performing-security-headers-audit

Featured

Auditing HTTP security headers including CSP, HSTS, X-Frame-Options, and cookie attributes to identify missing or misconfigured browser-level protections.

AI & Automation 13,115 stars 1533 forks Updated today Apache-2.0


Quality Score: 99/100 (weighted components)

Stars (20% weight): 100
Recency (20% weight): 100
Frontmatter (20% weight): 70
Documentation (15% weight): 100
Issue Health (10% weight): 50
License (10% weight): 100
Description (5% weight): 100

Skill Content

# Performing Security Headers Audit

## When to Use

- During authorized web application security assessments as a standard configuration review
- When evaluating browser-level protections against XSS, clickjacking, and data leakage
- For compliance assessments requiring security header implementation (PCI DSS, SOC 2)
- When performing initial reconnaissance to identify easy-win security improvements
- During CI/CD pipeline security gate checks for new deployments

## Prerequisites

- **Authorization**: Written scope for the target application (header review is low-risk)
- **curl**: For fetching response headers from target endpoints
- **SecurityHeaders.com**: Online scanner for quick header assessment
- **Mozilla Observatory**: Mozilla's web security testing tool
- **Burp Suite**: For comprehensive header analysis across multiple pages
- **Browser DevTools**: For examining headers and CSP violations in real-time

## Workflow

### Step 1: Collect Security Headers from Target

Retrieve and catalog all security-related response headers.

```bash
# Fetch all response headers
curl -s -I "https://target.example.com/" | grep -iE \
  "(strict-transport|content-security|x-frame|x-content-type|x-xss|referrer-policy|permissions-policy|feature-policy|x-permitted|cross-origin|set-cookie|server|x-powered-by|cache-control)"

# Check headers across multiple pages
PAGES=("/" "/login" "/api/health" "/admin" "/account/settings" "/static/app.js")
for page in "${PAGES[@]}"; do
  echo "=== $page...
```
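As an added example (not part of the skill's own content), the headers collected in Step 1 can be audited offline: the script below parses a raw response header block and flags the missing or weak protections the skill targets (HSTS max-age, `'unsafe-inline'` in CSP, clickjacking coverage, `nosniff`, cookie attributes, server disclosure). The sample response is constructed for illustration, not captured from any host.

```python
import re

# Constructed sample response (not captured from any real host) to exercise the audit.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw: str) -> dict:
    """Map lowercase header names to lists of values (Set-Cookie may repeat)."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(headers: dict) -> list:
    """Return findings for missing or weak protections; an empty list means clean."""
    findings = []
    hsts = headers.get("strict-transport-security", [""])[0]
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append("HSTS missing")
    elif not max_age or int(max_age.group(1)) < 31536000:  # one year, the usual floor
        findings.append("HSTS max-age below one year")
    csp = headers.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp:  # a nonce makes browsers ignore it
        findings.append("CSP allows 'unsafe-inline' scripts/styles")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if headers.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options not set to nosniff")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie.split('=', 1)[0]} lacks {flag}")
    findings += [f"{h} header discloses server software" for h in ("server", "x-powered-by") if h in headers]
    return findings

if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("[!]", finding)
```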

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Listed

security-headers

Validate and implement HTTP security headers to protect web applications.

335 Updated today
aiskillstore
AI & Automation Solid

security-headers-configuration

Configures HTTP security headers to protect against XSS, clickjacking, and MIME sniffing attacks. Use when hardening web applications, passing security audits, or implementing Content Security Policy.

162 Updated 2 weeks ago
secondsky
AI & Automation Solid

http-header-security-audit

Execute http header security audit operations. Auto-activating skill for Security Fundamentals. Triggers on: http header security audit, http header security audit Part of the Security Fundamentals skill category. Use when analyzing or auditing http header security audit. Trigger with phrases like "http header security audit", "http audit", "http".

2,274 Updated today
jeremylongshore
Web & Frontend Listed

saas-frontend-hardening

Audit web frontend security including Content Security Policy (CSP), Subresource Integrity (SRI), XSS prevention, clickjacking protection, secure cookies (SameSite/HttpOnly/Secure), postMessage origin validation, Trusted Types, and security headers. Use this skill whenever the user asks about CSP, XSS, frontend security, secure cookies, clickjacking, security headers, SRI, sandbox iframes, Trusted Types, or "audit my web app security". Trigger on phrases like "audit my CSP", "review my security headers", "XSS protection", "secure cookies", "clickjacking", "frontend hardening", "CORB", "report-uri". Use this even when only one header or topic is mentioned.

1 Updated 1 week ago
hlsitechio
Web & Frontend Listed

web-platform-security

Audit browser-enforced security primitives every web app depends on: CORS, Content Security Policy (CSP with nonces and Trusted Types), cross-origin isolation (COOP/COEP/CORP), modern cookies (SameSite, __Host- prefix, CHIPS Partitioned), Permissions-Policy, Subresource Integrity, HSTS, Referrer-Policy, iframe sandboxing, postMessage origin checks, Private Network Access (PNA), WebAuthn/Passkeys, and FedCM. Sourced from web.dev, developer.chrome.com, and the Fetch/HTML/Cookies/WebAuthn specs. Use when the user asks about security headers, CORS, CSP design, secure cookies, cross-origin isolation, SharedArrayBuffer requirements, clickjacking, mixed content, HSTS preload, sandboxed iframes, passkeys, FedCM, PNA, partitioned cookies, or 'audit my browser security'. Triggers: 'review my CSP', 'audit my CORS', 'are my cookies safe', 'enable cross-origin isolation', 'set up Trusted Types', 'WebAuthn integration', 'CHIPS cookies'. Use even when only one primitive is mentioned.

1 Updated 1 week ago
hlsitechio