security-headers-configuration
aj-geddes/useful-ai-prompts · updated Apr 8, 2026
Implement comprehensive HTTP security headers to protect web applications from XSS, clickjacking, MIME sniffing, and other browser-based attacks.
Security Headers Configuration
Overview
Implement a comprehensive set of HTTP security headers (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options and related headers) to protect web applications from XSS, clickjacking, MIME sniffing and other browser-based attacks. These headers tell the browser which script sources, transports and framing contexts are allowed; they complement, and do not replace, output encoding and input validation in the application itself.
When to Use
- New web application deployment
- Security audit remediation
- Compliance requirements
- Browser security hardening
- API security
- Static site protection
Quick Start
Minimal working example:
```javascript
// security-headers.js
const helmet = require("helmet");

function configureSecurityHeaders(app) {
  // Comprehensive Helmet configuration
  app.use(
    helmet({
      // Content Security Policy
      contentSecurityPolicy: {
        directives: {
          defaultSrc: ["'self'"],
          scriptSrc: [
            "'self'",
            "'unsafe-inline'", // Development only: remove in production (see the DON'T list below)
            "https://cdn.example.com",
            "https://www.google-analytics.com",
          ],
          styleSrc: [
            "'self'",
            "'unsafe-inline'",
            "https://fonts.googleapis.com",
          ],
          fontSrc: ["'self'", "https://fonts.gstatic.com"],
          // "https:" allows images from any HTTPS origin; narrow it to named hosts where you can
          imgSrc: ["'self'", "data:", "https:", "blob:"],
          connectSrc: ["'self'", "https://api.example.com"],
          // ... (see reference guides for full implementation)
        },
      },
    })
  );
}

module.exports = { configureSecurityHeaders };
```
Reference Guides
Detailed implementations in the references/ directory:
- Node.js/Express Security Headers
- Nginx Security Headers Configuration
- Python Flask Security Headers
- Apache .htaccess Configuration
- Security Headers Testing Script
Best Practices
✅ DO
- Serve everything over HTTPS; security headers are only as trustworthy as the transport that carries them
- Implement a strict CSP: nonce- or hash-based script-src with 'strict-dynamic', plus object-src 'none' and base-uri 'self'
- Enable HSTS with includeSubDomains and a max-age of at least one year (31536000) before adding preload; a preload submission is effectively permanent
- Block framing with CSP frame-ancestors, keeping X-Frame-Options DENY or SAMEORIGIN for older browsers
- Prevent MIME sniffing with X-Content-Type-Options: nosniff
- Report CSP violations (report-uri / report-to) and roll out policy changes in Content-Security-Policy-Report-Only mode first
- Test headers after every deployment, not just once
- Use security scanners
❌ DON'T
- Allow 'unsafe-inline' (or 'unsafe-eval') in script-src; use nonces or hashes instead
- Skip HSTS on subdomains; a plain-HTTP subdomain can still be used to set cookies for the parent domain
- Ignore CSP violation reports; they surface both misconfigurations and real injection attempts
- Use overly permissive policies such as script-src https: or default-src *
- Forget to test changes; a typo in a CSP can break the whole site or silently disable the protection
Ratings
4.6 ★ (65 reviews)
- ★★★★★ Kaira Harris · Dec 20, 2024
Solid pick for teams standardizing on skills: security-headers-configuration is focused, and the summary matches what you get after install.
- ★★★★★ Kaira Garcia · Dec 16, 2024
security-headers-configuration is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★ Mateo Bansal · Dec 16, 2024
Useful defaults in security-headers-configuration — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★ Dhruvi Jain · Dec 12, 2024
Solid pick for teams standardizing on skills: security-headers-configuration is focused, and the summary matches what you get after install.
- ★★★★★ Aarav Farah · Dec 8, 2024
I recommend security-headers-configuration for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★ Aarav Liu · Nov 27, 2024
security-headers-configuration reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★ Arjun Choi · Nov 27, 2024
Keeps context tight: security-headers-configuration is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★ Aarav Zhang · Nov 11, 2024
We added security-headers-configuration from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★ Noor Lopez · Nov 7, 2024
Registry listing for security-headers-configuration matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★ Oshnikdeep · Nov 3, 2024
We added security-headers-configuration from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.