check-secure-headers

# Secure Headers Audit (A05:2021)

Analyze PHP code for missing or misconfigured HTTP security headers.
## Detection Patterns
### 1. Missing Content-Security-Policy (CSP)

```php
// VULNERABLE: No CSP. The browser will execute any injected inline script,
// so a single XSS bug has no second line of defence
class ResponseMiddleware
{
    public function handle(Request $request, Response $response): Response
    {
        // No Content-Security-Policy header
        return $response;
    }
}

// CORRECT: Restrictive allowlist CSP (Symfony HttpFoundation Response API shown).
// 'unsafe-inline' for styles is a concession; move to nonces or hashes once
// inline styles are gone. Never grant it to script-src.
$response->headers->set('Content-Security-Policy',
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
);
```
### 2. Missing X-Frame-Options

```php
// VULNERABLE: Page can be embedded in an iframe on any origin (clickjacking)
// No X-Frame-Options header and no frame-ancestors CSP directive

// CORRECT:
$response->headers->set('X-Frame-Options', 'DENY');
// Or for same-origin iframes:
$response->headers->set('X-Frame-Options', 'SAMEORIGIN');
// Modern browsers give precedence to the CSP frame-ancestors directive when both
// are present; send both so old browsers still get the X-Frame-Options fallback.
```
### 3. Missing HSTS (HTTP Strict Transport Security)

```php
// VULNERABLE: No HSTS. A network attacker can keep the user on plain HTTP
// (SSL stripping) because the browser never learns this host is HTTPS-only

// CORRECT:
$response->headers->set('Strict-Transport-Security',
    'max-age=31536000; includeSubDomains; preload'
);
// Caveats: browsers only honour HSTS received over HTTPS; includeSubDomains
// breaks any subdomain that cannot serve TLS; add preload only after submitting
// the domain to hstspreload.org, since removal from the preload list takes months.
```
### 4. Missing X-Content-Type-Options

```php
// VULNERABLE: Browser may MIME-sniff responses and ignore the declared Content-Type,
// e.g. a user-uploaded file served as text/plain gets sniffed and executed when
// pulled in via <script src>; nosniff makes the browser refuse such mismatches

// CORRECT:
$response->headers->set('X-Content-Type-Options', 'nosniff');
```
### 5. Missing Referrer-Policy

```php
// VULNERABLE: Full URL sent as Referer to external sites
// Leaks sensitive URL parameters (tokens, IDs)

// CORRECT:
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
// Or most restrictive:
$response->headers->set('Referrer-Policy', 'no-referrer');
```
### 6. Missing Permissions-Policy

```php
// VULNERABLE: Browser features available by default
// Camera, microphone, geolocation accessible to the page and any framed content

// CORRECT:
$response->headers->set('Permissions-Policy',
    'camera=(), microphone=(), geolocation=(), payment=()'
);
```
### 7. Insecure Cache Headers on Sensitive Pages

```php
// VULNERABLE: Sensitive page cached by browser or shared proxy; the next user of
// the machine (or the proxy) can read it via the back button or the cache
class AccountController
{
    public function profile(): Response
    {
        // No cache control: profile page cached!
        return new Response($this->render('profile'));
    }
}

// CORRECT: No caching for sensitive pages. no-store is the directive that matters;
// the remaining values and the Pragma/Expires headers are for legacy HTTP/1.0 caches
$response->headers->set('Cache-Control', 'no-store, no-cache, must-revalidate, private');
$response->headers->set('Pragma', 'no-cache');
$response->headers->set('Expires', '0');
```
### 8. Weak CSP Configuration

```php
// VULNERABLE: Overly permissive CSP. Scripts and other resources may load from
// any origin (only inline code, eval and data: URIs remain blocked)
$response->headers->set('Content-Security-Policy', "default-src *");

// VULNERABLE: unsafe-inline lets injected inline scripts run, unsafe-eval lets
// injected strings reach eval()/new Function(); together they defeat the CSP
$response->headers->set('Content-Security-Policy',
    "script-src 'self' 'unsafe-eval' 'unsafe-inline'"
);
```
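The eight patterns above are easier to audit when every header is produced in one place. The following is an added example, not code from the skill or from the awesome-claude-code repository: a framework-agnostic helper that emits the whole header set, uses a per-request nonce so `script-src` needs no `'unsafe-inline'`, sends HSTS only on HTTPS requests, and applies `no-store` to sensitive paths. The class name, the `SENSITIVE_PREFIXES` list and the constructed request values at the bottom are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example: one helper that builds every header from the checklist.
// Runs on plain `php` with no dependencies; class and prefix names are assumed.
final class SecurityHeaders
{
    /** Path prefixes whose responses must never be cached (assumed for the example). */
    private const SENSITIVE_PREFIXES = ['/account', '/admin', '/api/'];

    /** Per-request random nonce; lets script-src drop 'unsafe-inline'. */
    public static function nonce(): string
    {
        return base64_encode(random_bytes(16));
    }

    /**
     * Returns header name => value for one response.
     * $https : request arrived over TLS. HSTS is only sent then: browsers ignore it
     *          on plain HTTP, and a host that cannot serve TLS must never send it.
     * $path  : request path, used to decide whether caching is disabled.
     * $nonce : value from nonce(); must also appear on every <script nonce="..."> tag.
     */
    public static function build(bool $https, string $path, string $nonce): array
    {
        $csp = implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'nonce-{$nonce}'",
            "style-src 'self' 'unsafe-inline'", // tighten to nonces once inline styles are gone
            "img-src 'self' data:",
            "font-src 'self'",
            "connect-src 'self'",
            "object-src 'none'",
            "base-uri 'self'",
            "form-action 'self'",
            "frame-ancestors 'none'",
        ]);

        $headers = [
            'Content-Security-Policy' => $csp,
            'X-Frame-Options'         => 'DENY', // legacy fallback; frame-ancestors wins in modern browsers
            'X-Content-Type-Options'  => 'nosniff',
            'Referrer-Policy'         => 'strict-origin-when-cross-origin',
            'Permissions-Policy'      => 'camera=(), microphone=(), geolocation=(), payment=()',
        ];

        if ($https) {
            // No 'preload' until the domain has actually been submitted to hstspreload.org.
            $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
        }

        if (self::isSensitive($path)) {
            $headers['Cache-Control'] = 'no-store, no-cache, must-revalidate, private';
            $headers['Pragma']        = 'no-cache';
            $headers['Expires']       = '0';
        }

        return $headers;
    }

    public static function isSensitive(string $path): bool
    {
        foreach (self::SENSITIVE_PREFIXES as $prefix) {
            if (str_starts_with($path, $prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Emits the headers with plain header(); swap for $response->headers->set() in Symfony. */
    public static function send(array $headers): void
    {
        foreach ($headers as $name => $value) {
            header("{$name}: {$value}", true);
        }
    }
}

// Demo on constructed request data (no web server needed): an HTTPS request
// for a sensitive path, so both HSTS and the no-store headers appear.
$nonce = SecurityHeaders::nonce();
foreach (SecurityHeaders::build(true, '/account/profile', $nonce) as $name => $value) {
    echo "{$name}: {$value}\n";
}
```

In a real application `build()` would be called from a single response middleware or `kernel.response` listener, and the nonce it receives must be the same one the template engine writes into `<script nonce="...">`; a nonce generated in two places silently falls back to blocking every inline script.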
## Grep Patterns

```
# Security headers being set
Grep: "Content-Security-Policy|X-Frame-Options|Strict-Transport-Security" --glob "**/*.php"
Grep: "X-Content-Type-Options|Referrer-Policy|Permissions-Policy" --glob "**/*.php"

# Middleware/response handling
Grep: "class.*Middleware|function handle.*Response" --glob "**/*.php"
Grep: "headers->set\(|header\(" --glob "**/*.php"

# Framework security configs
Grep: "security.*headers|secure.*headers" --glob "**/*.yaml" --glob "**/*.yml"
Grep: "nelmio_security|security_headers" --glob "**/*.yaml"

# Cache headers on sensitive routes
Grep: "Cache-Control|no-store|no-cache" --glob "**/*.php"

# Weak CSP (a bare \* would match every comment and multiplication; anchor it to a -src directive)
Grep: "unsafe-eval|unsafe-inline|-src \*" --glob "**/*.php"
```

A hit on `unsafe-inline` must be read in context: in `style-src` it is a weakness to note, in `script-src` it is the critical finding.
## Required Headers Checklist

| Header | Value | Purpose |
|---|---|---|
| Content-Security-Policy | default-src 'self' | Prevent XSS, data injection |
| X-Frame-Options | DENY | Prevent clickjacking |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Force HTTPS |
| X-Content-Type-Options | nosniff | Prevent MIME sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer leakage |
| Permissions-Policy | camera=(), microphone=() | Restrict browser features |
| Cache-Control | no-store (on sensitive pages) | Prevent caching secrets |
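The grep patterns find where headers are set in source; they cannot tell you what the server finally emits after a reverse proxy, CDN or framework listener has added, stripped or overridden them. The following is an added example, not code from the skill or the repository: a small audit that parses a captured response header block and checks it against the checklist above, including the weak-CSP cases from pattern 8 and a short HSTS `max-age`. The function names and the sample response at the bottom are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: dynamic check of a captured header block against the checklist.
// parseHeaders/auditHeaders and the sample response are assumptions, not skill code.

/** Parses raw "Name: value" header lines into a lowercase-keyed map; status line is skipped. */
function parseHeaders(string $raw): array
{
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (!str_contains($line, ':')) {
            continue; // "HTTP/1.1 200 OK" or junk
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

/** Returns a list of [severity, message] findings; an empty list means every check passed. */
function auditHeaders(array $h): array
{
    $findings = [];

    $csp = $h['content-security-policy'] ?? null;
    if ($csp === null) {
        $findings[] = ['critical', 'Missing Content-Security-Policy'];
    } else {
        // Split "directive src src; directive src" into directive => [sources].
        $directives = [];
        foreach (explode(';', $csp) as $d) {
            $parts = preg_split('/\s+/', trim($d));
            $directives[strtolower(array_shift($parts))] = $parts;
        }
        // The effective script policy is script-src, falling back to default-src.
        $scriptSrc = $directives['script-src'] ?? $directives['default-src'] ?? [];
        foreach (["'unsafe-eval'", "'unsafe-inline'", '*'] as $weak) {
            if (in_array($weak, $scriptSrc, true)) {
                $findings[] = ['critical', "CSP script source allows {$weak}"];
            }
        }
        if (!isset($directives['frame-ancestors']) && !isset($h['x-frame-options'])) {
            $findings[] = ['major', 'No frame-ancestors directive and no X-Frame-Options'];
        }
    }

    $hsts = $h['strict-transport-security'] ?? null;
    if ($hsts === null) {
        $findings[] = ['critical', 'Missing Strict-Transport-Security'];
    } elseif (!preg_match('/max-age=(\d+)/i', $hsts, $m) || (int) $m[1] < 31536000) {
        $findings[] = ['major', 'HSTS max-age below one year'];
    }

    if (($h['x-content-type-options'] ?? '') !== 'nosniff') {
        $findings[] = ['major', 'Missing X-Content-Type-Options: nosniff'];
    }
    if (!isset($h['referrer-policy'])) {
        $findings[] = ['minor', 'Missing Referrer-Policy'];
    }
    if (!isset($h['permissions-policy'])) {
        $findings[] = ['minor', 'Missing Permissions-Policy'];
    }
    return $findings;
}

// Constructed sample response (not a real capture): script-src allows inline,
// HSTS is one day, X-Content-Type-Options and Permissions-Policy are absent.
$sample = <<<HDR
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Strict-Transport-Security: max-age=86400
Referrer-Policy: no-referrer
HDR;

foreach (auditHeaders(parseHeaders($sample)) as [$severity, $message]) {
    printf("[%s] %s\n", strtoupper($severity), $message);
}
```

To run the same checks against a live endpoint, feed the output of `get_headers($url, true)` into `auditHeaders()` after lowercasing its keys; it already returns a name => value array, so `parseHeaders()` is only needed for raw captures such as a `curl -sI` dump.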
## Severity Classification
| Pattern | Severity |
|---|---|
| Missing CSP | 🔴 Critical |
| Missing HSTS | 🔴 Critical |
| unsafe-eval in CSP | 🔴 Critical |
| Missing X-Frame-Options | 🟠 Major |
| Missing X-Content-Type-Options | 🟠 Major |
| Missing Referrer-Policy | 🟡 Minor |
| Missing Permissions-Policy | 🟡 Minor |
## Output Format
### Secure Headers: [Description]
**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line` or framework config
**CWE:** CWE-693 (Protection Mechanism Failure)
**OWASP:** A05:2021 — Security Misconfiguration
**Missing/Misconfigured Header:**
`Header-Name: expected-value`
**Risk:**
[What attack this enables]
**Fix:**
```php
$response->headers->set('Header-Name', 'secure-value');
```