{"id":"bad5dddc-d5a9-45d6-8e74-a9c489fe8184","shortId":"EjsNdS","kind":"skill","title":"security-baseline","tagline":"Establish a security baseline for a website or web app. Use this skill when configuring HTTPS and TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, or hardening a site before launch. Triggers on security headers, HT","description":"# Security Baseline\n\nEstablish the security floor for any production website or web app. Stack-agnostic. Covers the things that should be in place before public launch and verified periodically after.\n\n---\n\n## When to use\n\n- Pre-launch security review\n- Setting up a new site or environment\n- Periodic security audit (quarterly recommended)\n- Onboarding a new vendor or third-party integration\n- Responding to a security finding or report\n- Hardening after an incident\n\n## When NOT to use\n\n- Active incident response (use `incident-response`)\n- Code-level security review (use `code-review-web`)\n- Email-specific authentication (SPF/DKIM/DMARC) (use `email-deliverability`)\n- DNS-level security (CAA, DNSSEC) (use `domain-strategy`)\n- Performance-related security (DDoS protection sizing) (use `performance-optimization`)\n\n---\n\n## Required inputs\n\n- The site or app in scope (URLs, environments)\n- The hosting platform and CDN\n- Authentication method (if any)\n- Third-party scripts and integrations\n- Compliance context (PCI, SOC2, GDPR, etc., if applicable)\n- Existing security tooling\n\n---\n\n## The framework: 6 layers\n\nSecurity is layered. Each layer addresses a different attack surface.\n\n### Layer 1: Transport security\n\nHow data moves from server to client.\n\n- HTTPS everywhere. No HTTP variant serves content; plain HTTP only redirects to HTTPS.\n- TLS 1.2 minimum, TLS 1.3 preferred. Disable TLS 1.0 and 1.1.\n- HSTS (Strict-Transport-Security) header set, with `includeSubDomains` and `preload` for high-confidence sites. HSTS only takes effect after the first HTTPS visit, so the redirect still matters.\n- Strong cipher suites only. 
Modern browsers negotiate the rest if you pick a modern configuration from your provider (the Mozilla SSL Configuration Generator profiles are a good source).\n- Certificates from a trusted CA, monitored for expiration. Automate renewal (ACME) so expiry alerts are a backstop, not the process.\n\n### Layer 2: Response headers\n\nWhat the browser is told about your site.\n\n| Header | Purpose | Default value |\n|---|---|---|\n| `Strict-Transport-Security` | Force HTTPS | `max-age=31536000; includeSubDomains` |\n| `Content-Security-Policy` | Restrict resource loading | Site-specific |\n| `X-Content-Type-Options` | Prevent MIME sniffing | `nosniff` |\n| `X-Frame-Options` | Clickjacking protection (legacy; prefer CSP `frame-ancestors`) | `DENY` or `SAMEORIGIN` |\n| `Referrer-Policy` | Control referrer info | `strict-origin-when-cross-origin` |\n| `Permissions-Policy` | Control browser features | Site-specific (camera, mic, etc.) |\n| `Cross-Origin-Opener-Policy` | Process isolation | `same-origin` (where compatible) |\n| `Cross-Origin-Embedder-Policy` | Cross-origin restrictions | `require-corp` (where applicable) |\n\nSet these on every response, including error pages and API responses, not only on the HTML document. CSP deserves its own attention. See the Content Security Policy section below.\n\n### Layer 3: Authentication and authorization\n\nHow users prove who they are and what they can do.\n\n- Strong password requirements (length over complexity rules; allow long passphrases; reject passwords found in breach lists)\n- Account lockout or rate limiting on login\n- 2FA available, required for admin accounts (prefer phishing-resistant methods such as WebAuthn/passkeys)\n- Session cookies: short-lived, with the `Secure`, `HttpOnly` and `SameSite` attributes\n- Logout invalidates the session server-side, not just client-side\n- Password reset flows that don't reveal account existence (same response for known and unknown addresses)\n- Authorization checked on every request, server-side (don't rely on UI hiding; test with a second user's IDs to catch horizontal access)\n\n### Layer 4: Input handling\n\nHow untrusted input is processed.\n\n- Validate on the server (client validation is UX, not security)\n- Parameterized queries for any database access (no string concatenation into SQL)\n- Output encoding by context (HTML, JS, URL, CSS)\n- File upload restrictions (type, size, location, scanning); serve uploads from a separate origin\n- Rate limiting on endpoints that could be abused\n- CSRF tokens on state-changing requests (`SameSite` cookies help but are not a replacement)\n\n### Layer 5: Secrets 
management\n\nWhere credentials and keys live.\n\n- No secrets in code, config files in repos, or environment variables baked into images (`ENV` in a Dockerfile ends up in the image metadata)\n- Secrets in a dedicated secrets manager, injected at runtime\n- Different secrets per environment (no shared dev/prod secrets)\n- Rotation schedule documented and followed\n- Audit log of secret access\n- Limited blast radius (each service has its own credentials, scoped narrowly)\n- Secret scanning on the repository and in CI, so a leaked credential is caught before it ships\n\n### Layer 6: Operational security\n\nHow the team operates.\n\n- Access controls reviewed quarterly (offboard immediately on departure)\n- 2FA enforced on every admin account (hosting, DNS, registrar, code host, deploy tools)\n- Audit logs enabled and reviewed\n- Vulnerability scanning (dependencies, containers, infrastructure)\n- Patch cadence defined\n- Incident response runbook exists (see `incident-response`)\n- Backups exist and are tested (see `backup-and-disaster-recovery`)\n- Security contact published (security.txt at /.well-known/security.txt, per RFC 9116)\n\n---\n\n## Content Security Policy\n\nCSP is the most powerful response header and the most often misconfigured. Worth its own treatment.\n\n### What CSP does\n\nCSP tells the browser which sources are allowed for various resource types: scripts, styles, images, frames, connections, etc. A strict CSP blocks most XSS payloads even when input handling has bugs: injected markup cannot execute script without a valid nonce.\n\n### Two flavors\n\n**Strict CSP (recommended):** uses `nonce-` or `hash-` based source allowlists. Inline scripts must be explicitly allowed via nonce.\n\n```\nContent-Security-Policy: script-src 'self' 'nonce-{random}' 'strict-dynamic'; object-src 'none'; base-uri 'self';\n```\n\nThe nonce must be unguessable (at least 128 bits from a CSPRNG) and fresh for every response; a reused nonce is equivalent to `unsafe-inline`. With `'strict-dynamic'`, CSP3 browsers ignore `'self'` and any host sources in `script-src`: scripts loaded by a nonced script are trusted transitively, and the host list only serves as a fallback for older browsers. Add `frame-ancestors` to the same policy for clickjacking defense.\n\n**Allowlist CSP (legacy):** lists allowed domains. Easier to set up, much weaker: any JSONP endpoint on an allowed host turns into a script-execution bypass.\n\n```\nContent-Security-Policy: script-src 'self' https://trusted.com; ...\n```\n\nStrict CSP requires application changes (every inline script needs a nonce). The investment pays off.\n\n### Roll out CSP gradually\n\n1. 
Start with `Content-Security-Policy-Report-Only` to log violations without blocking.\n2. Set up a violation report endpoint (`report-to` / `report-uri`) and expect noise from browser extensions.\n3. Watch for legitimate violations (third-party scripts, inline handlers).\n4. Tune the policy.\n5. Switch to enforcing mode once the remaining reports are noise (extensions, scanners) rather than your own resources.\n6. Continue monitoring violation reports for new issues; when tightening an enforced policy, send the stricter version as Report-Only alongside it first.\n\n### Common CSP mistakes\n\n- `unsafe-inline` in script-src. Defeats most of CSP's value (browsers ignore it only when a nonce or hash is also present).\n- `unsafe-eval` in script-src. Often required by older libraries; refactor or replace.\n- Wildcard sources (`*`) or bare scheme sources (`https:`) in script-src. Defeats the policy.\n- Allowing CDNs that host arbitrary user content. Attackers can upload scripts to the CDN.\n- Allowing hosts that expose JSONP endpoints. They return attacker-chosen callbacks as script.\n- Not restricting `frame-ancestors`. Use this for clickjacking defense (more flexible than `X-Frame-Options`).\n- Omitting `object-src 'none'` and `base-uri`. Plugins and injected `<base>` tags are script-execution paths too.\n\n---\n\n## Workflow\n\n### Step 1: Run a baseline scan\n\nUse a free scanner: securityheaders.com, observatory.mozilla.org. Get a current grade. This is the floor. Scanners only see response headers; they say nothing about Layers 3 to 6.\n\n### Step 2: Inventory the surface\n\n- Domains and subdomains in scope\n- Public endpoints (forms, APIs)\n- Authentication entry points\n- Admin interfaces\n- Third-party integrations and their permissions\n\n### Step 3: Audit each layer\n\nWalk the 6 layers in order.\n
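
Added worked example for Step 1, Step 3 and the Content Security Policy section; it is not part of this skill or the rampstackco repository. It builds the strict nonce-based policy the skill recommends and audits one response's headers and Set-Cookie values against Layers 1 to 3, returning findings in the high/medium/low form Step 4 expects. Function names, severity strings, thresholds and the two sample responses are this example's own; the samples are constructed, not captured from any real site.

```python
import re
import secrets

# A finding is (severity, message); severities follow the high/medium/low
# triage of Step 4. Names, messages and thresholds are this example's own.
Finding = tuple[str, str]
ONE_YEAR = 31536000  # the HSTS max-age from the Layer 2 table


def make_nonce() -> str:
    """Per-response nonce: 128 bits from the CSPRNG, base64url so it is valid
    in the header. Generate a fresh one for every response, never reuse."""
    return secrets.token_urlsafe(16)


def strict_csp(nonce: str) -> str:
    """The nonce-based strict policy from the skill, plus frame-ancestors.
    CSP3 browsers ignore 'self' once 'strict-dynamic' is present; it only
    acts as a fallback for older browsers."""
    return "; ".join([
        f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [sources]}; sources keep their quotes."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(headers: dict[str, str], cookies=()) -> list[Finding]:
    """Check one response against Layers 1 to 3. `headers` maps name to value
    (matched case-insensitively); `cookies` holds the raw Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[Finding] = []

    # Layer 1: HSTS present, at least one year, covering subdomains.
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not age:
        findings.append(("high", "HSTS not set"))
    else:
        if int(age.group(1)) < ONE_YEAR:
            findings.append(("medium", "HSTS max-age below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("medium", "HSTS without includeSubDomains"))

    # Layer 2: CSP script sources, plugin blocking, and the default headers.
    policy: dict[str, list[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "CSP not set"))
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if not scripts:
            findings.append(("high", "CSP has no script-src or default-src"))
        if "'unsafe-inline'" in scripts and not nonce_or_hash:
            findings.append(("high", "CSP script-src allows unsafe-inline"))
        if "'unsafe-eval'" in scripts:
            findings.append(("medium", "CSP script-src allows unsafe-eval"))
        if "*" in scripts:
            findings.append(("high", "CSP script-src allows wildcard"))
        if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
            findings.append(("medium", "CSP does not block plugins (object-src)"))
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append(("medium", "no clickjacking defense (frame-ancestors or X-Frame-Options)"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options missing"))
    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy missing"))

    # Layer 3: every cookie needs Secure, HttpOnly and SameSite.
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for attr, sev in (("secure", "high"), ("httponly", "high"), ("samesite", "medium")):
            if attr not in attrs:
                findings.append((sev, f"cookie {name} missing {attr}"))
    return findings


# Constructed sample responses, not captured from any real site.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
    "X-Frame-Options": "SAMEORIGIN",
}
WEAK_COOKIES = ["session=abc123; Path=/"]
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


def hardened_headers(nonce: str) -> dict[str, str]:
    """A response that passes every check here; values from the Layer 2 table."""
    return {
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        "Content-Security-Policy": strict_csp(nonce),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }


if __name__ == "__main__":
    for sev, msg in audit_headers(WEAK_HEADERS, WEAK_COOKIES):
        print(f"[{sev}] {msg}")
    print("hardened:", audit_headers(hardened_headers(make_nonce()), HARDENED_COOKIES))
```

Feed it the headers from a real response (for example the output of `curl -sI` on each URL) and an empty list means the response meets the checked subset of the baseline. It inspects one response only, so run it against the HTML document, an API route and an error page, since the failure pattern of headers set on the home page but not on errors is common.
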
For each layer, document:\n- What's in place\n- What's missing\n- Risk level (high, medium, low)\n\n### Step 4: Prioritize\n\nHigh risk, easy fixes go first:\n- HSTS not set\n- Default headers missing\n- Admin without 2FA\n- Old TLS versions enabled\n\nMedium risk, medium fixes next:\n- CSP rollout\n- Input validation gaps\n- Secret management improvements\n\nLow risk, nice-to-haves last:\n- Permissions-Policy refinements\n- Optional headers (Cross-Origin-* family)\n\n### Step 5: Implement and verify\n\nFor each fix:\n- Make the change\n- Test in a non-production environment\n- Verify with a scanner\n- Roll out\n- Re-verify in production (CDNs and proxies can strip or override headers, so check the response the browser actually receives)\n\n### Step 6: Set up monitoring\n\n- Certificate expiration alerts\n- CSP violation reporting\n- Failed login monitoring\n- Unusual admin activity alerts\n- Dependency vulnerability alerts (Dependabot, Snyk, or equivalent)\n\n### Step 7: Document the baseline\n\nWrite a security baseline document. It says what's expected on every site:\n- Required headers\n- Required configurations\n- Required practices\n\nNew sites get audited against this. Existing sites get re-audited periodically.\n\n### Step 8: Schedule review\n\nQuarterly is the floor. Add reviews after major changes or incidents.\n\n---\n\n## Common compliance touchpoints\n\nNot legal advice. Surfaces where the security baseline meets compliance requirements:\n\n- **PCI DSS** (if handling payment cards): much more involved than the baseline. The baseline is a starting point, not sufficient.\n- **SOC 2:** baseline aligns with most CC controls (CC6 series). Documented baseline plus evidence of execution is the audit ask.\n- **GDPR / privacy regs:** baseline supports security obligations (Article 32). Privacy is broader than security.\n- **HIPAA, HITRUST, FedRAMP:** baseline is necessary, far from sufficient. 
Get specialized help.\n\nWhen compliance applies, the baseline is necessary but not the full answer.\n\n---\n\n## Failure patterns\n\n**HSTS without `includeSubDomains`.** A subdomain not covered by HSTS can still be loaded over plain HTTP, and an attacker on the network can inject or read cookies scoped to the parent domain from there.\n\n**HSTS preload without commitment.** Once preloaded, removal takes months to propagate through browser releases. Don't preload until HTTPS is solid across all subdomains for good.\n\n**CSP with `unsafe-inline`.** Defeats most of CSP. Either go strict (nonce-based) or accept that CSP is providing limited protection.\n\n**Default headers missing.** `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy` are easy and free. Set them.\n\n**Admin without 2FA.** The single most common high-impact vulnerability across small teams. Fix today.\n\n**Secrets in environment variables baked into images.** Anyone with image access (registry pulls, `docker inspect`, CI logs) has the secrets. Use a runtime secret manager.\n\n**No security.txt.** Researchers find issues; they need somewhere to report. Publish a security.txt at /.well-known/security.txt.\n\n**Old TLS versions enabled.** Disable TLS 1.0 and 1.1. Most providers offer this as a checkbox.\n\n**Allowlisted CDN serving user-uploaded content.** Anyone who can upload to that origin can host a script your CSP permits. Audit the allowlist against the resources actually loaded, and prefer nonces to host allowlists.\n\n**No incident response plan.** When (not if) something happens, no runbook = chaos. See `incident-response`.\n\n**Vulnerability scanning without remediation.** Reports pile up. The scan is theater unless someone fixes findings.\n\n**Penetration test ignored.** Pen test report sits on a shelf. 
Test results without remediation are worse than no test: the gaps are now documented and known, and still open.\n\n---\n\n## Output format\n\nA security baseline document includes:\n\n- **Inventory:** what's in scope\n- **Layer-by-layer status:** what's in place, what's missing\n- **Required headers:** with values, applied per environment\n- **Required configurations:** TLS, secrets, auth\n- **Required operational practices:** access reviews, patch cadence, audit logging\n- **Findings:** prioritized list of gaps\n- **Remediation plan:** owners, dates\n- **Re-audit cadence:** when this is reviewed next\n\n---\n\n## Reference files\n\n- [`references/headers-checklist.md`](references/headers-checklist.md): A copy-paste checklist of recommended security headers with example values, organized by tier of importance.","tags":["security","baseline","claude","skills","rampstackco","agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude-code","claude-skills"],"capabilities":["skill","source-rampstackco","skill-security-baseline","topic-agent-skills","topic-anthropic","topic-awesome-claude-code","topic-awesome-claude-prompts","topic-awesome-claude-skills","topic-claude","topic-claude-code","topic-claude-skills","topic-good-first-issue","topic-mcp","topic-product-management","topic-seo"],"categories":["claude-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/rampstackco/claude-skills/security-baseline","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add rampstackco/claude-skills","source_repo":"https://github.com/rampstackco/claude-skills","install_from":"skills.sh"}},"qualityScore":"0.540","qualityRationale":"deterministic score 0.54 from registry signals: · indexed on github topic:agent-skills · 181 github stars · SKILL.md body (10,566 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:55:19.654Z","embedding":null,"createdAt":"2026-04-30T01:01:29.741Z","updatedAt":"2026-05-18T18:55:19.654Z","lastSeenAt":"2026-05-18T18:55:19.654Z","tsv":null,"prices":[{"id":"8405341b-b0ba-4c35-966f-ece14c12e723","listingId":"bad5dddc-d5a9-45d6-8e74-a9c489fe8184","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"rampstackco","category":"claude-skills","install_from":"skills.sh"},"createdAt":"2026-04-30T01:01:29.741Z"}],"sources":[{"listingId":"bad5dddc-d5a9-45d6-8e74-a9c489fe8184","source":"github","sourceId":"rampstackco/claude-skills/security-baseline","sourceUrl":"https://github.com/rampstackco/claude-skills/tree/main/skills/security-baseline","isPrimary":false,"firstSeenAt":"2026-04-30T01:01:29.741Z","lastSeenAt":"2026-05-18T18:55:19.654Z"}],"details":{"listingId":"bad5dddc-d5a9-45d6-8e74-a9c489fe8184","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"rampstackco","slug":"security-baseline","github":{"repo":"rampstackco/claude-skills","stars":181,"topics":["agent-skills","anthropic","awesome-claude-code","awesome-claude-prompts","awesome-claude-skills","claude","claude-code","claude-skills","good-first-issue","mcp","product-management","seo","show-hn","showcase","showdev","web-design","web-development"],"license":"mit","html_url":"https://github.com/rampstackco/claude-skills","pushed_at":"2026-05-10T22:40:22Z","description":"Stack-agnostic Claude Skills covering the full website lifecycle: brand, design, content, SEO, dev, ops, growth, and research. 
Build, ship, audit, optimize.","skill_md_sha":"bd3f1ec0789db5d46a7773173ff282e23243b874","skill_md_path":"skills/security-baseline/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/rampstackco/claude-skills/tree/main/skills/security-baseline"},"layout":"multi","source":"github","category":"claude-skills","frontmatter":{"name":"security-baseline","description":"Establish a security baseline for a website or web app. Use this skill when configuring HTTPS and TLS, setting security headers, planning secrets management, evaluating CSP policies, doing a basic security audit, or hardening a site before launch. Triggers on security headers, HTTPS, TLS, CSP, content security policy, HSTS, secrets management, vulnerability scan, security audit, harden, OWASP, security baseline. Also triggers when a security review is required for compliance or before going live."},"skills_sh_url":"https://skills.sh/rampstackco/claude-skills/security-baseline"},"updatedAt":"2026-05-18T18:55:19.654Z"}}