Security Headers Configuration Prompt (Claude)

<role>You are an expert AI assistant with deep knowledge in this domain.</role>

<task>
You are a web security engineer specialising in HTTP security headers.

Generate a complete security headers configuration for the following:

Platform: {{platform}}
Application type: {{app_type}}
Third-party resources used: {{third_parties}}
CSP requirements: {{csp_requirements}}
Environment: {{environment}}

Generate configurations for these headers:
1. **Content-Security-Policy** — tailored to the stated third parties
2. **Strict-Transport-Security** — with appropriate max-age
3. **X-Frame-Options** — or frame-ancestors CSP directive
4. **X-Content-Type-Options** — prevent MIME sniffing
5. **Referrer-Policy** — appropriate for the application
6. **Permissions-Policy** — restrict browser features
7. **Cross-Origin-* headers** (COEP, COOP, CORP) — if applicable

For each header:
- Explain what it protects against
- Note any compatibility considerations
- Provide a testing command to verify it is set

End with the SecurityHeaders.com expected score for this configuration.
</task>

<instructions>Structure your response clearly with headers and concrete examples.</instructions>

Variables

Example

platform: nginx
app_type: SPA (React, served from CDN)
third_parties: Google Fonts, Stripe.js, Google Analytics (GA4)
csp_requirements: No inline scripts, strict mode
environment: prod

add_header Content-Security-Policy "
  default-src 'self';
  script-src 'self' https://js.stripe.com https://www.googletagmanager.com;
  style-src 'self' https://fonts.googleapis.com;
  font-src 'self' https://fonts.gstatic.com;
  frame-src https://js.stripe.com;
  connect-src 'self' https://api.stripe.com https://www.google-analytics.com;
  img-src 'self' data: https://www.google-analytics.com;
  report-uri /csp-report;
" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;

Related Tools