AgentSkillsCN

security-headers

Verify and configure HTTP security headers (CSP, HSTS, CORS, X-Frame-Options, etc.). Checks the current configuration and generates framework-specific fixes.

SKILL.md
---
name: security-headers
description: Verify and configure HTTP security headers (CSP, HSTS, CORS, X-Frame-Options, etc). Checks current configuration and generates framework-specific fixes.
argument-hint: "[framework]"
user-invocable: true
---

Security Headers Skill

Overview

Audit and configure HTTP security headers for web applications.

Required Headers

| Header | Purpose | Severity if Missing |
|---|---|---|
| Content-Security-Policy | Prevent XSS/injection | HIGH |
| Strict-Transport-Security | Force HTTPS | HIGH |
| X-Content-Type-Options | Prevent MIME sniffing | MEDIUM |
| X-Frame-Options | Prevent clickjacking | MEDIUM |
| Referrer-Policy | Control referrer info | LOW |
| Permissions-Policy | Control browser features | LOW |
| X-XSS-Protection | Legacy XSS filter | LOW |

Workflow

  1. Detect framework (Next.js, Laravel, Express, etc.)
  2. Check current header configuration
  3. Compare against security best practices
  4. Generate framework-specific configuration
  5. Validate headers are properly set
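The following is an added example, not code from the AgentSkillsCN skill itself: a small Python audit that implements workflow steps 2, 3 and 5 against the required-header table above. It takes a dictionary of response headers (header names are matched case-insensitively, as HTTP requires), reports each required header that is missing with the severity from the table, and additionally flags headers that are present but weakly configured. The per-header value checks (HSTS max-age of at least one year, CSP without 'unsafe-inline'/'unsafe-eval', X-Frame-Options limited to DENY/SAMEORIGIN, and so on) are this example's own assumptions about safe defaults, not rules stated by the skill. The sample response headers are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# (header, purpose, severity if missing), mirroring the skill's required-header table
REQUIRED_HEADERS: List[Tuple[str, str, str]] = [
    ("Content-Security-Policy", "Prevent XSS/injection", "HIGH"),
    ("Strict-Transport-Security", "Force HTTPS", "HIGH"),
    ("X-Content-Type-Options", "Prevent MIME sniffing", "MEDIUM"),
    ("X-Frame-Options", "Prevent clickjacking", "MEDIUM"),
    ("Referrer-Policy", "Control referrer info", "LOW"),
    ("Permissions-Policy", "Control browser features", "LOW"),
    ("X-XSS-Protection", "Legacy XSS filter", "LOW"),
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

ONE_YEAR_SECONDS = 31536000


def _weak_value(name: str, value: str) -> Optional[str]:
    """Return a short description if the header value is weak, else None.

    These checks are assumptions of this example (conservative defaults),
    not requirements stated by the skill's table.
    """
    v = value.strip().lower()
    if name == "Content-Security-Policy":
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "policy allows 'unsafe-inline' or 'unsafe-eval'"
    elif name == "Strict-Transport-Security":
        match = re.search(r"max-age=(\d+)", v)
        if not match:
            return "max-age directive missing"
        if int(match.group(1)) < ONE_YEAR_SECONDS:
            return "max-age shorter than one year (31536000 seconds)"
    elif name == "X-Content-Type-Options":
        if v != "nosniff":
            return "value must be 'nosniff'"
    elif name == "X-Frame-Options":
        if v not in ("deny", "sameorigin"):
            return "value should be DENY or SAMEORIGIN"
    elif name == "Referrer-Policy":
        if v == "unsafe-url":
            return "'unsafe-url' sends the full URL to every destination"
    return None


def audit_headers(headers: Dict[str, str]) -> List[dict]:
    """Compare response headers against REQUIRED_HEADERS and return findings."""
    # Header names are case-insensitive, so normalise the keys before lookup
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[dict] = []
    for name, purpose, severity in REQUIRED_HEADERS:
        value = present.get(name.lower())
        if value is None:
            findings.append({"header": name, "severity": severity,
                             "issue": "missing", "purpose": purpose})
            continue
        weak = _weak_value(name, value)
        if weak is not None:
            findings.append({"header": name, "severity": severity,
                             "issue": weak, "purpose": purpose})
    return findings


def worst_severity(findings: List[dict]) -> Optional[str]:
    """Highest severity among the findings, or None when the audit is clean."""
    if not findings:
        return None
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample: headers as a misconfigured app might return them
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "Content-Type": "text/html; charset=utf-8",
    "strict-transport-security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}


if __name__ == "__main__":
    results = audit_headers(SAMPLE_RESPONSE_HEADERS)
    for finding in results:
        print(f"[{finding['severity']}] {finding['header']}: {finding['issue']}")
    print("worst severity:", worst_severity(results))
```

To run this against a live service, feed `audit_headers` the headers of a real response (for example `dict(requests.head(url).headers)`); the function only inspects the mapping, so it works the same for headers read from a framework's test client, which is the natural place to automate step 5 in CI.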

Detection Points

| Framework | Config Location |
|---|---|
| Next.js | next.config.js headers, middleware.ts |
| Laravel | SecurityHeaders middleware |
| Express | helmet middleware |
| Django | SECURE_* settings |

References