Security Headers with Claude Code: Helmet, CSP, and HSTS Configuration [20260311_142040]
Servers ship without protective response headers unless you add them. XSS payloads execute because there is no Content Security Policy. Clickjacking works because X-Frame-Options is not set. Plain-HTTP connections are accepted because HSTS is missing. Claude Code generates a hardened Helmet configuration from the security policy in your CLAUDE.md.

What Goes in CLAUDE.md

Define your header security requirements once:

```markdown
## HTTP Security Headers

### Required Headers
- **CSP**: inline scripts forbidden; whitelist approach starting from `default-src 'none'`
- **HSTS**: max-age=31536000, includeSubDomains, preload
- **X-Frame-Options**: DENY
- **X-Content-Type-Options**: nosniff
- **Referrer-Policy**: strict-origin-when-cross-origin

### CSP Rules
- Whitelist approach: start from `default-src 'none'`, add only what's needed
- report-uri: /api/csp-report for violation logging
- Dev mode: report-only (violations logged, not blocked)
- Localhost: allow ws:// for HMR webs
```
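The policy above is only useful if you can see, and test, the exact header values it produces. The following is an added example, not code from the article or from Helmet: it builds that header set in plain Node.js with no dependencies, including the dev-mode switch (report-only CSP, HMR WebSocket allowed, HSTS omitted) and a receiver for the `/api/csp-report` endpoint. Function names (`buildCsp`, `buildSecurityHeaders`, `securityHeaders`, `parseCspReport`) are hypothetical, and the directives added beyond `default-src 'none'` are an assumed minimal allow-list for a same-origin app; the sample violation report is constructed.

```javascript
// Added example (not the article's or Helmet's code): builds the header set
// the CLAUDE.md policy asks for, in plain Node.js with no dependencies.
// Function names are hypothetical; the allow-list beyond default-src 'none'
// is an assumption for a same-origin app.

const ONE_YEAR_SECONDS = 31536000;

// Whitelist approach: deny everything, then add only what the app needs.
function buildCsp({ reportOnly = false, allowHmr = false } = {}) {
  const directives = {
    'default-src': ["'none'"],
    'script-src': ["'self'"],        // no 'unsafe-inline': inline scripts forbidden
    'style-src': ["'self'"],
    'img-src': ["'self'", 'data:'],
    'font-src': ["'self'"],
    'connect-src': ["'self'"],
    'frame-ancestors': ["'none'"],   // CSP counterpart of X-Frame-Options: DENY
    'base-uri': ["'self'"],          // stops an injected <base> from redirecting relative URLs
    'form-action': ["'self'"],
    'report-uri': ['/api/csp-report'],
  };
  if (allowHmr) {
    // Dev servers push hot-module-reload updates over a WebSocket.
    directives['connect-src'].push('ws://localhost:*');
  }
  const value = Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
  // Report-only: the browser POSTs violations to report-uri but does not block.
  const name = reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
  return { name, value };
}

// Full header set. dev=true switches CSP to report-only, allows HMR, and
// drops HSTS: browsers ignore HSTS received over http://, and 'preload' is a
// long-term commitment you do not want to rehearse on localhost.
function buildSecurityHeaders({ dev = false } = {}) {
  const csp = buildCsp({ reportOnly: dev, allowHmr: dev });
  const headers = {
    [csp.name]: csp.value,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  if (!dev) {
    headers['Strict-Transport-Security'] =
      `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`;
  }
  return headers;
}

// Express/Connect-style middleware, the slot Helmet normally occupies:
//   app.use(securityHeaders({ dev: process.env.NODE_ENV !== 'production' }))
function securityHeaders(options) {
  const headers = buildSecurityHeaders(options);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) {
      res.setHeader(name, value);
    }
    if (typeof next === 'function') next();
  };
}

// Receiver side for report-uri: browsers POST an application/csp-report body.
// Returns the fields worth logging, or null if the body is not a CSP report.
function parseCspReport(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return null;
  }
  const report = parsed && parsed['csp-report'];
  if (!report || typeof report !== 'object') return null;
  return {
    documentUri: report['document-uri'],
    violatedDirective: report['violated-directive'],
    blockedUri: report['blocked-uri'],
  };
}

// Constructed sample, shaped like what a browser sends after blocking an inline script.
const SAMPLE_CSP_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://app.example/',
    'violated-directive': 'script-src',
    'blocked-uri': 'inline',
  },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildSecurityHeaders({ dev: false }));
  console.log(parseCspReport(SAMPLE_CSP_REPORT));
}
```

Two caveats worth carrying into the generated Helmet config. First, `report-uri` is deprecated in favour of `report-to`, but it is still the directive browsers honour most consistently, so keep it (or send both) if violation logging matters. Second, compare the strings Helmet actually emits (`curl -sI` against the running app) with the values above; a config that looks right in source but still carries Helmet's default `'unsafe-inline'` for styles, or sends HSTS without `preload`, will pass a code review and fail the policy.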