Security Headers Agent Skill
Security headers — helmet.js, HSTS, X-Frame-Options, Permissions-Policy, referrer control.
The Skill
---
description: Security headers — helmet.js, HSTS, X-Frame-Options, Permissions-Policy, referrer control.
homepage: https://yepapi.com/skills/security-headers
metadata:
  tags: [security, headers, helmet, hsts]
---
# Security Headers
## Rules
- Use `helmet` middleware in Express/Fastify — it sets secure defaults for all critical headers
- HSTS: `max-age=31536000; includeSubDomains; preload` — force HTTPS for one year
- `X-Frame-Options: DENY` — prevent clickjacking by blocking iframe embedding
- `X-Content-Type-Options: nosniff` — stop browsers from MIME-sniffing responses
- `Referrer-Policy: strict-origin-when-cross-origin` — limit referrer leakage to third parties
- `Permissions-Policy` — disable camera, microphone, geolocation unless your app actually needs them
- Remove `X-Powered-By` header — don't advertise your framework
```ts
// Express with helmet
import express from "express";
import helmet from "helmet";

const app = express();

// helmet() also sets X-Content-Type-Options: nosniff, X-Frame-Options and
// removes X-Powered-By by default; CSP, HSTS and Referrer-Policy are tuned here
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "blob:"],
      frameAncestors: ["'none'"], // CSP replacement for X-Frame-Options
    },
  },
  hsts: { maxAge: 31536000, includeSubDomains: true, preload: true },
  referrerPolicy: { policy: "strict-origin-when-cross-origin" },
}));

// helmet does not set Permissions-Policy; add it explicitly
app.use((_req, res, next) => {
  res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
  next();
});
```
```ts
// Next.js headers in next.config.js
const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
];

module.exports = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};
```
## Avoid
- Shipping without HSTS — users on HTTP are vulnerable to SSL stripping attacks
- `X-Frame-Options: ALLOW-FROM` — deprecated, use CSP `frame-ancestors` instead
- Permissive Permissions-Policy — don't grant camera/mic access "just in case"
- Forgetting headers in Next.js — Express middleware doesn't apply, configure in `next.config.js`
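The Rules and Avoid lists above describe what a correct response looks like; the following is an added example (not part of the skill file, helmet.js or Next.js) that turns those rules into a reviewable check. The function names `auditSecurityHeaders`, `parseHsts`, `parseCsp` and `parsePermissionsPolicy` are hypothetical, and the two header sets at the bottom are constructed for the demonstration, not captured from a real server. It can be run against the headers of a staging deployment to confirm that HSTS, framing, sniffing, referrer and Permissions-Policy settings match the rules and that `X-Powered-By` is gone.

```typescript
// Added example: audit a response's security headers against the rules above.
// Header names are matched case-insensitively, as HTTP requires.
type HeaderMap = Record<string, string>;
interface Finding { header: string; problem: string; }

const ONE_YEAR = 31536000;
const SENSITIVE_FEATURES = ["camera", "microphone", "geolocation"];

// Parse "max-age=31536000; includeSubDomains; preload" into its directives
function parseHsts(value: string): { maxAge: number; includeSubDomains: boolean; preload: boolean } {
  const result = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const directive = raw.trim().toLowerCase();
    if (directive.startsWith("max-age=")) {
      const n = Number(directive.slice("max-age=".length).replace(/"/g, ""));
      result.maxAge = Number.isFinite(n) ? n : 0;
    } else if (directive === "includesubdomains") {
      result.includeSubDomains = true;
    } else if (directive === "preload") {
      result.preload = true;
    }
  }
  return result;
}

// Parse a CSP value into directive -> source list
function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Parse "camera=(), microphone=(self)" into feature -> allowlist text ("" means denied)
function parsePermissionsPolicy(value: string): Map<string, string> {
  const features = new Map<string, string>();
  for (const part of value.split(",")) {
    const m = part.trim().match(/^([a-z-]+)=\((.*)\)$/i);
    if (m) features.set(m[1].toLowerCase(), m[2].trim());
  }
  return features;
}

function auditSecurityHeaders(headers: HeaderMap): Finding[] {
  const h: HeaderMap = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings: Finding[] = [];
  const add = (header: string, problem: string) => findings.push({ header, problem });

  // HSTS: present, one year, includeSubDomains
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    add("Strict-Transport-Security", "missing; HTTP users are exposed to SSL stripping");
  } else {
    const p = parseHsts(hsts);
    if (p.maxAge < ONE_YEAR) add("Strict-Transport-Security", `max-age ${p.maxAge} is below one year`);
    if (!p.includeSubDomains) add("Strict-Transport-Security", "includeSubDomains missing");
  }

  // Clickjacking: DENY or CSP frame-ancestors; ALLOW-FROM is deprecated
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : new Map<string, string[]>();
  if (xfo.startsWith("ALLOW-FROM")) {
    add("X-Frame-Options", "ALLOW-FROM is deprecated; use CSP frame-ancestors");
  } else if (xfo !== "DENY" && !csp.has("frame-ancestors")) {
    add("X-Frame-Options", "no framing restriction (DENY or frame-ancestors)");
  }

  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff") {
    add("X-Content-Type-Options", "should be nosniff");
  }
  if (!h["referrer-policy"]) add("Referrer-Policy", "missing");

  // Permissions-Policy: sensitive features must have an empty allowlist
  const pp = h["permissions-policy"] ? parsePermissionsPolicy(h["permissions-policy"]) : new Map<string, string>();
  for (const feature of SENSITIVE_FEATURES) {
    const allow = pp.get(feature);
    if (allow === undefined) add("Permissions-Policy", `${feature} not restricted`);
    else if (allow !== "") add("Permissions-Policy", `${feature} granted to ${allow}`);
  }

  if (h["x-powered-by"]) add("X-Powered-By", "advertises the framework; remove it");
  return findings;
}

// Constructed sample header sets (not captured from a real server)
const hardenedResponse: HeaderMap = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
};
const weakResponse: HeaderMap = {
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
  "Permissions-Policy": "camera=(self), microphone=()",
  "X-Powered-By": "Express",
};
```

Running `auditSecurityHeaders(hardenedResponse)` returns no findings, while `weakResponse` produces eight: a short HSTS lifetime with no `includeSubDomains`, the deprecated `ALLOW-FROM`, missing `nosniff` and `Referrer-Policy`, a camera grant and an unrestricted `geolocation`, and the framework fingerprint in `X-Powered-By`. Each finding maps directly to one line of the Rules or Avoid lists, so the output can be read as a checklist of what still needs configuring.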
Why Use the Security Headers Skill?
Without this skill, your AI guesses at security-header patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Security Headers skill installed. Your AI knows the context and writes code that fits.
"Add all recommended security headers to my Next.js app via next.config.js"
"Set up helmet.js with HSTS, X-Frame-Options, and Content Security Policy"
"Configure Permissions-Policy to disable camera, microphone, and geolocation"
Security Headers skill — FAQ
It provides rules for helmet.js configuration, HSTS enforcement, X-Frame-Options, Permissions-Policy, and referrer control. Your AI sets up all critical security headers correctly on first pass.
Run `npx skills add YepAPI/skills --skill security-headers` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Next.js doesn't use Express middleware, so helmet.js doesn't apply. Instead, configure security headers in next.config.js using the headers() function. The skill covers both Express/helmet and Next.js patterns.