security-headers-csp

Security Headers & CSP

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "security-headers-csp" with this command: npx skills add sraloff/gravityboots/sraloff-gravityboots-security-headers-csp

Security Headers & CSP

When to use this skill

  • Configuring web servers (Nginx, Caddy, Apache).

  • Setting up middleware (Laravel, Express, Django).

  • Auditing site security.

  1. Essential Headers

  • HSTS: Strict-Transport-Security: max-age=31536000 (1 year).

  • No Sniff: X-Content-Type-Options: nosniff .

  • Frame Options: X-Frame-Options: DENY or SAMEORIGIN .

  1. Content Security Policy (CSP)

  • Default: Start with default-src 'self' .

  • Scripts: Avoid 'unsafe-inline' or 'unsafe-eval' . Use nonces or hashes if inline scripts are necessary.

  • Reporting: Use report-uri or report-to to monitor violations without breaking the site initially (Content-Security-Policy-Report-Only ).

  1. CORS

  • Scope: Only enable CORS if you are serving an API consumed by browsers on different domains.

  • Origin: Whitelist specific origins; avoid Access-Control-Allow-Origin: * with credentials.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

General

apache-lamp-config

No summary provided by upstream source.

Repository SourceNeeds Review
-5
sraloff
General

caddy-modern-config

No summary provided by upstream source.

Repository SourceNeeds Review
-5
sraloff
General

wordpress-legacy

No summary provided by upstream source.

Repository SourceNeeds Review
-4
sraloff