Installation

Open Claude Code and run this command:

/plugin install security-headers-analyzer@claude-code-plugins-plus

Use --global to install for all projects, or --project for current project only.

What It Does

Analyze and validate HTTP security headers to protect against common web vulnerabilities.

Features

Comprehensive Header Analysis - Check all major security headers
Best Practice Recommendations - Industry-standard configurations
Header Scoring - Grade security posture (A+ to F)
Missing Header Detection - Identify gaps
Misconfiguration Warnings - Flag weak or incorrect settings

Skills (1)

analyzing-security-headers SKILL.md View full skill →

Analyze HTTP security headers of web domains to identify vulnerabilities and misconfigurations.

ReadWebFetchWebSearchGrep

Analyzing Security Headers

Overview

Evaluate HTTP response headers for web applications against OWASP Secure Headers Project recommendations and browser security baselines. Identify missing, misconfigured, or information-leaking headers across both HTTP and HTTPS responses.

Prerequisites

Target URL or domain name accessible over the network
Authorization to perform HTTP requests against the target domain
Network connectivity for both HTTP and HTTPS protocols
Optional: write access to ${CLAUDESKILLDIR}/security-reports/ for persisting results

Instructions

Accept the target domain. If only a domain name is provided, default to https://. For batch analysis, accept a newline-separated list.
Fetch response headers using WebFetch for both HTTP and HTTPS endpoints. Record the full redirect chain and final destination URL.
Evaluate critical headers -- flag any that are missing or misconfigured:

Strict-Transport-Security: require max-age>=31536000, includeSubDomains, and preload eligibility
Content-Security-Policy: check for unsafe-inline, unsafe-eval, overly broad default-src, and missing frame-ancestors
X-Frame-Options: require DENY or SAMEORIGIN
X-Content-Type-Options: require nosniff
Permissions-Policy: verify camera, microphone, geolocation restrictions

Evaluate important headers -- report status and recommendations:

Referrer-Policy: recommend strict-origin-when-cross-origin or no-referrer
Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Resource-Policy (CORP)

Check for information disclosure -- flag Server, X-Powered-By, X-AspNet-Version, and any header revealing technology stack or version numbers.
Inspect cookie attributes on Set-Cookie headers: verify Secure, HttpOnly, SameSite=Lax|Strict, and Host-/Secure- prefix usage.
Calculate a security grade: A+ (95-100), A (85-94), B (75-84), C (65-74), D (50-64), F (<50) based on weighted presence and correctness of each header.
Generate per-header remediation directives with configuration examples for Nginx, Apache, and Cloudflare.

See ${CLAUDESKILLDIR}/references/implementation.md for the five-phase implementation workflow.

Output

Headers Analysis Report

How It Works

/analyze-headers /headers

Ready to use security-headers-analyzer?

Related Plugins

access-control-auditor

Audit access control implementations

authentication-validator

Validate authentication implementations

compliance-report-generator

Generate compliance reports

cors-policy-validator

Validate CORS policies

csrf-protection-validator

Validate CSRF protection

data-privacy-scanner

Scan for data privacy issues

Tags
securitycomplianceauditing