Review and fix Power Pages security headers, CSP, CORS, cookies, and embedding settings.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "manage-headers" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/power-platform-skills/main/plugins/power-pages/skills/manage-headers/SKILL.md 2. Save it as ~/.claude/skills/manage-headers/SKILL.md 3. Reload skills and tell me it's ready
Please review the Content Security Policy configuration for my Power Pages site. The browser console shows some scripts and images are being blocked. Identify missing or overly strict directives and provide actionable fix steps.
An analysis of CSP issues, affected resources, recommended policy changes, and concrete remediation steps.
I want to embed my Power Pages page into another site. Check the current frame-related security headers and clickjacking protections, explain why embedding fails, and show me how to safely allow embedding from specific origins.
An explanation of which headers block embedding, plus safe recommendations and setup steps to allow specific origins.
Please audit the CORS and cookie security settings for my Power Pages site. I need to allow a specific frontend domain to access some resources cross-origin while keeping SameSite, Secure, and related cookie settings safe.
A cross-origin risk assessment, allowlist recommendations, and a cookie hardening plan.
Plugin check: Run
node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js"— if it outputs a message, show it to the user before proceeding.
Inspect and configure the HTTP security headers for a Power Pages site. Headers are configured as HTTP/* site settings stored in .powerpages-site/site-settings/ YAML files.
Initial request: $ARGUMENTS
.yml file in .powerpages-site/site-settings/. The file name uses - instead of / (e.g., HTTP/X-Frame-Options → http-x-frame-options.sitesetting.yml).HTTP/Strict-Transport-Security — the runtime does not recognize it and the setting has no effect.HTTP/* header emission. Verify headers in an incognito tab, not the studio preview.script-src contains 'nonce', the runtime replaces it per-request with 'nonce-<random>' and auto-hashes inline event handlers. Scripts created dynamically via document.createElement do NOT receive the nonce.SameSite=None requires HTTPS. The runtime sets Secure on every cookie over HTTPS automatically.* is auto-specialized. The runtime replaces * per-request with the specific requesting Origin — the browser sees a single-origin header, not a wildcard.Create tasks in four groups. Mark each in_progress when starting, completed when done.
| Group | When to create | Tasks |
|---|---|---|
| 1 | At start | Check prerequisites |
| 2 | After prerequisites pass | Inspect current headers · Assess and plan (skip "Assess and plan" in review mode) |
| 3 | After user approves changes | Apply changes (skip in review mode OR if no changes were accepted) |
| 4 | After apply or assess | Summarize (always) |
Use Glob to find **/powerpages.config.json. If $ARGUMENTS contains --review <out-dir>, remember the output directory — Steps 3–4 are skipped and Step 5 writes JSON only.
Check that .powerpages-site/site-settings/ exists. If not, the site has not been deployed yet — tell the user and recommend /deploy-site. Stop.
Use Glob to find all *.yml files in .powerpages-site/site-settings/. Use Read to read each file and extract the name and value fields. Identify all settings with an HTTP/ prefix — these are the configured headers.
Compare against the recognized header catalogue in references/headers-reference.md. For each header in the catalogue:
…
Run an end-to-end Power Pages security review with a consolidated HTML report.
Test deployed Power Pages sites with browsing, crawling, and API verification.
Add a data source or connector to a Power Apps code app.
Add Azure DevOps to Power Apps for work items, bugs, pipelines, and API calls.
Add the Excel Online connector to read and write workbook data.
Set up Power Platform Pipelines for automated Power Pages deployments.
Inspect and configure WAF protection for a Power Pages production site.
Add essential SEO settings to Power Pages sites for better visibility and sharing.
Audit Power Pages table permissions and get prioritized security findings with fixes.
Audit websites for performance, SEO, accessibility, security, and mobile readiness.
Run website health audits for security, performance, email setup, and link issues.
Add security scanning, auditing, and vulnerability checks to Claude Code and Cursor.