analyzing-security-headers

Analyzing Security Headers

Overview

Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.

Prerequisites

  • Target URL or domain name accessible over the network
  • Authorization to perform HTTP requests against the target domain
  • Network connectivity for both HTTP and HTTPS protocols
  • Optional: write access to ${CLAUDE_SKILL_DIR}/security-reports/ for persisting results

Instructions

  1. Accept the target domain. If only a domain name is provided, default to https://. For batch analysis, accept a newline-separated list.
  2. Fetch response headers using WebFetch for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
  3. Evaluate critical headers -- flag any that are missing or misconfigured:
    • Strict-Transport-Security: require max-age>=31536000, includeSubDomains, and preload eligibility
    • Content-Security-Policy: check for unsafe-inline, unsafe-eval, overly broad default-src, and missing frame-ancestors
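
The HSTS and CSP checks from step 3, as an added example that is not part of the skill itself. The function names, the BROAD_SOURCES set, and treating a missing preload directive as a finding are assumptions made for illustration.

```python
import re

HSTS_MIN_MAX_AGE = 31536000  # one year, the threshold from step 3
# Assumption: the page does not define "overly broad"; these sources are treated as such.
BROAD_SOURCES = {"*", "http:", "https:", "data:"}

def check_hsts(value):
    """Findings for a Strict-Transport-Security value (None means the header is absent)."""
    if value is None:
        return ["hsts: header missing"]
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [int(m.group(1)) for d in directives if (m := re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d))]
    findings = []
    if not ages:
        findings.append("hsts: max-age missing or unparseable")
    elif ages[0] < HSTS_MIN_MAX_AGE:
        findings.append(f"hsts: max-age {ages[0]} below {HSTS_MIN_MAX_AGE}")
    for name in ("includesubdomains", "preload"):
        if name not in directives:
            findings.append(f"hsts: {name} missing")
    return findings

def parse_csp(value):
    """Map directive name -> source list; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def check_csp(value):
    """Findings for a Content-Security-Policy value (None means the header is absent)."""
    if value is None:
        return ["csp: header missing"]
    policy = parse_csp(value)
    findings = [f"csp: {kw} in {name}" for name, srcs in policy.items()
                for kw in ("'unsafe-inline'", "'unsafe-eval'") if kw in srcs]
    if "default-src" not in policy:
        findings.append("csp: default-src missing")
    elif BROAD_SOURCES & set(policy["default-src"]):
        findings.append("csp: default-src overly broad")
    if "frame-ancestors" not in policy:  # does not fall back to default-src
        findings.append("csp: frame-ancestors missing")
    return findings

# Constructed sample values, not captured from any real site.
SAMPLE_HSTS = "max-age=86400; includeSubDomains"
SAMPLE_CSP = "default-src https:; script-src 'self' 'unsafe-inline'"
```

Header names are case-insensitive, so normalize them before looking up the values passed to these functions.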
First Seen
Feb 1, 2026