Sets up the full suite of browser security headers through Next.js middleware: CSP with dynamic Clerk/Convex/Stripe origins, X-Frame-Options to block clickjacking, X-Content-Type-Options to prevent MIME sniffing attacks, and HSTS for production HTTPS enforcement. The approach here is environment-aware CSP that pulls domains from env vars rather than hardcoding them, which is cleaner for multi-environment setups. It includes unsafe-inline and unsafe-eval for Next.js compatibility, which is a practical tradeoff most apps make. Use this when you need defense-in-depth headers configured correctly from the start, especially if you're integrating third-party auth or payments and want to whitelist only what's necessary.
npx skills add https://github.com/harperaa/secure-claude-skills --skill security-headers
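The pattern the description sketches, an environment-aware CSP assembled from env vars and emitted alongside the other headers, looks roughly like this. This is an added illustration, not code from the skill or the secure-claude-skills repository; the env var names `CLERK_ORIGINS`, `CONVEX_ORIGINS` and `STRIPE_ORIGINS`, the host names, and the exact directive layout are assumptions, and the middleware wiring is shown only in a comment so the block runs on its own with plain Node.

```javascript
// Added example (not the skill's own code): build the browser security headers
// described above from environment variables. Env var names and origins below
// are assumptions chosen for illustration.

// Split a comma-separated env var into origins. Only https origins (optionally
// with one leading wildcard label) are accepted, so a stray http:// entry or a
// bare "*" cannot silently widen the policy.
function parseOrigins(value) {
  const origins = (value || "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean);
  for (const origin of origins) {
    if (!/^https:\/\/(\*\.)?[A-Za-z0-9.-]+(:\d+)?$/.test(origin)) {
      throw new Error(`refusing non-https or wildcard CSP origin: ${origin}`);
    }
  }
  return origins;
}

// Build the Content-Security-Policy value. `env` is a plain object standing in
// for process.env so the example can run offline.
function buildCsp(env, { allowUnsafe = true } = {}) {
  const clerk = parseOrigins(env.CLERK_ORIGINS);   // assumed var name
  const convex = parseOrigins(env.CONVEX_ORIGINS); // assumed var name
  const stripe = parseOrigins(env.STRIPE_ORIGINS); // assumed var name

  // 'unsafe-inline' / 'unsafe-eval' are the Next.js compatibility tradeoff the
  // description mentions; allowUnsafe:false shows the stricter form.
  const scriptExtras = allowUnsafe ? ["'unsafe-inline'", "'unsafe-eval'"] : [];

  const directives = {
    "default-src": ["'self'"],
    "script-src": ["'self'", ...scriptExtras, ...clerk, ...stripe],
    "connect-src": ["'self'", ...clerk, ...convex, ...stripe],
    "frame-src": ["'self'", ...clerk, ...stripe],
    "img-src": ["'self'", "data:", "blob:", ...clerk],
    "style-src": ["'self'", "'unsafe-inline'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
    "frame-ancestors": ["'none'"],
  };
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(" ")}`)
    .join("; ");
}

// Full header set. HSTS is only emitted in production so local http dev servers
// are not pinned to HTTPS by a cached header.
function buildSecurityHeaders(env, options) {
  const headers = {
    "Content-Security-Policy": buildCsp(env, options),
    "X-Frame-Options": "DENY",           // clickjacking, for browsers without frame-ancestors
    "X-Content-Type-Options": "nosniff", // MIME-type sniffing
  };
  if (env.NODE_ENV === "production") {
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
  }
  return headers;
}

// Constructed sample environment (not real deployment values).
const demoEnv = {
  NODE_ENV: "production",
  CLERK_ORIGINS: "https://clerk.example.com",
  CONVEX_ORIGINS: "https://convex.example.com, https://ws.convex.example.com",
  STRIPE_ORIGINS: "https://js.stripe.com",
};

// Wiring into Next.js middleware (shown as a comment; not executed here):
//   // middleware.ts
//   import { NextResponse } from "next/server";
//   export function middleware() {
//     const res = NextResponse.next();
//     for (const [k, v] of Object.entries(buildSecurityHeaders(process.env))) {
//       res.headers.set(k, v);
//     }
//     return res;
//   }

console.log(buildSecurityHeaders(demoEnv));
```

Because the origin list is validated at build time, a misconfigured deployment fails loudly on first request instead of shipping a CSP that quietly allows an http or wildcard source; the `allowUnsafe` switch makes it easy to see exactly which directives the Next.js compatibility tradeoff loosens.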