# Security Headers

Use this skill to add baseline browser security headers to HTML responses.

## Acceptance Criteria

- Set `Strict-Transport-Security` on HTTPS sites, for example `max-age=31536000; includeSubDomains; preload`.
- Set `Content-Security-Policy` with a suitable default policy and explicit script, style, image, connect, and frame policies.
- Set `X-Content-Type-Options: nosniff`.
- Set `X-Frame-Options: DENY` or `SAMEORIGIN`, or use CSP `frame-ancestors`.
- Set `Referrer-Policy: strict-origin-when-cross-origin` or a stricter policy when appropriate.

Verify with a fresh header scan or with `curl -I https://example.com` (`-I` sends a HEAD request, so confirm the same headers are present on a GET response if the server treats the two differently).
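As an added example (not part of this skill), the checker below evaluates a response's headers against the acceptance criteria above: HSTS with a one-year `max-age` on HTTPS, a CSP carrying the listed directives, `nosniff`, framing protection via either header, and a Referrer-Policy at least as strict as `strict-origin-when-cross-origin`. The sample header sets are constructed; feed it the headers from your own `curl` output instead.

```python
import re

CSP_REQUIRED = ("default-src", "script-src", "style-src", "img-src", "connect-src", "frame-src")
# strict-origin-when-cross-origin plus the policies that leak less than it does
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers, https=True):
    """Return a list of findings; an empty list means every criterion is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if https:  # HSTS is only honoured by browsers over HTTPS
        m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if not m:
            findings.append("HSTS missing or without max-age")
        elif int(m.group(1)) < 31536000:  # one year, as in the example value above
            findings.append("HSTS max-age shorter than one year")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    findings += [f"CSP lacks {d}" for d in CSP_REQUIRED if csp and d not in csp]
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    # Referrer-Policy may carry fallbacks; browsers apply the last value they understand
    rp = h.get("referrer-policy", "").lower().split(",")[-1].strip()
    if rp not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy '{rp}' is weaker than strict-origin-when-cross-origin")
    return findings

# Constructed sample responses: one meeting the criteria, one that does not
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'; "
                               "img-src 'self' data:; connect-src 'self'; frame-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src *",
        "X-Frame-Options": "ALLOWALL", "Referrer-Policy": "unsafe-url"}
```

`check_headers(GOOD)` returns an empty list, while `check_headers(WEAK)` reports the short HSTS lifetime, every missing CSP directive, the missing `nosniff`, the ineffective framing header and the leaky referrer policy.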
