Analyzing Security Headers

Overview

Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.

Prerequisites

• Target URL or domain name accessible over the network
• Authorization to perform HTTP requests against the target domain
• Network connectivity for both HTTP and HTTPS protocols
• Optional: write access to ${CLAUDE_SKILL_DIR}/security-reports/ for persisting results

Instructions

1. Accept the target domain. If only a domain name is provided, default to https://. For batch analysis, accept a newline-separated list.
2. Fetch response headers using WebFetch for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
3. Evaluate critical headers -- flag any that are missing or misconfigured:
   • Strict-Transport-Security: require max-age>=31536000, includeSubDomains, and preload eligibility
   • Content-Security-Policy: check for unsafe-inline, unsafe-eval, overly broad default-src, and missing frame-ancestors
   • X-Frame-Options: require DENY or SAMEORIGIN
   • X-Content-Type-Options: require nosniff
   • Permissions-Policy: verify camera, microphone, geolocation restrictions
4. Evaluate important headers -- report status and recommendations:
   • Referrer-Policy: recommend strict-origin-when-cross-origin or no-referrer
   • Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP)
5. Check for information disclosure -- flag Server, X-Powered-By, X-AspNet-Version, and any header revealing technology stack or version numbers.
6. Inspect cookie attributes on Set-Cookie headers: verify Secure, HttpOnly, SameSite=Lax|Strict, and __Host-/__Secure- prefix usage.
7. Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
8. Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.

See ${CLAUDE_SKILL_DIR}/references/implementation.md for the five-phase implementation workflow.

Output

• Headers Analysis Report: overall grade, per-header status (present/missing/misconfigured), and risk impact
• Remediation Checklist: prioritized fixes with server configuration snippets
• Cookie Security Assessment: attribute compliance for each Set-Cookie header
• Comparison Table: side-by-side HTTP vs. HTTPS header differences

Error Handling

Examples

• "Analyze security headers for https://claudecodeplugins.io and explain any CSP or HSTS issues."
• "Check headers for example.com on both HTTP and HTTPS and provide an Nginx remediation config."
• "Batch-analyze headers for five staging domains and rank them by security grade."

Resources

• OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
• MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
• Security Headers Scanner: https://securityheaders.com/
• Content Security Policy Reference: https://content-security-policy.com/
• HSTS Preload Submission: https://hstspreload.org/
• ${CLAUDE_SKILL_DIR}/references/errors.md -- full error handling reference
• ${CLAUDE_SKILL_DIR}/references/examples.md -- additional usage examples
• https://intentsolutions.io