Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From security-headers-configuration
Configures HTTP security headers like HSTS, CSP, X-Frame-Options, X-Content-Type-Options for Express, Nginx, Flask. Protects against XSS, clickjacking, MIME sniffing; useful for hardening web apps and passing audits.
npx claudepluginhub secondsky/claude-skills --plugin security-headers-configurationHow this skill is triggered — by the user, by Claude, or both
Slash command
/security-headers-configuration:security-headers-configurationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Implement HTTP security headers to defend against common browser-based attacks.
Configure security HTTP headers to mitigate XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Configures HTTP security response headers (HSTS, CSP, X-Frame-Options, etc.) to harden web servers against clickjacking, MIME sniffing, and downgrade attacks. Based on OWASP best practices.
Configures HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) using Helmet.js to protect web apps against XSS, clickjacking, MIME sniffing, and info leakage.
Share bugs, ideas, or general feedback.
Implement HTTP security headers to defend against common browser-based attacks.
| Header | Purpose | Value |
|---|---|---|
| HSTS | Force HTTPS | max-age=31536000; includeSubDomains |
| CSP | Restrict resources | default-src 'self' |
| X-Frame-Options | Prevent clickjacking | DENY |
| X-Content-Type-Options | Prevent MIME sniffing | nosniff |
const helmet = require('helmet');
app.use(helmet());
// Custom CSP
app.use(helmet.contentSecurityPolicy({
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", "data:", "https:"],
connectSrc: ["'self'", "https://api.example.com"],
fontSrc: ["'self'", "https://fonts.gstatic.com"],
frameAncestors: ["'none'"]
}
}));
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
See references/python-apache.md for: