
Security Headers Check

Verified by Community

Analyzes HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) with specific configuration recommendations and implementation guides for common web servers.

Tags: security, headers, web, HTTP, CSP, HSTS


Audit and configure HTTP security headers for web applications. Analyzes current headers and provides specific configuration recommendations with implementation guides for your web server.

Usage

Provide your website URL or current header configuration. The checker evaluates each security header against best practices and provides specific values to implement with server configuration examples.

Parameters

  • Target: URL to check or current header values
  • Server: Nginx, Apache, Caddy, Express, Next.js, or Cloudflare
  • Level: Basic protection, Recommended, or Maximum security
  • Framework: React, Next.js, Django, Rails, or Static site

Examples

  1. Next.js Application: Complete security headers configuration for next.config.js including CSP with nonces for inline scripts, HSTS with preload, and permissions policy for camera/mic access.
  2. Nginx Server Block: Full security headers configuration for an Nginx reverse proxy, with copy-paste server block additions and explanations for each directive.
  3. CSP Deep Dive: Build a Content Security Policy from scratch for a React SPA that loads Google Analytics, Stripe.js, and CDN fonts — balancing security with functionality.
  4. API Security Headers: Configure headers for a REST API backend — CORS policy, rate limiting headers, and removing server version disclosure.

Guidelines

  • Each header is explained: what attack it prevents and what happens without it
  • Configurations start restrictive and relax only where necessary with documented reasons
  • CSP is built incrementally: start with report-only mode, analyze violations, then enforce
  • HSTS configuration includes preload eligibility requirements and risks of premature enabling
  • X-Frame-Options and the CSP frame-ancestors directive are both addressed for clickjacking prevention
  • Permissions-Policy restricts browser features (camera, mic, geolocation) to necessary origins
  • Server version headers (X-Powered-By, Server) are removed to reduce information leakage
  • Cache-Control headers for sensitive pages prevent browser caching of authenticated content
  • Testing tools are recommended: securityheaders.com, Mozilla Observatory, and curl commands
  • Staging-first deployment is emphasized to avoid breaking production with strict policies
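The kind of audit the guidelines above describe, as an added Python example that is not the listing's or the tool's own code. It evaluates a captured header set against the checks listed (HSTS preload eligibility, enforced vs. report-only CSP, unsafe-inline without a nonce or hash, clickjacking protection, nosniff, Referrer-Policy, Permissions-Policy, version disclosure, and Cache-Control on authenticated pages). The header set, severity labels, message wording and the two sample header dictionaries are assumptions constructed for illustration; the one-year minimum max-age is the HSTS preload list's requirement.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The HSTS preload list requires max-age of at least one year.
HSTS_PRELOAD_MIN_AGE = 31_536_000
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass(frozen=True)
class Finding:
    header: str
    severity: str  # "high", "medium", "low" or "info" (labels are an assumption)
    message: str


def _parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [sources]}, lower-cased."""
    policy: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _check_hsts(value: str | None) -> list[Finding]:
    name = "Strict-Transport-Security"
    if value is None:
        return [Finding(name, "high", "missing; browsers may downgrade to plain HTTP")]
    out: list[Finding] = []
    match = re.search(r"max-age=(\d+)", value, re.I)
    max_age = int(match.group(1)) if match else 0
    tokens = {t.strip().lower() for t in value.split(";")}
    eligible = (max_age >= HSTS_PRELOAD_MIN_AGE
                and "includesubdomains" in tokens and "preload" in tokens)
    if max_age < HSTS_PRELOAD_MIN_AGE:
        out.append(Finding(name, "medium", f"max-age={max_age} is below one year"))
    if "preload" in tokens and not eligible:
        out.append(Finding(name, "medium",
                           "preload present but policy is not preload-eligible "
                           "(needs max-age>=31536000 and includeSubDomains)"))
    return out


def _check_csp(h: dict[str, str]) -> list[Finding]:
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    out: list[Finding] = []
    if enforced is None:
        if report_only is not None:
            out.append(Finding("Content-Security-Policy", "info",
                               "only Report-Only is set; violations are reported, not blocked"))
        else:
            out.append(Finding("Content-Security-Policy", "high",
                               "missing; no CSP mitigation for script injection"))
    policy = _parse_csp(enforced or report_only or "")
    script = policy.get("script-src", policy.get("default-src", []))
    # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline' (kept as a fallback).
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        out.append(Finding("Content-Security-Policy", "medium",
                           "script-src allows 'unsafe-inline' without a nonce or hash"))
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        out.append(Finding("X-Frame-Options", "medium",
                           "neither frame-ancestors nor X-Frame-Options set; page can be framed"))
    return out


def audit_headers(raw_headers: dict[str, str], authenticated: bool = False) -> list[Finding]:
    """Return findings for one response's headers, most severe first."""
    h = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
    findings = _check_hsts(h.get("strict-transport-security")) + _check_csp(h)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "low", "should be 'nosniff'"))
    if "referrer-policy" not in h:
        findings.append(Finding("Referrer-Policy", "low", "missing; full URL leaks in Referer"))
    if "permissions-policy" not in h:
        findings.append(Finding("Permissions-Policy", "low",
                                "missing; camera, microphone and geolocation are not restricted"))
    if "x-powered-by" in h:
        findings.append(Finding("X-Powered-By", "low", f"discloses stack: {h['x-powered-by']!r}"))
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append(Finding("Server", "low", f"discloses version: {h['server']!r}"))
    if authenticated and "no-store" not in h.get("cache-control", "").lower():
        findings.append(Finding("Cache-Control", "medium",
                                "authenticated content is cacheable; use 'no-store'"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.header))
    return findings


# Constructed sample header sets (not captured from any real site).
SAMPLE_WEAK = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Strict-Transport-Security": "max-age=300; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Cache-Control": "private, max-age=0",
}
SAMPLE_STRONG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                               "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    for f in audit_headers(SAMPLE_WEAK, authenticated=True):
        print(f"[{f.severity:6}] {f.header}: {f.message}")
```

To run it against a live site, capture the response headers with `curl -sI` into a dictionary and pass them to `audit_headers`, setting `authenticated=True` for pages served behind a login. The weak sample deliberately sets `preload` with a short max-age to show why the guidelines warn about premature HSTS enabling: the directive is accepted but the policy would be rejected by the preload list.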