafe-eval for scripts
- Referrer-Policy is set to strict-origin-when-cross-origin or stricter
- Sensitive responses use Cache-Control: no-store
- Static assets use long-lived Cache-Control with versioned filenames
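The checklist above, applied in code as an added example (this is not part of the prodsec-skills repository): a small Python checker that takes a dict of response headers and reports which of the listed controls are missing or weak. The function names are hypothetical; the CSP parsing is a minimal directive split, not a full CSP parser.

```python
import re

ONE_YEAR = 31536000
# Referrer policies at least as strict as the recommended default.
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

def _get(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _csp_directive(csp, name):
    """Source list of one CSP directive (quotes stripped), or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def check_headers(headers, sensitive=False):
    """Return findings for a response; an empty list means every control passes.
    sensitive=True applies the no-store rule for authentication/personal-data responses."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security") or ""
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    csp = _get(headers, "Content-Security-Policy") or ""
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo != "DENY" and _csp_directive(csp, "frame-ancestors") != ["none"]:
        findings.append("clickjacking: need X-Frame-Options: DENY or frame-ancestors 'none'")
    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    # script-src falls back to default-src when not declared.
    scripts = _csp_directive(csp, "script-src")
    if scripts is None:
        scripts = _csp_directive(csp, "default-src")
    if scripts is None:
        findings.append("CSP missing or declares neither script-src nor default-src")
    elif {"unsafe-inline", "unsafe-eval"} & set(scripts):
        findings.append("CSP allows unsafe-inline or unsafe-eval for scripts")
    if (_get(headers, "Referrer-Policy") or "").strip().lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy missing or weaker than strict-origin-when-cross-origin")
    if sensitive and "no-store" not in (_get(headers, "Cache-Control") or "").lower():
        findings.append("sensitive response cacheable: Cache-Control lacks no-store")
    return findings
```

Feed it the headers captured from a real response (for example `dict(requests.get(url).headers)`) and pass `sensitive=True` for login, account or token endpoints.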