
Reverse-Proxy Security Headers Audit Prompt

Audit a reverse proxy (nginx, Caddy, HAProxy, Traefik) for missing or weak HTTP security headers — CSP, HSTS, frame/content-type protections — and produce a hardened, app-aware configuration.

Target user
Web/platform engineers fronting apps with a reverse proxy
Difficulty
Beginner
Tools
Claude, ChatGPT

The prompt

You are a web security engineer who hardens reverse proxies and edge configs. You review defensively: add the headers that mitigate XSS, clickjacking, downgrade, and info-leak risks, without breaking the app.

I will provide:
- The reverse-proxy config (nginx `server` block, Caddyfile, HAProxy, or Traefik)
- What the app is (SPA, server-rendered, API-only) and which origins it legitimately loads scripts/styles/images/frames from
- Current response headers (from `curl -I` or a scanner)
- Whether TLS terminates here, and any CDN in front
- Concerns (failed a security scan, embedding, third-party widgets)

Your job:

1. **Header inventory** — list current security headers and grade each: present, missing, or weak. Cover `Content-Security-Policy`, `Strict-Transport-Security`, `X-Content-Type-Options`, `X-Frame-Options`/`frame-ancestors`, `Referrer-Policy`, `Permissions-Policy`, removal of leaky headers (`Server`, `X-Powered-By`), and the legacy `X-XSS-Protection`, which should be `0` or absent rather than `1; mode=block`: modern browsers have removed the filter it enabled, and the filter itself caused problems while it existed.

2. **CSP — done right** — this is the hard one. Build a CSP from the app's actual sources rather than a permissive blanket. Avoid `unsafe-inline`/`unsafe-eval`; recommend nonces or hashes for inline scripts, with the nonce generated fresh for every response (a fixed nonce is `unsafe-inline` by another name). Include `object-src 'none'`, `base-uri 'self'` and `frame-ancestors` so the policy also covers plugin content, `<base>` hijacking and framing. Propose starting in `Content-Security-Policy-Report-Only` with a `report-uri`/`report-to` endpoint that actually records the reports, then enforcing once the reports are clean.

3. **HSTS** — set a long `max-age` (at least a year), `includeSubDomains`, and discuss `preload` implications: the preload list requires `max-age` of at least 31536000 together with `includeSubDomains` and the `preload` token, commits every subdomain to HTTPS, and is hard to undo because removal from browser lists takes months. Confirm the HTTP→HTTPS redirect is in place first, and send the header from the HTTPS vhost only; browsers ignore HSTS received over plain HTTP.

4. **Coverage on every response** — ensure headers are applied to all responses, including 4xx/5xx error pages, redirects and static files served directly by the proxy (in nginx, `add_header` needs `always` to apply to non-2xx/3xx codes, and a `location` that defines its own `add_header` stops inheriting the server-level ones), and that any CDN in front does not strip, override or duplicate them.

5. **Verification** — provide `curl`/scanner checks that hit more than the happy path (an error page, a redirect, a static asset, a path served from the CDN's cache), and note how to validate the CSP does not break legitimate functionality before enforcing: review the report-only violations and exercise the app's third-party widgets and inline scripts in a real browser.

Output as: (a) a header scorecard (current vs target), (b) the hardened proxy config block, (c) a phased CSP rollout plan (report-only → enforce), (d) verification commands.

Anti-patterns to flag: a wide-open `default-src *` "CSP", `unsafe-inline` everywhere, a static nonce reused across responses, HSTS preload set before testing, headers only on the happy path (in nginx, `add_header` without `always`, or a `location` whose own `add_header` silently drops the inherited ones), and leaving version-disclosing `Server`/`X-Powered-By` headers in place.
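As an added example of the hardened config block the prompt asks for (this is editorial sample configuration, not part of the original prompt page or any project's shipped config), here is an nginx layout that addresses the inventory, CSP rollout, HSTS and coverage points above. The hostname `app.example.com`, the upstream on `127.0.0.1:3000`, the origins `cdn.example.com`, `images.example.com` and `api.example.com`, the file paths, and the `__CSP_NONCE__` placeholder that the app is assumed to emit in its inline `<script>` tags are all assumptions to replace with the real app's values.

```nginx
# /etc/nginx/snippets/security-headers.conf  (assumed path)
#
# Included from the TLS server block AND from every location that sets any
# add_header of its own: nginx does not inherit add_header into a location
# that defines one, so a location with only "add_header Cache-Control" would
# otherwise silently lose every header below.
# "always" makes each header apply to 4xx/5xx responses too; without it nginx
# only adds headers to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308.

# Sent only from the HTTPS vhost. Add "; preload" after the site and all
# subdomains have run cleanly on HTTPS for a while; list removal takes months.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;   # legacy browsers; frame-ancestors below is authoritative
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;

# Phase 1: report-only. $request_id (nginx >= 1.11.0) is 32 random hex chars per
# request and serves as the per-response script nonce. The origins are placeholders
# for the app's real sources; report-uri is widely supported, report-to is its successor.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'nonce-$request_id' https://cdn.example.com; style-src 'self' https://cdn.example.com; img-src 'self' data: https://images.example.com; font-src 'self'; connect-src 'self' https://api.example.com; frame-ancestors 'none'; base-uri 'self'; object-src 'none'; form-action 'self'; report-uri /csp-report" always;
# Phase 2: once reports are clean, rename the header to Content-Security-Policy.

# -----------------------------------------------------------------------------
# /etc/nginx/conf.d/app.conf  (assumed path)

server_tokens off;   # hides the nginx version in Server: and on error pages; the bare
                     # "Server: nginx" remains (dropping it entirely needs the
                     # headers-more module: more_clear_headers Server;)

server {             # plain HTTP: redirect only, no security headers here
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/ssl/app.example.com.pem;   # assumed paths
    ssl_certificate_key /etc/ssl/app.example.com.key;

    include snippets/security-headers.conf;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_hide_header X-Powered-By;        # strip the upstream framework banner
        proxy_set_header Accept-Encoding "";   # sub_filter can only rewrite uncompressed bodies

        # Inject the per-request nonce into the app's inline scripts, which are
        # assumed to be emitted as <script nonce="__CSP_NONCE__">. Needs the
        # ngx_http_sub_module; sub_filter rewrites text/html only by default.
        sub_filter_once off;
        sub_filter 'nonce="__CSP_NONCE__"' 'nonce="$request_id"';
    }

    location /static/ {
        alias /srv/app/static/;   # assumed path
        add_header Cache-Control "public, max-age=31536000, immutable";
        include snippets/security-headers.conf;   # re-include: this add_header disabled inheritance
    }

    location = /csp-report {
        # Report collector: anything that accepts POST application/csp-report.
        proxy_pass http://127.0.0.1:3000/csp-report;
    }
}
```

Check the result with `curl -sI` against `/`, `/static/` and a path that returns 404 on the HTTPS host; all three should carry the same header set, and the HTTP host should return only the 301. Leave the policy in report-only until the collector shows no violations for the app's real flows, then rename the header to `Content-Security-Policy` in the snippet and reload.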