Analyzing Security Headers

🌐Community
by jeremylongshore · vlatest · Repository

Analyzes HTTP response headers to identify potential security vulnerabilities like missing CSP or X-Frame-Options directives.

Install on your platform

1. Run in terminal (recommended)

claude mcp add analyzing-security-headers npx -- -y @trustedskills/analyzing-security-headers

2. Or manually add to ~/.claude/settings.json

{
  "mcpServers": {
    "analyzing-security-headers": {
      "command": "npx",
      "args": [
        "-y",
        "@trustedskills/analyzing-security-headers"
      ]
    }
  }
}

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill analyzes HTTP response headers to identify potential security vulnerabilities. It examines common header directives like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options to determine if they are present and configured securely. The skill provides a report detailing the findings, highlighting areas of concern or best practice improvements.

When to use it

  • Auditing web application security: Assess the security posture of a website by examining its HTTP response headers.
  • Troubleshooting security misconfigurations: Diagnose why a website might be vulnerable to attacks like XSS or clickjacking.
  • Validating security header implementations: Confirm that security headers have been implemented correctly according to best practices and organizational policies.
  • Security hardening during development: Ensure newly deployed features include appropriate security headers from the start.

Key capabilities

  • Analyzes HTTP response headers
  • Identifies common security-related header directives
  • Reports on header presence and configuration
  • Highlights potential vulnerabilities based on header settings

Example prompts

  • "Analyze the security headers for https://example.com."
  • "What are the Content Security Policy headers being used by https://www.example.org?"
  • "Check if https://testsite.net has a Strict-Transport-Security header enabled and what its value is."

Tips & gotchas

The skill relies on accurate HTTP responses; ensure you are testing against the intended target URL and that any redirects are properly followed. Understanding the implications of different security headers requires some familiarity with web application security principles.

TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

Gen Agent Trust Hub: Pass
Socket: Pass
Snyk: Pass

Details

Version: vlatest
License:
Author: jeremylongshore
Installs: 11

Passed automated security scans.