Analyzing Security Headers
Overview
Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.
Prerequisites
- Target URL or domain name accessible over the network
- Authorization to perform HTTP requests against the target domain
- Network connectivity for both HTTP and HTTPS protocols
- Optional: write access to
${CLAUDE_SKILL_DIR}/security-reports/for persisting results
Instructions
- Accept the target domain. If only a domain name is provided, default to
https://. For batch analysis, accept a newline-separated list. - Fetch response headers using
WebFetchfor both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL. - Evaluate critical headers -- flag any that are missing or misconfigured:
Strict-Transport-Security: requiremax-age>=31536000,includeSubDomains, and preload eligibilityContent-Security-Policy: check forunsafe-inline,unsafe-eval, overly broaddefault-src, and missingframe-ancestorsX-Frame-Options: requireDENYorSAMEORIGINX-Content-Type-Options: requirenosniffPermissions-Policy: verify camera, microphone, geolocation restrictions
- Evaluate important headers -- report status and recommendations:
Referrer-Policy: recommendstrict-origin-when-cross-originorno-referrerCross-Origin-Embedder-Policy(COEP),Cross-Origin-Opener-Policy(COOP),Cross-Origin-Resource-Policy(CORP)
- Check for information disclosure -- flag
Server,X-Powered-By,X-AspNet-Version, and any header revealing technology stack or version numbers. - Inspect cookie attributes on
Set-Cookieheaders: verifySecure,HttpOnly,SameSite=Lax|Strict, and__Host-/__Secure-prefix usage. - Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
- Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.
See ${CLAUDE_SKILL_DIR}/references/implementation.md for the five-phase implementation workflow.
Output
- Headers Analysis Report: overall grade, per-header status (present/missing/misconfigured), and risk impact
- Remediation Checklist: prioritized fixes with server configuration snippets
- Cookie Security Assessment: attribute compliance for each
Set-Cookieheader - Comparison Table: side-by-side HTTP vs. HTTPS header differences
Error Handling
| Error | Cause | Solution | |-------|-------|----------| | Failed to connect to domain | DNS resolution failure, firewall block, or domain down | Verify domain spelling and DNS records; test alternate protocols | | SSL certificate verification failed | Expired, self-signed, or mismatched certificate | Note TLS issue in report; indicates HSTS not properly enforced | | Too many redirects | Redirect loop between HTTP and HTTPS | Report the redirect chain and analyze headers at each hop | | HTTP 429 Too Many Requests | Rate limiting by target server | Implement backoff; queue domain for delayed re-analysis | | Headers differ between HTTP and HTTPS | Inconsistent server configuration | Report both sets; highlight critical differences and flag HSTS gap |
Examples
- "Analyze security headers for
https://claudecodeplugins.ioand explain any CSP or HSTS issues." - "Check headers for
example.comon both HTTP and HTTPS and provide an Nginx remediation config." - "Batch-analyze headers for five staging domains and rank them by security grade."
Resources
- OWASP Secure Headers Project: https://owasp.org/www-project-secure-headers/
- MDN Security Headers Guide: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security
- Security Headers Scanner: https://securityheaders.com/
- Content Security Policy Reference: https://content-security-policy.com/
- HSTS Preload Submission: https://hstspreload.org/
${CLAUDE_SKILL_DIR}/references/errors.md-- full error handling reference${CLAUDE_SKILL_DIR}/references/examples.md-- additional usage examples- https://intentsolutions.io