agentskills.codes

security-headers

Generated code must be aligned with the security headers (e.g. no unsafe JS `eval`). The Permissions-Policy header is especially relevant when changing any code related to the `navigator` object.

Install

mkdir -p .claude/skills/security-headers && curl -L -o skill.zip "https://agentskills.codes/api/skills/download/16005" && unzip -o skill.zip -d .claude/skills/security-headers && rm skill.zip

Installs to .claude/skills/security-headers

Activation

This is the description your AI agent reads to decide when to run this skill — the better it matches your request, the more reliably it fires.

Generated code must be aligned with the security headers (e.g. no unsafe JS `eval`). The Permissions-Policy header is especially relevant when changing any code related to the `navigator` object.

About this skill

Security headers

Preview

Start local server with production build and applied security headers:

yarn workspace @trezor/suite-web preview

Build & Preview

Build web app and run the preview command:

yarn workspace @trezor/suite-web build:preview

or

root level command:

yarn suite:build:web:preview

Security Headers

Permissions-Policy Rationale (Enabled Directives)

  • usb=(self):
    • packages/connect/src/index-browser.ts (window.navigator.usb.requestDevice(...))
    • packages/transport/src/transports/webusb.browser.ts
  • camera=(self):
    • packages/suite/src/components/suite/modals/ReduxModal/UserContextModal/QrScannerModal/CameraQRReader.tsx (react-zxing camera scanner used for QR input)
  • clipboard-write=(self):
    • packages/dom-utils/src/copyToClipboard.ts (navigator.clipboard.writeText(...))
    • packages/analytics-docs/src/components/AddEventModal/CopyButton.tsx
    • packages/analytics-docs/src/components/EventCard.tsx
  • local-network-access=(self):
    • packages/suite/src/hooks/suite/useLocalNetworkAccessPermission.ts (navigator.permissions.query({ name: 'local-network-access' }))
    • packages/connect-web/src/impl/core-in-suite-desktop.ts (permission state check for websocket connectivity error handling)

clipboard-read is intentionally not enabled because current direct usage is test-only (suite/e2e/tests/wallet/receive.test.ts) rather than Suite Web runtime behavior.

Disabled directives (those set to `=()`) are intentionally blocked because there is no direct web runtime use of them at this time.
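As an added example (not part of the Trezor Suite code base or of this skill), the following Node.js snippet serialises a directive table like the one above into a Permissions-Policy header value, parses such a value back, and evaluates whether a given origin may use a feature under it. The policy object, the origins, and the extra `geolocation` and `microphone` entries are constructed for illustration; the browser's built-in default for a feature that the header does not mention is not modelled and is reported as `null`.

```javascript
// Added example, not Trezor Suite code. Mirrors the directive table on this
// page: enabled features get an allowlist of (self), disabled ones get ().
const SUITE_PERMISSIONS_POLICY = {
  usb: ['self'],
  camera: ['self'],
  'clipboard-write': ['self'],
  'local-network-access': ['self'],
  'clipboard-read': [],   // test-only usage, so disabled
  geolocation: [],        // constructed: assumed to have no web runtime use
  microphone: [],         // constructed: assumed to have no web runtime use
};

// Serialise to the header's structured-field dictionary syntax, e.g.
//   usb=(self), geolocation=(self "https://maps.example"), clipboard-read=()
// 'self' and '*' are bare tokens; concrete origins are quoted strings.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allowlist]) => {
      const members = allowlist.map(entry =>
        entry === 'self' || entry === '*' ? entry : JSON.stringify(entry));
      return `${feature}=(${members.join(' ')})`;
    })
    .join(', ');
}

// Parse a header value back into { feature: [allowlist] }. Rejects anything
// that is not `feature=(...)`, so a malformed directive fails loudly instead
// of silently widening the policy.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const part of header.split(',')) {
    const directive = part.trim();
    const m = directive.match(/^([a-z][a-z0-9-]*)=\(([^)]*)\)$/);
    if (!m) throw new Error(`Unparseable Permissions-Policy directive: ${directive}`);
    const [, feature, body] = m;
    const members = body.trim() === '' ? [] : body.trim().split(/\s+/);
    policy[feature] = members.map(x => (x.startsWith('"') ? JSON.parse(x) : x));
  }
  return policy;
}

// Decide whether `origin` may use `feature` on a document served from
// `selfOrigin`. Returns true/false when the header has a directive for the
// feature, and null when it does not (the browser default then applies,
// which this example deliberately does not model).
function isFeatureAllowed(policy, feature, origin, selfOrigin) {
  const allowlist = policy[feature];
  if (allowlist === undefined) return null;
  return allowlist.some(entry =>
    entry === '*' ||
    (entry === 'self' && origin === selfOrigin) ||
    entry === origin);
}

// Stand-alone usage: print the header value the table above produces.
console.log(buildPermissionsPolicy(SUITE_PERMISSIONS_POLICY));
```

Running the file prints the header value that would be sent for the constructed policy; the parser is the piece worth reusing in a lint step, because it turns the header string back into data that a check over `navigator.*` call sites can compare against.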

Direct Code References

  • Header values source: packages/suite-web/constants/webSecurityHeaders.ts
  • Header type constraints: packages/suite-web/types/securityHeaders.ts

MDN references:
