ask-claude-to-audit-your-http-security-headers

HTTP security headers like Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy are easy to overlook until something goes wrong. Claude can audit your current setup and tell you exactly what's missing or misconfigured.

Here's my Express middleware setup. Audit it for security header issues, 
tell me what's missing or weakly configured, and suggest what to add:

app.use(helmet());
app.use((req, res, next) => {
  res.setHeader('X-Frame-Options', 'DENY');
  next();
});

Claude will review what helmet() provides by default, flag headers that are absent or set too loosely, and suggest additions like a Content-Security-Policy tailored to your app's specific needs. It also explains why each header matters and what attacks it prevents — clickjacking, MIME sniffing, cross-origin leaks, and so on.

For Laravel apps, paste your middleware or bootstrap/app.php. For Nginx, paste your server {} block. Claude adapts to your stack.

Generate a strict Content-Security-Policy for a React SPA that:
- Loads assets from a CDN at assets.example.com
- Uses an inline Google Fonts stylesheet
- Makes API calls to api.example.com

Claude will produce a CSP header you can drop straight into your config, with nonce or hash suggestions for any inline scripts.

Security headers are a five-minute fix that prevents a whole class of attacks — let Claude tell you which ones you're missing.
