analyzing-security-headers
About
This skill analyzes HTTP security headers for web domains to identify vulnerabilities and misconfigurations like CSP and HSTS. It's triggered by phrases like "analyze security headers" and uses web fetching tools to audit compliance and provide security recommendations. Developers can use it to quickly assess website security posture and get actionable improvement guidance.
Quick Install
Claude Code
Recommended/plugin add https://github.com/jeremylongshore/claude-code-plugins-plusgit clone https://github.com/jeremylongshore/claude-code-plugins-plus.git ~/.claude/skills/analyzing-security-headersCopy and paste this command in Claude Code to install this skill
Documentation
Prerequisites
Before using this skill, ensure:
- Target URL or domain name is accessible
- Network connectivity for HTTP requests
- Permission to scan the target domain
- Optional: Save results to {baseDir}/security-reports/
Instructions
1. Domain Input Phase
Accept domain specification:
- Full URL with protocol (https://example.com)
- Domain name only (example.com - will test HTTPS first)
- Multiple domains for batch analysis
- Specific paths for header variation testing
2. Header Fetching Phase
Retrieve HTTP response headers:
- Make HEAD or GET request to target
- Capture all security-relevant headers
- Test both HTTP and HTTPS responses
- Record redirect chains and final destination
3. Analysis Phase
Evaluate each security header against best practices:
Critical Headers:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Permissions-Policy
Important Headers:
- Referrer-Policy
- Cross-Origin-Embedder-Policy (COEP)
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Resource-Policy (CORP)
Additional Checks:
- Server header information disclosure
- X-Powered-By header exposure
- Cookie security attributes (Secure, HttpOnly, SameSite)
4. Grading Phase
Calculate security score:
- A+ (95-100): All critical headers properly configured
- A (85-94): Critical headers present, minor issues
- B (75-84): Most headers present, some weaknesses
- C (65-74): Missing critical headers
- D (50-64): Significant security gaps
- F (<50): Multiple critical vulnerabilities
5. Report Generation Phase
Create comprehensive report with:
- Overall security grade and numeric score
- Missing headers with impact assessment
- Misconfigured headers with specific issues
- Remediation recommendations with examples
- Priority ranking for fixes
Output
The skill produces:
Primary Output: Security headers analysis report
Report Structure:
# Security Headers Analysis - example.com
## Overall Grade: B (82/100)
## Critical Headers Status
✅ Strict-Transport-Security: Present (max-age=31536000; includeSubDomains)
❌ Content-Security-Policy: Missing
✅ X-Frame-Options: Present (DENY)
✅ X-Content-Type-Options: Present (nosniff)
⚠️ Permissions-Policy: Misconfigured
## Detailed Findings
### Missing Headers (High Priority)
1. Content-Security-Policy
- Risk: XSS vulnerability exposure
- Recommendation: Implement strict CSP
- Example: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
### Misconfigured Headers
1. Permissions-Policy
- Current: geolocation=*
- Issue: Allows all origins
- Fix: geolocation=(self)
## Priority Actions
1. Add Content-Security-Policy (Critical)
2. Fix Permissions-Policy wildcard (High)
3. Add Referrer-Policy (Medium)
Optional Outputs:
- JSON format for automation: {baseDir}/security-reports/headers-DOMAIN-YYYYMMDD.json
- CSV for spreadsheet analysis
- Comparison report for multiple domains
Error Handling
Common Issues and Resolutions:
-
Domain Unreachable
- Error: "Failed to connect to example.com"
- Resolution: Check domain spelling, network connectivity, firewall rules
- Fallback: Test alternate protocols (HTTP vs HTTPS)
-
SSL/TLS Errors
- Error: "SSL certificate verification failed"
- Resolution: Note in report, test with certificate validation disabled
- Impact: Indicates HSTS not properly enforced
-
Redirect Loops
- Error: "Too many redirects"
- Resolution: Report redirect chain, analyze headers at each hop
- Note: Headers may differ across redirect chain
-
Rate Limiting
- Error: "HTTP 429 Too Many Requests"
- Resolution: Implement exponential backoff, reduce request frequency
- Fallback: Queue domain for later analysis
-
Mixed Content Issues
- Error: "Headers differ between HTTP and HTTPS"
- Resolution: Report both sets, highlight critical differences
- Recommendation: Ensure HSTS enforces HTTPS-only
Resources
Security Header References:
- OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
- MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
- Security Headers Scanner: https://securityheaders.com/
Header-Specific Documentation:
- CSP Reference: https://content-security-policy.com/
- HSTS Preload: https://hstspreload.org/
- Permissions Policy: https://www.w3.org/TR/permissions-policy/
Best Practice Guides:
- NIST Web Security Guidelines: https://pages.nist.gov/800-63-3/
- Mozilla Observatory: https://observatory.mozilla.org/
Testing Tools:
- Online header checker: https://securityheaders.com/
- Browser DevTools Network tab for manual inspection
- curl command for command-line testing:
curl -I https://example.com
Integration Examples:
- Automated header checks in CI/CD pipelines
- Periodic scanning with alerting on grade degradation
- Compliance reporting for security audits
GitHub Repository
Related Skills
sglang
MetaSGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.
evaluating-llms-harness
TestingThis Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.
llamaguard
OtherLlamaGuard is Meta's 7-8B parameter model for moderating LLM inputs and outputs across six safety categories like violence and hate speech. It offers 94-95% accuracy and can be deployed using vLLM, Hugging Face, or Amazon SageMaker. Use this skill to easily integrate content filtering and safety guardrails into your AI applications.
langchain
MetaLangChain is a framework for building LLM applications using agents, chains, and RAG pipelines. It supports multiple LLM providers, offers 500+ integrations, and includes features like tool calling and memory management. Use it for rapid prototyping and deploying production systems like chatbots, autonomous agents, and question-answering services.