From prodsec-skills
Verifies and configures HTTP security headers (HSTS, CSP, X-Frame-Options, etc.) for web servers, reverse proxies, and app middleware. Useful when reviewing or hardening security header configurations.
Slash command (triggered by the user, or auto-loaded by Claude based on the summary in its skill listing):

/prodsec-skills:http-security-headers
Forces HTTPS connections for a specified period, preventing protocol downgrade and MITM attacks.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- Set max-age to at least one year (31536000 seconds)
- Add includeSubDomains to protect all subdomains
- Add preload only after verifying all subdomains support HTTPS, then submit to the HSTS preload list

Controls whether a page can be rendered in a frame or iframe, mitigating clickjacking.
X-Frame-Options: DENY
- Use DENY to prevent framing entirely
- Use SAMEORIGIN only when the application legitimately embeds its own pages
- Prefer the frame-ancestors CSP directive for more granular control

Prevents MIME sniffing, forcing the browser to use the declared Content-Type.
X-Content-Type-Options: nosniff
Instructs older browsers to activate built-in XSS filtering.
X-XSS-Protection: 1; mode=block
- Use mode=block to block the entire page rather than attempting to sanitize

Defines trusted sources for scripts, styles, images, and other resources. The most powerful header for preventing XSS and code injection.
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none'
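The recommendations for this header call for nonces or hashes instead of unsafe-inline, and for trialling the policy in Report-Only mode before enforcing it. The following is an added example, not code from the prodsec-skills plugin: it derives the 'sha256-...' source expression for each existing inline script and emits the baseline policy above under either header name. The inline script bodies are constructed sample input and the function names are this example's own.

```python
"""Hash-based CSP for existing inline scripts, rolled out via Report-Only first.

Added example, not code from the prodsec-skills plugin. The directive set mirrors
the policy line on this page; the inline script bodies are constructed sample
input and the function names are this example's own.
"""
import base64
import hashlib


def csp_hash_source(script_body):
    """Return the 'sha256-...' source expression that allows one inline script.

    Browsers hash the exact text content of the <script> element (UTF-8), so the
    body must be passed byte-for-byte as it appears in the HTML, whitespace included.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(inline_scripts=(), report_only=True):
    """Build the baseline policy plus one hash per inline script.

    Returns (header_name, header_value). report_only=True yields
    Content-Security-Policy-Report-Only, so violations are reported, not enforced.
    """
    script_src = ["'self'"] + [csp_hash_source(s) for s in inline_scripts]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "style-src 'self'",
        "img-src 'self' data:",
        "object-src 'none'",
        "frame-ancestors 'none'",
    ]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


# Constructed sample: two inline scripts found in a legacy template.
SAMPLE_INLINE_SCRIPTS = (
    "window.appConfig = {apiBase: '/api/v2'};",
    "document.getElementById('year').textContent = new Date().getFullYear();",
)

if __name__ == "__main__":
    # First the monitoring header, then the enforcing one with identical directives.
    for name, value in (build_csp(SAMPLE_INLINE_SCRIPTS),
                        build_csp(SAMPLE_INLINE_SCRIPTS, report_only=False)):
        print(f"{name}: {value}")
```

Once the Report-Only header has run long enough for violation reports to go quiet, the same value is sent as Content-Security-Policy; any later edit to an inline script changes its hash and must be regenerated, which is why templated pages usually prefer a per-response nonce instead.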
- Deploy Content-Security-Policy-Report-Only first to monitor violations without breaking functionality
- Avoid unsafe-inline and unsafe-eval for script-src; use nonces or hashes instead
- Set object-src 'none' to block plugins (Flash, Java)
- Set frame-ancestors 'none' to replace X-Frame-Options

Controls how much referrer information is sent with requests, protecting user privacy.
Referrer-Policy: strict-origin-when-cross-origin
- Use no-referrer when maximum privacy is required
- Use same-origin to send referrer only on same-origin requests
- Use strict-origin-when-cross-origin as a balanced default

Controls caching behavior for responses. Misconfigured caching of sensitive data is a common vulnerability.
Sensitive responses (authentication, personal data, tokens):
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Static assets (images, fonts, versioned bundles):
Cache-Control: public, max-age=31536000, immutable
- Use no-store for any response containing user-specific or sensitive data
- Use private when content is user-specific but cacheable by the browser

Verification checklist:

- HSTS has max-age >= 31536000 and includeSubDomains
- X-Frame-Options: DENY or CSP frame-ancestors 'none' is set
- X-Content-Type-Options: nosniff is present on all responses
- CSP does not allow unsafe-inline or unsafe-eval for scripts
- Referrer-Policy is set to strict-origin-when-cross-origin or stricter
- Sensitive responses use Cache-Control: no-store
- Static assets use Cache-Control with versioned filenames

Install the plugin:

npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills
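The header recommendations and the verification checklist on this page map directly onto two pieces of middleware-side code: one that emits the hardened header set for a response and one that audits an arbitrary response's headers against the checklist. The block below is an added example, not code from the prodsec-skills plugin; the header values and thresholds are the ones given above, while the function names and the unhardened login response used as input are constructed for illustration.

```python
"""Emit the hardened header set and audit responses against the checklist above.

Added example, not code from the prodsec-skills plugin. Header names, values and
thresholds follow this page; WEAK_LOGIN_RESPONSE is a constructed sample and the
function names are this example's own.
"""
import re
import secrets

ONE_YEAR = 31536000  # HSTS max-age floor recommended on this page

# Referrer-Policy values as strict as, or stricter than, the recommended default.
ACCEPTABLE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def security_headers(sensitive, nonce=None):
    """Return the hardened header set for one response.

    sensitive=True covers authentication, personal data and tokens; sensitive=False
    covers static, versioned assets. Scripts are allowed by a per-response nonce so
    no 'unsafe-inline' is needed. 'preload' is omitted: the page says to add it only
    after every subdomain is verified to support HTTPS.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    headers = {
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
                                    "style-src 'self'; img-src 'self' data:; "
                                    "object-src 'none'; frame-ancestors 'none'"),
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if sensitive:
        headers["Cache-Control"] = "no-store, no-cache, must-revalidate, max-age=0"
    else:
        headers["Cache-Control"] = "public, max-age=31536000, immutable"
    return headers


def _parse_csp(value):
    """Split a CSP value into {directive: [sources]}, lower-casing directive names."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers, sensitive):
    """Check one response's headers against the verification checklist.

    Returns a list of findings; an empty list means every check passed. Header
    names are matched case-insensitively, as HTTP requires. X-XSS-Protection is
    deliberately not checked because current browsers ignore it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")

    csp = _parse_csp(h.get("content-security-policy", ""))
    if h.get("x-frame-options", "").upper() != "DENY" and csp.get("frame-ancestors") != ["'none'"]:
        findings.append("framing not denied (need X-Frame-Options: DENY or frame-ancestors 'none')")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        # script-src falls back to default-src when it is absent
        script_src = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in script_src:
                findings.append(f"CSP allows {weak} for scripts")

    if h.get("referrer-policy", "").lower() not in ACCEPTABLE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or weaker than strict-origin-when-cross-origin")

    cache = [d.strip().lower() for d in h.get("cache-control", "").split(",")]
    if sensitive and "no-store" not in cache:
        findings.append("sensitive response lacks Cache-Control: no-store")
    return findings


# Constructed sample: a login response from a typical unhardened deployment.
WEAK_LOGIN_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
    "Cache-Control": "private, max-age=600",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_LOGIN_RESPONSE, sensitive=True):
        print("FAIL:", finding)
    print("hardened login findings:", audit_headers(security_headers(True), sensitive=True))
```

Run against the constructed login response, the audit reports every checklist item as failed except the CSP being present; run against the output of security_headers it reports nothing. The one check the headers alone cannot carry is "versioned filenames" for static assets, which has to be verified in the build pipeline rather than in the response.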