Plugin check: Run node "${CLAUDE_PLUGIN_ROOT}/scripts/check-version.js" — if it outputs a message, show it to the user before proceeding.

Manage Headers

Inspect and configure the HTTP security headers for a Power Pages site. Headers are configured as HTTP/* site settings stored in .powerpages-site/site-settings/ YAML files.

Initial request: $ARGUMENTS

Gotchas

• Site settings are YAML files. Each header is a separate .yml file in .powerpages-site/site-settings/. The file name uses - instead of / (e.g., HTTP/X-Frame-Options → http-x-frame-options.sitesetting.yml).
• Absent = no header. When a site setting is absent, the runtime omits that header entirely (except CSP on new sites — see headers-reference.md).
• HSTS and Cache-Control are platform-managed. Do not try to set HTTP/Strict-Transport-Security — the runtime does not recognize it and the setting has no effect.
• Maker-mode bypasses headers. Requests from Power Pages Studio skip all HTTP/* header emission. Verify headers in an incognito tab, not the studio preview.
• CSP is pass-through. The runtime emits the value verbatim — it does NOT merge runtime sources automatically. The CSP MUST include Power Pages runtime hosts or the site breaks.
• CSP nonce. When script-src contains 'nonce', the runtime replaces it per-request with 'nonce-<random>' and auto-hashes inline event handlers. Scripts created dynamically via document.createElement do NOT receive the nonce.
• SameSite=None requires HTTPS. The runtime sets Secure on every cookie over HTTPS automatically.
• CORS * is auto-specialized. The runtime replaces * per-request with the specific requesting Origin — the browser sees a single-origin header, not a wildcard.

Workflow

1. Prerequisites — Locate project, confirm site-settings directory exists
2. Inspect current headers — Read site-setting YAML files, identify configured and missing headers
3. Assess and plan — Identify gaps, present recommendations
4. Apply changes — Edit existing settings or create new ones
5. Summarize — Present results, record usage, offer follow-ups

Task Tracking

Create tasks in four groups. Mark each in_progress when starting, completed when done.

1. Prerequisites

1.1 Locate the project, detect review mode

Use Glob to find **/powerpages.config.json. If $ARGUMENTS contains --review <out-dir>, remember the output directory — Steps 3–4 are skipped and Step 5 writes JSON only.

1.2 Verify site-settings directory

Check that .powerpages-site/site-settings/ exists. If not, the site has not been deployed yet — tell the user and recommend /deploy-site. Stop.

2. Inspect current headers

Use Glob to find all *.yml files in .powerpages-site/site-settings/. Use Read to read each file and extract the name and value fields. Identify all settings with an HTTP/ prefix — these are the configured headers.

Compare against the recognized header catalogue in references/headers-reference.md. For each header in the catalogue:

• Present — record its current value.
• Missing — record it as absent and note the recommended value from headers-reference.md.

…