security-headers
Security Headers - Defense Against Multiple Attack Types
Why Security Headers Are Critical
Think of security headers as the walls and moat around your castle. Even if attackers get past the gate (your authentication), the walls (headers) prevent them from moving freely or exfiltrating data.
The Browser Security Model
Modern browsers ship with strong defences, but several of the most important ones are opt-in: the server has to request them with a response header. Without those headers, a browser will:
- Let your pages be embedded in an attacker's iframe (clickjacking); `X-Frame-Options` or a Content-Security-Policy `frame-ancestors` directive blocks this
- Execute script from any origin a page references, so one injected `<script>` tag becomes a full compromise (XSS amplification); a Content-Security-Policy `script-src` restriction limits the damage
- Follow plain `http://` links and accept a downgrade to HTTP on later visits (man-in-the-middle attacks); `Strict-Transport-Security` pins the site to HTTPS
- Sniff content types, so a user-uploaded file served as `text/plain` or `image/*` can be reinterpreted as HTML or script (MIME confusion); `X-Content-Type-Options: nosniff` disables sniffing
Security headers are how the server tells the browser: "Enable these protections for my site."
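The following auditor is an added example and is not part of the original skill. It parses a raw HTTP response and checks one header per attack class in the list above; the two responses at the bottom are constructed for illustration, not captured from any real site. The one-year HSTS threshold and the set of "permissive" CSP sources are the example's own assumptions.

```python
"""Audit an HTTP response for the headers the text above says browsers need.

Added example, not part of the original skill: it parses a raw response, then
checks one header per attack class (clickjacking, script origins, downgrade
to HTTP, MIME sniffing). Both responses at the bottom are constructed.
"""
from __future__ import annotations

import re

ONE_YEAR = 31_536_000  # assumed minimum HSTS max-age (one year, in seconds)
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:"}  # assumed: sources that defeat script-src


def parse_response(raw: bytes) -> tuple[int, dict[str, str]]:
    """Return (status, headers) with header names lower-cased.

    Repeated header names are joined with ", " (RFC 9110 list semantics); for
    Content-Security-Policy that yields several comma-separated policies.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, str] = {}
    for line in header_block.decode("latin-1").split("\r\n"):
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return status, headers


def parse_csp(value: str) -> list[dict[str, list[str]]]:
    """Split a CSP header into policies, each a map of directive -> sources.

    Browsers enforce every policy, so a load is allowed only if all allow it.
    Within one policy the first occurrence of a directive wins.
    """
    policies = []
    for policy in value.split(","):
        directives: dict[str, list[str]] = {}
        for part in policy.split(";"):
            tokens = part.split()
            if tokens:
                directives.setdefault(tokens[0].lower(), tokens[1:])
        if directives:
            policies.append(directives)
    return policies


def script_sources_are_strict(sources: list[str]) -> bool:
    """True if a script-src (or default-src fallback) blocks injected scripts."""
    lowered = [s.lower() for s in sources]
    if any(s in PERMISSIVE_SOURCES for s in lowered):
        return False
    # 'unsafe-inline' is ignored by CSP-aware browsers when a nonce or hash
    # source is present, so it only weakens the policy if neither is there.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
    return "'unsafe-inline'" not in lowered or has_nonce_or_hash


def audit(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (attack class, reason) for each protection the response lacks."""
    findings = []
    policies = parse_csp(headers.get("content-security-policy", ""))

    # Clickjacking: frame-ancestors in any policy, or X-Frame-Options DENY/SAMEORIGIN.
    xfo = headers.get("x-frame-options", "").strip().upper()
    if not any("frame-ancestors" in p for p in policies) and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("clickjacking", "no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN"))

    # Script origins: at least one policy must restrict where scripts may come from.
    script_sources = [p.get("script-src", p.get("default-src")) for p in policies]
    script_sources = [s for s in script_sources if s is not None]
    if not script_sources:
        findings.append(("xss amplification", "no CSP script-src or default-src; scripts may load from any origin"))
    elif not any(script_sources_are_strict(s) for s in script_sources):
        findings.append(("xss amplification", "every CSP policy permits wildcard or unguarded inline scripts"))

    # Downgrade to HTTP: HSTS must exist and pin HTTPS for a meaningful period.
    match = re.search(r"max-age\s*=\s*(\d+)", headers.get("strict-transport-security", ""), re.I)
    if not match:
        findings.append(("downgrade to http", "no Strict-Transport-Security header"))
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(("downgrade to http", f"HSTS max-age={match.group(1)} is below one year"))

    # MIME sniffing: nosniff stops the browser reinterpreting a text/plain upload as script.
    if headers.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("mime sniffing", "X-Content-Type-Options: nosniff missing"))
    return findings


def audit_raw(raw: bytes) -> list[tuple[str, str]]:
    return audit(parse_response(raw)[1])


# Constructed responses for illustration (not captured from any real site).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"\r\n<html></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw(raw) or "all four protections present")
```

The weak response produces one finding per attack class in the list; the hardened one produces none. Note that a permissive CSP (`default-src *`) is reported, not just a missing one: a header that is present but wide open gives the same protection as no header at all.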
Real-World Consequences of Missing Headers
According to a 2023 security audit of the top 10,000 websites by Scott Helme, only 2.8% properly implement all recommended security headers. A missing header does not make a site exploitable on its own, but it removes a layer of defence: when a flaw does exist (an XSS sink, a sensitive action reachable inside a frame, a user-controlled upload), nothing in the browser stands between that flaw and its exploitation.