⚠️

重要前提

安装AI Skills的关键前提是：必须科学上网，且开启TUN模式，这一点至关重要，直接决定安装能否顺利完成，在此郑重提醒三遍：科学上网，科学上网，科学上网。查看完整安装教程 →

HTTP安全头部配置指南：HSTS、CSP、X-Frame-Options防御浏览器攻击

security-headers-configuration by secondsky/claude-skills

67 周安装量

90 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/secondsky/claude-skills --skill security-headers-configuration

Node.js Web应用安全

🇨🇳中文介绍

安全头部配置

实施 HTTP 安全头部以防御常见的基于浏览器的攻击。

核心头部

头部	用途	值
HSTS	强制使用 HTTPS	`max-age=31536000; includeSubDomains`
CSP	限制资源加载	`default-src 'self'`
X-Frame-Options	防止点击劫持	`DENY`
X-Content-Type-Options	防止 MIME 类型嗅探	`nosniff`

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

相关 Skills

Azure RBAC 权限管理工具：查找最小角色、创建自定义角色与自动化分配

148,200 周安装

OpenClaw 安全 Linux 云部署指南：私有优先、SSH隧道、Podman容器化

48,800 周安装

Linux云主机安全托管指南：从SSH加固到HTTPS部署

48,600 周安装

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

45,900 周安装

const helmet = require('helmet');

app.use(helmet());

// 自定义 CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

安全头部检查清单

启用 HSTS 并设置较长的 max-age
配置并测试 CSP
将 X-Frame-Options 设置为 DENY
将 X-Content-Type-Options 设置为 nosniff
配置 Referrer-Policy
通过 Permissions-Policy 禁用未使用的功能

查看 references/python-apache.md 以获取：

Python Flask 安全头部中间件
Flask-Talisman 库配置
Apache .htaccess 配置
头部测试脚本

永久将 CSP 设置为仅报告模式
使用过于宽松的策略
更改后忘记测试
未在 HSTS 中包含所有子域名

🇺🇸English

Security Headers Configuration

Implement HTTP security headers to defend against common browser-based attacks.

Essential Headers

Header	Purpose	Value
HSTS	Force HTTPS	`max-age=31536000; includeSubDomains`
CSP	Restrict resources	`default-src 'self'`
X-Frame-Options	Prevent clickjacking	`DENY`
X-Content-Type-Options	Prevent MIME sniffing	`nosniff`

Express Implementation

const helmet = require('helmet');

app.use(helmet());

// Custom CSP
app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'"],
    scriptSrc: ["'self'", "'unsafe-inline'"],
    styleSrc: ["'self'", "'unsafe-inline'"],
    imgSrc: ["'self'", "data:", "https:"],
    connectSrc: ["'self'", "https://api.example.com"],
    fontSrc: ["'self'", "https://fonts.gstatic.com"],
    frameAncestors: ["'none'"]
  }
}));

Nginx Configuration

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;

Verification Tools

Security Headers Checklist

HSTS enabled with long max-age
CSP configured and tested
X-Frame-Options set to DENY
X-Content-Type-Options set to nosniff
Referrer-Policy configured
Permissions-Policy disables unused features

Additional Implementations

See references/python-apache.md for:

Python Flask security headers middleware
Flask-Talisman library configuration
Apache .htaccess configuration
Header testing script

Common Mistakes

Setting CSP to report-only permanently
Using overly permissive policies
Forgetting to test after changes
Not including all subdomains in HSTS

Weekly Installs

Repository

secondsky/claude-skills

GitHub Stars

First Seen

Jan 25, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykWarn

Installed on

claude-code58

gemini-cli54

opencode53

codex52

cursor52

github-copilot49

浏览器自动化策略指南：何时及如何使用实时浏览器会话进行网页调试与研究

45,600 周安装