check-secure-headers
Audits HTTP security headers configuration. Checks CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and cache control headers.
Best use case
check-secure-headers is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using check-secure-headers should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/check-secure-headers/SKILL.md` inside your project
- Restart your AI agent; it will auto-discover the skill
How check-secure-headers Compares
| Feature / Agent | check-secure-headers | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Audits HTTP security headers configuration. Checks CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and cache control headers.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Secure Headers Audit (A05:2021)
Analyze PHP code for missing or misconfigured HTTP security headers.
## Detection Patterns
### 1. Missing Content-Security-Policy (CSP)
```php
// VULNERABLE: No CSP — allows XSS via inline scripts
class ResponseMiddleware
{
    public function handle(Request $request, Response $response): Response
    {
        // No Content-Security-Policy header
        return $response;
    }
}
// CORRECT: Strict CSP
$response->headers->set('Content-Security-Policy',
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
);
```
### 2. Missing X-Frame-Options
```php
// VULNERABLE: Page can be embedded in iframe (clickjacking)
// No X-Frame-Options or frame-ancestors CSP directive
// CORRECT:
$response->headers->set('X-Frame-Options', 'DENY');
// Or for same-origin iframes:
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
```
### 3. Missing HSTS (HTTP Strict Transport Security)
```php
// VULNERABLE: No HSTS — allows SSL stripping attacks
// User can be downgraded from HTTPS to HTTP
// CORRECT:
$response->headers->set('Strict-Transport-Security',
'max-age=31536000; includeSubDomains; preload'
);
```
### 4. Missing X-Content-Type-Options
```php
// VULNERABLE: Browser may MIME-sniff responses
// A CSS file could be executed as JavaScript
// CORRECT:
$response->headers->set('X-Content-Type-Options', 'nosniff');
```
### 5. Missing Referrer-Policy
```php
// VULNERABLE: Full URL sent as Referer to external sites
// Leaks sensitive URL parameters (tokens, IDs)
// CORRECT:
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
// Or most restrictive:
$response->headers->set('Referrer-Policy', 'no-referrer');
```
### 6. Missing Permissions-Policy
```php
// VULNERABLE: Browser features available by default
// Camera, microphone, geolocation accessible
// CORRECT:
$response->headers->set('Permissions-Policy',
'camera=(), microphone=(), geolocation=(), payment=()'
);
```
### 7. Insecure Cache Headers on Sensitive Pages
```php
// VULNERABLE: Sensitive page cached by browser/proxy
class AccountController
{
    public function profile(): Response
    {
        // No cache control — profile page cached!
        return new Response($this->render('profile'));
    }
}
// CORRECT: No caching for sensitive pages
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, private');
$response->headers->set('Pragma', 'no-cache');
$response->headers->set('Expires', '0');
```
### 8. Weak CSP Configuration
```php
// VULNERABLE: Overly permissive CSP
$response->headers->set('Content-Security-Policy', "default-src *"); // Allows everything!
// VULNERABLE: unsafe-eval allows XSS
$response->headers->set('Content-Security-Policy',
"script-src 'self' 'unsafe-eval' 'unsafe-inline'" // Defeats CSP purpose
);
```
## Grep Patterns
```bash
# Security headers being set
Grep: "Content-Security-Policy|X-Frame-Options|Strict-Transport-Security" --glob "**/*.php"
Grep: "X-Content-Type-Options|Referrer-Policy|Permissions-Policy" --glob "**/*.php"
# Middleware/response handling
Grep: "class.*Middleware|function handle.*Response" --glob "**/*.php"
Grep: "headers->set\(|header\(" --glob "**/*.php"
# Framework security configs
Grep: "security.*headers|secure.*headers" --glob "**/*.yaml" --glob "**/*.yml"
Grep: "nelmio_security|security_headers" --glob "**/*.yaml"
# Cache headers on sensitive routes
Grep: "Cache-Control|no-store|no-cache" --glob "**/*.php"
# Weak CSP
Grep: "unsafe-eval|unsafe-inline|\*" --glob "**/*.php"
```
## Required Headers Checklist
| Header | Value | Purpose |
|--------|-------|---------|
| `Content-Security-Policy` | `default-src 'self'` | Prevent XSS, data injection |
| `X-Frame-Options` | `DENY` | Prevent clickjacking |
| `Strict-Transport-Security` | `max-age=31536000; includeSubDomains` | Force HTTPS |
| `X-Content-Type-Options` | `nosniff` | Prevent MIME sniffing |
| `Referrer-Policy` | `strict-origin-when-cross-origin` | Control referrer leakage |
| `Permissions-Policy` | `camera=(), microphone=()` | Restrict browser features |
| `Cache-Control` | `no-store` (on sensitive pages) | Prevent caching secrets |
## Severity Classification
| Pattern | Severity |
|---------|----------|
| Missing CSP | 🔴 Critical |
| Missing HSTS | 🔴 Critical |
| unsafe-eval in CSP | 🔴 Critical |
| Missing X-Frame-Options | 🟠 Major |
| Missing X-Content-Type-Options | 🟠 Major |
| Missing Referrer-Policy | 🟡 Minor |
| Missing Permissions-Policy | 🟡 Minor |
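As an added example (not part of the skill itself), the checklist and severity table above expressed as a header audit in Python: `audit_headers` takes one response's header dict and returns the findings the skill's output format would report, including the weak-CSP patterns from section 8. The `sensitive` flag models the "on sensitive pages" cache rule; the Major ratings for `'unsafe-inline'` and for the cache rule are assumptions, since the page leaves those unrated.

```python
# Severities follow the "Severity Classification" table on this page.
REQUIRED = {
    "Content-Security-Policy": "Critical",
    "Strict-Transport-Security": "Critical",
    "X-Frame-Options": "Major",
    "X-Content-Type-Options": "Major",
    "Referrer-Policy": "Minor",
    "Permissions-Policy": "Minor",
}

def parse_csp(csp):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def csp_findings(csp):
    """Weak-CSP patterns from section 8. 'unsafe-eval' is Critical per the
    table; the Major rating for 'unsafe-inline' in script-src is an assumption."""
    d = parse_csp(csp)
    out = []
    if "*" in d.get("default-src", []):
        out.append(("Critical", "CSP default-src allows every origin (*)"))
    # script-src falls back to default-src when not set explicitly
    script = d.get("script-src", d.get("default-src", []))
    if "'unsafe-eval'" in script:
        out.append(("Critical", "CSP script-src permits 'unsafe-eval'"))
    if "'unsafe-inline'" in script:
        out.append(("Major", "CSP script-src permits 'unsafe-inline'"))
    return out

def audit_headers(headers, sensitive=False):
    """Return [(severity, message)] for one response's headers (a dict).
    Names are matched case-insensitively; `sensitive` applies the checklist's
    Cache-Control: no-store rule (its Major rating is an assumption)."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = [(sev, f"Missing {name}") for name, sev in REQUIRED.items()
                if name.lower() not in present]
    if "content-security-policy" in present:
        findings.extend(csp_findings(present["content-security-policy"]))
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(("Major", "X-Content-Type-Options must be 'nosniff'"))
    if sensitive and "no-store" not in present.get("cache-control", "").lower():
        findings.append(("Major", "Sensitive page served without Cache-Control: no-store"))
    return findings
```

Feeding it the hardened header set from the CORRECT snippets above yields no findings, while the section 8 CSP strings each produce the Critical entries the severity table calls for.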
## Output Format
````markdown
### Secure Headers: [Description]
**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line` or framework config
**CWE:** CWE-693 (Protection Mechanism Failure)
**OWASP:** A05:2021 — Security Misconfiguration
**Missing/Misconfigured Header:**
`Header-Name: expected-value`
**Risk:**
[What attack this enables]
**Fix:**
```php
$response->headers->set('Header-Name', 'secure-value');
```
````
Related Skills
create-health-check
Generates Health Check pattern for PHP 8.4. Creates application-level health endpoints with component checkers (Database, Redis, RabbitMQ), status aggregation, and RFC-compliant JSON response. Includes unit tests.
create-docker-healthcheck
Generates Docker health check scripts for PHP services. Creates PHP-FPM, Nginx, and custom endpoint health checks.
check-xxe
Analyzes PHP code for XML External Entity vulnerabilities. Detects unsafe XML parsers, missing entity protection, LIBXML flags issues, XSLT attacks.
check-version-consistency
Audits version consistency across project files. Checks composer.json, README, CHANGELOG, docs, and configuration files for version number synchronization.
check-type-juggling
Detects PHP type juggling vulnerabilities. Identifies loose comparison with user input, in_array without strict mode, switch statement type coercion, and hash comparison bypasses.
check-timeout-strategy
Audits timeout configuration across HTTP clients, database connections, queue consumers, cache operations, and external service calls. Detects missing or misconfigured timeouts.
check-test-quality
Analyzes PHP test code quality. Checks test structure, assertion quality, test isolation, naming conventions, AAA pattern adherence.
check-ssrf
Analyzes PHP code for SSRF vulnerabilities. Detects unvalidated URLs, internal network access, DNS rebinding, cloud metadata access, URL parsing bypass attempts.
check-sql-injection
Analyzes PHP code for SQL injection vulnerabilities. Detects query concatenation, ORM misuse, raw queries, dynamic identifiers, prepared statement bypasses.
check-serialization
Analyzes PHP code for serialization overhead. Detects inefficient JSON encoding, large object hydration, missing JsonSerializable, circular reference issues.
check-sensitive-data
Analyzes PHP code for sensitive data exposure. Detects plaintext secrets, exposed credentials, PII in logs, insecure storage, hardcoded keys.
check-scalability-readiness
Analyzes PHP code for scalability issues. Detects file-based sessions, in-memory state, hardcoded hostnames, filesystem-dependent state, and missing stateless design patterns.