Add security headers (CSP, HSTS, X-Frame, etc.) — Windsurf
Missing security headers let attackers frame your site for clickjacking, downgrade HTTPS connections, or inject scripts. Browsers warn users and search engines flag the site.
Fixing this in Windsurf
Codeium agentic AI IDE with Cascade
Windsurf Cascade can walk the entire project and apply multi-file edits in one pass. Paste the prompt below into your Windsurf chat and the fix rolls out across the project in one pass.
Using a different tool? Pick your stack:
The prompt for Windsurf
Copy and paste this into your Windsurf chat exactly as-is.
Using Windsurf Cascade, apply these edits across the project in one pass: Add security headers 1. Add a `_headers` file (Netlify) or hosting-config that sets these headers globally: 2. Content-Security-Policy, Strict-Transport-Security (max-age=31536000; includeSubDomains; preload), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin. 3. Verify with `curl -I` against your deployed URL.
Why this matters
Security headers are small HTTP response headers that tell the browser how to protect your users. They are free to enable and drastically reduce the attack surface for XSS, clickjacking, MIME sniffing, and downgrade attacks. Every major security scanner (Mozilla Observatory, securityheaders.com, Google Security Checkup) runs against them.
Most AI-built apps ship without any custom headers because the scaffold template does not include them and nobody asks. This is the easiest "medium-severity" finding to remediate in a Pantra Security Audit.
Strict-Transport-Security (HSTS) is especially important: once a browser sees it, it refuses to make any non-HTTPS request to your domain for the max-age duration. This blocks SSL-stripping attacks and protects users on hostile networks.
How to use this prompt in Windsurf
- 1. Open your Windsurf project.
- 2. Copy the prompt above with the copy button.
- 3. Paste into the Windsurf chat and send.
- 4. Review the diff, accept the changes, redeploy.
- 5. Verify the fix using the checklist below.
Common mistakes to avoid
- error_outlineSetting a Content-Security-Policy that blocks your own inline scripts, breaking the site.
- error_outlineSetting `X-Frame-Options: DENY` on a page that needs to be embedded (e.g., checkout iframe).
- error_outlineUsing HSTS with `max-age=31536000` on a subdomain that still has HTTP — locks out users.
- error_outlineShipping `Referrer-Policy: no-referrer` everywhere — breaks analytics and affiliate tracking.
- error_outlineAdding CSP in a `<meta>` tag instead of an HTTP header — some directives do not work in meta.
How to verify the fix worked
- check_circleRun https://securityheaders.com/?q=yoursite.com — target grade A.
- check_circleRun https://observatory.mozilla.org/ — target grade B or better.
- check_circle`curl -I https://yoursite.com` — confirm the five headers are present.
- check_circleOpen DevTools → Network → response headers — verify on real pages.
Frequently asked questions
Will adding CSP break my site?expand_more
What is the minimum HSTS value?expand_more
Do security headers affect SEO?expand_more
Want all 34 prompts tailored to your Windsurf site?
Pantra scans your site in 10 seconds, detects the stack, and generates the exact prompts that apply — only the ones you actually need.
Scan my siteRelated Windsurf prompts
Force HTTPS and enable HSTS — Windsurf
Prompt to redirect all HTTP to HTTPS and enable HSTS — non-negotiable for modern sites. Works in any stack.
SecurityMove API keys off the client bundle — Windsurf
Stack-specific prompt to move Supabase service keys, OpenAI keys, Stripe keys, and other secrets out of client code and into server env — for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44.
SecurityEnable Supabase Row Level Security on every table — Windsurf
Prompt to enable RLS on every Supabase table and write sane policies — the #1 security fix for Lovable, Cursor, Bolt, v0, Replit, Windsurf, Claude Code, Base44 apps.