Complete guide to HTTP security headers for web applications. Each header is described with its purpose, recommended value, common pitfalls, and browser The mos
The Security Headers skill provides a comprehensive reference for configuring HTTP security headers that protect web applications from common vulnerabilities. It covers directives like Content Security Policy (CSP), Strict-Transport-Security (HSTS), and clickjacking protections through frame-ancestors and X-Frame-Options. Each header includes recommended values, potential pitfalls, and rollout strategies to help maintain robust browser security policies.
This skill helps marketers and developers reduce risks such as cross-site scripting (XSS), mixed content issues, and framing attacks by guiding precise header configurations. It also details nonce-based CSP setups for safer inline scripts and incremental CSP deployment via report-only modes, enabling gradual enforcement without disrupting live traffic.
This skill is designed for growth leads overseeing secure web experiences, SEO specialists ensuring site integrity and uptime, and agency strategists managing client applications with strict compliance needs. It suits teams responsible for deploying and maintaining security policies that directly impact site performance, user trust, and search engine rankings. It is particularly useful for those integrating security headers into multi-domain or content-rich environments where misconfiguration can cause breakage or lock out users.
Practitioners start by auditing existing security headers and identifying missing or weak directives, such as absent `object-src 'none'` or overly permissive `script-src` values. Next, they implement a strict starter CSP policy, replacing unsafe wildcards with explicit domains and adding nonces for inline scripts to maintain functionality without compromising security. Following that, they use CSP report-only mode to monitor violations and adjust policies incrementally, reducing the risk of site breakage. Finally, they configure HSTS headers cautiously with staged max-age increases, ensuring all subdomains serve HTTPS before enabling preload lists to avoid user lockout.
How do I safely allow inline scripts without using `'unsafe-inline'`? Use cryptographically random, per-request nonces in the `script-src` directive to authorize inline scripts securely.
Can I deploy CSP without breaking my site? Yes: start with `Content-Security-Policy-Report-Only` mode to collect violation reports and fix issues before enforcing.
When should I enable HSTS preload? Only after confirming all your domains and subdomains serve valid HTTPS, and after gradually increasing the `max-age` to prevent accidental lockouts.
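The audit, nonce, report-only and staged-HSTS steps above, as an added Python example that is not the skill's own code: the weak-token list, the report endpoint path and the sample policies are constructed, and the preload minimums follow the HSTS preload list's published requirements (max-age of at least one year plus includeSubDomains).

```python
import secrets
# Tokens that make script-src effectively open (constructed list for the audit step).
WEAK_SCRIPT_TOKENS = {"'unsafe-inline'", "*", "http:", "https:"}

def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source tokens]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header: str) -> list:
    """Flag the weak patterns the guide names: missing object-src 'none', open script-src."""
    policy = parse_csp(header)
    findings = []
    if policy.get("object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    script_src = policy.get("script-src", policy.get("default-src", []))
    weak = WEAK_SCRIPT_TOKENS.intersection(script_src)
    if weak:
        findings.append("script-src allows " + ", ".join(sorted(weak)))
    return findings

def new_nonce() -> str:
    """Per-request nonce: 128 bits from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(16)

def build_csp(nonce: str, report_only: bool, report_uri: str = "") -> tuple:
    """Strict starter policy; report_only picks the monitor-mode header name."""
    directives = [
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)

def build_hsts(max_age: int, include_subdomains: bool, preload: bool) -> str:
    """Emit 'preload' only once the preload-list minimums are met (1 year, includeSubDomains)."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload and include_subdomains and max_age >= 31536000:
        value += "; preload"
    return value
```

Call `build_csp(new_nonce(), True, "/csp-report")` per request during the monitoring phase, then flip `report_only` to `False` once the violation reports are clean.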
Attach the Security Headers skill to any Metaflow agent task responsible for web application configuration or audit workflows. Expect it to analyze current HTTP header setups, recommend strict policies, and guide incremental rollout strategies through actionable insights. This skill supports iterative security improvements while minimizing disruption during deployment. For detailed instructions on integrating and tuning header policies within Metaflow, start by...