security-headers

Verify and configure HTTP security headers (CSP, HSTS, CORS, X-Frame-Options, etc). Checks current configuration and generates framework-specific fixes.

Source: fusengine/agents
Updated: 2026-05-17

// install — copy + paste into any project

mkdir -p .claude/skills && curl -fsSL https://raw.githubusercontent.com/fusengine/agents/HEAD/plugins/security-expert/skills/security-headers/SKILL.md -o .claude/skills/security-headers.md

Drops the SKILL.md into .claude/skills/security-headers.md. Works with Claude Code, Cursor, and any agent that loads SKILL.md files from .claude/skills/.

Security Headers Skill

Overview

Audit and configure HTTP security headers for web applications.

Required Headers

| Header | Purpose | Severity if Missing |
|---|---|---|
| Content-Security-Policy | Prevent XSS/injection | HIGH |
| Strict-Transport-Security | Force HTTPS | HIGH |
| X-Content-Type-Options | Prevent MIME sniffing | MEDIUM |
| X-Frame-Options | Prevent clickjacking | MEDIUM |
| Referrer-Policy | Control referrer info | LOW |
| Permissions-Policy | Control browser features | LOW |
| X-XSS-Protection | Legacy XSS filter | LOW |

Workflow

  1. Detect framework (Next.js, Laravel, Express, etc.)
  2. Check current header configuration
  3. Compare against security best practices
  4. Generate framework-specific configuration
  5. Validate headers are properly set
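
Steps 2, 3 and 5 of the workflow can be exercised with a small checker. The following is an added example, not code from the fusengine skill: it compares a response's headers against the Required Headers table. The value checks, the 180-day HSTS minimum, the rule that a weak value is rated like a missing header, and the names `audit`, `weak_value` and `SAMPLE` are assumptions made for illustration.

```python
import re
# Severity if missing, copied from the Required Headers table above.
REQUIRED = {
    "content-security-policy": "HIGH", "strict-transport-security": "HIGH",
    "x-content-type-options": "MEDIUM", "x-frame-options": "MEDIUM",
    "referrer-policy": "LOW", "permissions-policy": "LOW", "x-xss-protection": "LOW",
}
MIN_HSTS_MAX_AGE = 15552000  # assumption: 180 days; the page sets no threshold
ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def weak_value(name, value):
    """Return why a header that is present is still weak, or None if it looks fine."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r'max-age\s*=\s*"?(\d+)', v)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            return "max-age missing or below the assumed minimum"
    elif name == "x-content-type-options" and v != "nosniff":
        return "value is not nosniff"
    elif name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "value is not DENY or SAMEORIGIN"
    elif name == "content-security-policy":
        parts = [d.split() for d in reversed(v.split(";")) if d.strip()]
        directives = {p[0]: p[1:] for p in parts}  # reversed: first occurrence wins
        src = directives.get("script-src", directives.get("default-src"))
        if src is None:
            return "no script-src or default-src directive"
        if "'unsafe-inline'" in src and not any(s.startswith(("'nonce-", "'sha")) for s in src):
            return "script source allows 'unsafe-inline' without a nonce or hash"
    return None

def audit(headers):
    """Compare headers (name -> value) with REQUIRED; weak values rate like missing ones."""
    present = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name, severity in REQUIRED.items():
        if name not in present:
            findings.append((severity, name, "missing"))
        elif reason := weak_value(name, present[name]):
            findings.append((severity, name, reason))
    return sorted(findings, key=lambda f: ORDER[f[0]])  # HIGH first

SAMPLE = {  # constructed response headers, not captured from a real site
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "ALLOWALL",
}
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Feed `audit` the header dictionary from any HTTP client response; an empty list means every header in the table is present and passes the assumed value checks.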

Detection Points

| Framework | Config Location |
|---|---|
| Next.js | next.config.js headers, middleware.ts |
| Laravel | SecurityHeaders middleware |
| Express | helmet middleware |
| Django | SECURE_* settings |

References