analyzing-security-headers (Claude Skill)
Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations.
| field | value |
|---|---|
| name | analyzing-security-headers |
| description | Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations. Use when you need to audit website security headers, assess header compliance, or get security recommendations for web applications. Trigger with phrases like "analyze security headers", "check HTTP headers", "audit website security headers", or "evaluate CSP and HSTS configuration". |
| allowed-tools | Read, WebFetch, WebSearch, Grep |
| version | 1.0.0 |
| author | Jeremy Longshore <jeremy@intentsolutions.io> |
| license | MIT |
| compatible-with | claude-code, codex, openclaw |
| tags | ["security","compliance","audit"] |
Analyzing Security Headers
Overview
Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.
Prerequisites
- Target URL or domain name accessible over the network
- Authorization to perform HTTP requests against the target domain
- Network connectivity for both HTTP and HTTPS protocols
- Optional: write access to `${CLAUDE_SKILL_DIR}/security-reports/` for persisting results
Instructions
- Accept the target domain. If only a domain name is provided, default to `https://`. For batch analysis, accept a newline-separated list.
- Fetch response headers using `WebFetch` for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
- Evaluate critical headers -- flag any that are missing or misconfigured:
  - `Strict-Transport-Security`: require `max-age` >= 31536000, `includeSubDomains`, and preload eligibility
  - `Content-Security-Policy`: check for `unsafe-inline`, `unsafe-eval`, overly broad `default-src`, and missing `frame-ancestors`
  - `X-Frame-Options`: require `DENY` or `SAMEORIGIN`
  - `X-Content-Type-Options`: require `nosniff`
  - `Permissions-Policy`: verify camera, microphone, and geolocation restrictions
- Evaluate important headers -- report status and recommendations:
  - `Referrer-Policy`: recommend `strict-origin-when-cross-origin` or `no-referrer`
  - `Cross-Origin-Embedder-Policy` (COEP), `Cross-Origin-Opener-Policy` (COOP), `Cross-Origin-Resource-Policy` (CORP)
- Check for information disclosure -- flag `Server`, `X-Powered-By`, `X-AspNet-Version`, and any header revealing technology stack or version numbers.
- Inspect cookie attributes on `Set-Cookie` headers: verify `Secure`, `HttpOnly`, `SameSite=Lax|Strict`, and `__Host-`/`__Secure-` prefix usage.
- Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
- Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the five-phase implementation workflow.
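As an added illustration of the checks and grade bands above (example code, not part of the skill or its references), the following evaluates one captured set of response headers. The per-finding weights, the single `Set-Cookie` value, and the sample headers themselves are constructed assumptions; the grade bands are the skill's.

```python
import re

# Constructed sample response headers for a deliberately weak configuration
# (not captured from any real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
    "Set-Cookie": "session=abc; Path=/; HttpOnly",
}

DISCLOSURE = ("Server", "X-Powered-By", "X-AspNet-Version")

def analyze(headers):
    """Return (findings, score). Weights are an assumption, not the skill's."""
    h = {k.lower(): v for k, v in headers.items()}
    findings, score = [], 100
    def fail(msg, weight):
        nonlocal score
        findings.append(msg)
        score -= weight
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        fail("HSTS missing", 20)
    elif int(m.group(1)) < 31536000:
        fail("HSTS max-age below one year", 10)
    if hsts and "includesubdomains" not in hsts.lower():
        fail("HSTS lacks includeSubDomains", 5)
    csp = h.get("content-security-policy", "")
    if not csp:
        fail("CSP missing", 20)
    else:
        if "'unsafe-inline'" in csp: fail("CSP allows unsafe-inline", 10)
        if "'unsafe-eval'" in csp: fail("CSP allows unsafe-eval", 10)
        if re.search(r"default-src[^;]*\*", csp): fail("CSP default-src is overly broad", 10)
        # Either frame-ancestors or a strict X-Frame-Options covers clickjacking.
        if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
            fail("No clickjacking protection (frame-ancestors / X-Frame-Options)", 10)
    if h.get("x-content-type-options", "").lower() != "nosniff": fail("X-Content-Type-Options nosniff missing", 5)
    if "permissions-policy" not in h: fail("Permissions-Policy missing", 5)
    if h.get("referrer-policy", "") not in ("strict-origin-when-cross-origin", "no-referrer"): fail("Referrer-Policy weak or missing", 5)
    for name in DISCLOSURE:
        if name.lower() in h: fail(f"{name} discloses technology: {h[name.lower()]}", 3)
    cookie = h.get("set-cookie", "")  # assumes one Set-Cookie value
    for attr in ("Secure", "HttpOnly", "SameSite"):
        if cookie and attr.lower() not in cookie.lower(): fail(f"Set-Cookie lacks {attr}", 4)
    return findings, max(score, 0)

def grade(score):
    """Map a 0-100 score to the skill's grade bands."""
    for g, floor in (("A+", 95), ("A", 85), ("B", 75), ("C", 65), ("D", 50)):
        if score >= floor:
            return g
    return "F"
```

The sample set scores 34 (grade F) with ten findings; a hardened set (one-year HSTS with `includeSubDomains`, a `'self'` CSP with `frame-ancestors`, `nosniff`, Permissions-Policy, `no-referrer`, a `__Host-` cookie with all three attributes, no disclosure headers) scores 100.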
Output
- Headers Analysis Report: overall grade, per-header status (present/missing/misconfigured), and risk impact
- Remediation Checklist: prioritized fixes with server configuration snippets
- Cookie Security Assessment: attribute compliance for each `Set-Cookie` header
- Comparison Table: side-by-side HTTP vs. HTTPS header differences
Error Handling
| Error | Cause | Solution |
|---|---|---|
| Failed to connect to domain | DNS resolution failure, firewall block, or domain down | Verify domain spelling and DNS records; test alternate protocols |
| SSL certificate verification failed | Expired, self-signed, or mismatched certificate | Note TLS issue in report; indicates HSTS not properly enforced |
| Too many redirects | Redirect loop between HTTP and HTTPS | Report the redirect chain and analyze headers at each hop |
| HTTP 429 Too Many Requests | Rate limiting by target server | Implement backoff; queue domain for delayed re-analysis |
| Headers differ between HTTP and HTTPS | Inconsistent server configuration | Report both sets; highlight critical differences and flag HSTS gap |
Examples
- "Analyze security headers for `https://claudecodeplugins.io` and explain any CSP or HSTS issues."
- "Check headers for `example.com` on both HTTP and HTTPS and provide an Nginx remediation config."
- "Batch-analyze headers for five staging domains and rank them by security grade."
Resources
- OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
- MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
- Security Headers Scanner: https://securityheaders.com/
- Content Security Policy Reference: https://content-security-policy.com/
- HSTS Preload Submission: https://hstspreload.org/
- `${CLAUDE_SKILL_DIR}/references/errors.md` -- full error handling reference
- `${CLAUDE_SKILL_DIR}/references/examples.md` -- additional usage examples
- https://intentsolutions.io