security-headers

Community

Fortify your app with essential browser security headers.

Author: harperaa
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve? This Skill explains and implements critical security headers that protect your application from common browser-based attacks like clickjacking, XSS amplification, MIME confusion, and SSL stripping. These headers make the browser enforce security policies even if other defenses are bypassed.

Core Features & Use Cases

  • Content-Security-Policy (CSP): Controls resource loading, preventing unauthorized scripts and data exfiltration.
  • X-Frame-Options: DENY: Stops clickjacking attacks by preventing your site from being embedded in iframes.
  • X-Content-Type-Options: nosniff: Prevents MIME confusion, ensuring browsers don't execute images as scripts.
  • Strict-Transport-Security (HSTS): Forces HTTPS connections, protecting against SSL stripping (production only).
  • Use Case: Automatically apply a dynamic CSP in your middleware.ts to restrict script and connection sources, preventing malicious injected scripts from communicating with attacker-controlled domains.

Quick Start

Example: Check applied security headers

(Headers are automatically applied via middleware.ts)

curl -I http://localhost:3000

Expected headers in response:

X-Frame-Options: DENY

X-Content-Type-Options: nosniff

Content-Security-Policy: default-src 'self'; ...

(HSTS only in production)
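
The Use Case and Quick Start above, sketched as an added TypeScript example (not the Skill's own code): it builds the header set with a per-request CSP and audits a response for the expected values. The function names, the sample nonce, the api.example.com source, the frame-ancestors directive and the HSTS max-age value are assumptions made for illustration.

```typescript
// Added example, not the Skill's code; all function names are hypothetical.
type HeaderMap = Record<string, string>;

// Per-request CSP; `nonce` must be freshly generated and unguessable for each response.
function buildCsp(nonce: string, connectSources: string[]): string {
  const directives: [string, string[]][] = [
    ["default-src", ["'self'"]],
    ["script-src", ["'self'", `'nonce-${nonce}'`]],
    ["connect-src", ["'self'", ...connectSources]], // limits where page scripts can send data
    ["frame-ancestors", ["'none'"]], // CSP counterpart of X-Frame-Options: DENY
  ];
  return directives.map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

function buildSecurityHeaders(nonce: string, connectSources: string[], isProduction: boolean): HeaderMap {
  const headers: HeaderMap = {
    "Content-Security-Policy": buildCsp(nonce, connectSources),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
  // HSTS only in production, as the page states (max-age value is an assumption).
  if (isProduction) headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
  return headers;
}

// Audit the headers seen in a response (e.g. copied from `curl -I` output).
// Header names are compared case-insensitively. Returns a list of problems.
function auditHeaders(received: HeaderMap, isProduction: boolean): string[] {
  const lower: HeaderMap = {};
  for (const key of Object.keys(received)) lower[key.toLowerCase()] = (received[key] || "").trim();
  const problems: string[] = [];
  if ((lower["x-frame-options"] || "").toUpperCase() !== "DENY") {
    problems.push("X-Frame-Options is not DENY");
  }
  if ((lower["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    problems.push("X-Content-Type-Options is not nosniff");
  }
  const csp = lower["content-security-policy"] || "";
  if (!csp.includes("default-src")) problems.push("CSP missing default-src");
  if (/script-src[^;]*'unsafe-inline'/.test(csp)) problems.push("CSP script-src allows 'unsafe-inline'");
  if (isProduction && !("strict-transport-security" in lower)) problems.push("HSTS missing in production");
  return problems;
}
```

An empty array from auditHeaders means the response carries the headers listed under "Expected headers in response".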

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: security-headers
Download link: https://github.com/harperaa/secure-claude-skills/archive/main.zip#security-headers

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.