Best Practices
Apply Lighthouse-aligned security, HTTPS, CSP, and compatibility fixes when modernizing or auditing a web codebase.
Overview
Best practices is an agent skill most often used in Ship (also Build frontend quality passes) that applies modern web security, compatibility, and code-quality standards from Lighthouse-style audits.
Install
npx skills add https://github.com/addyosmani/web-quality-skills --skill best-practicesWhat is this skill?
- Lighthouse-inspired security section: HTTPS-only assets, avoid protocol-relative URLs, HSTS guidance
- Content Security Policy examples via meta tag and recommended HTTP header form
- Triggered by phrases: apply best practices, security audit, modernize code, code quality review, check vulnerabilities
- Covers browser compatibility and code quality alongside security (web-quality-skills v1.0)
- Concrete do/don’t snippets for mixed content and CSP `default-src` / `script-src` directives
- Metadata version 1.0
- Three named audit themes: security, browser compatibility, code quality
Adoption & trust: 7.6k installs on skills.sh; 2.2k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your site still loads HTTP assets, lacks CSP, or hides risky patterns that fail a serious security or quality review.
Who is it for?
Solo builders preparing a web app or marketing site for production who want agent-led hardening without a full manual checklist.
Skip if: Non-web stacks (mobile-native-only, CLI tools with no browser surface) or teams needing formal compliance attestations beyond developer best practices.
When should I use this skill?
User asks to apply best practices, security audit, modernize code, code quality review, or check for vulnerabilities.
What do I get? / Deliverables
Pages and headers move toward HTTPS-only loading, documented CSP, and compatibility fixes aligned with stated audit triggers.
- HTTPS and mixed-content remediations
- CSP meta or header recommendations
- Documented compatibility and quality fixes
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Security and vulnerability checks are canonical in Ship before launch, even when they touch files created during Build. Security subphase covers HTTPS enforcement, CSP, mixed content, and hardening patterns called out in the skill triggers.
Where it fits
Replace `http://` CDN script tags and draft a CSP header before go-live.
Run a code quality review pass triggered by ‘apply best practices’ on marketing pages.
Modernize templates to HTTPS-only asset URLs while refactoring UI.
How it compares
Lighthouse-oriented security and quality patterns—not Smithery MCP wiring or Tailwind UI baseline enforcement.
Common Questions / FAQ
Who is best-practices for?
Solo and indie web developers using coding agents who need structured HTTPS, CSP, and quality modernization guidance.
When should I use best-practices?
In Ship when auditing security before launch; in Build when modernizing templates; whenever the user says apply best practices, security audit, or check for vulnerabilities.
Is best-practices safe to install?
The skill is advisory and may suggest header and markup changes—review the Security Audits panel on this Prism page and test CSP in staging before enforcing in production.
SKILL.md
READMESKILL.md - Best Practices
# Best practices Modern web development standards based on Lighthouse best practices audits. Covers security, browser compatibility, and code quality patterns. ## Security ### HTTPS everywhere **Enforce HTTPS:** ```html <!-- ❌ Mixed content --> <img src="http://example.com/image.jpg"> <script src="http://cdn.example.com/script.js"></script> <!-- ✅ HTTPS only --> <img src="https://example.com/image.jpg"> <script src="https://cdn.example.com/script.js"></script> ``` Avoid protocol-relative URLs (`//example.com/...`) — they're an HTTP-era pattern with no benefit on HTTPS-only sites and hide the actual scheme from reviewers. **HSTS Header:** ``` Strict-Transport-Security: max-age=31536000; includeSubDomains; preload ``` ### Content Security Policy (CSP) ```html <!-- Basic CSP via meta tag --> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://trusted-cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.example.com;"> <!-- Better: HTTP header --> ``` **CSP Header (recommended):** ``` Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123' https://trusted.com; style-src 'self' 'nonce-abc123'; img-src 'self' data: https:; connect-src 'self' https://api.example.com; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; ``` **Using nonces for inline scripts:** ```html <script nonce="abc123"> // This inline script is allowed </script> ``` ### Trusted Types (modern DOM-XSS defense) A strict CSP blocks loading untrusted *script files*, but it doesn't stop a string from reaching `innerHTML`, `eval`, or other DOM-XSS sinks. Trusted Types — Baseline across all major browsers since early 2026 — closes that hole by making sinks reject raw strings and accept only typed objects produced by a named policy. ``` Content-Security-Policy: require-trusted-types-for 'script'; trusted-types default; ``` ```javascript // One central policy that does the sanitization const escape = trustedTypes.createPolicy('default', { createHTML: (s) => DOMPurify.sanitize(s, { RETURN_TRUSTED_TYPE: true }) }); // ❌ This now throws TypeError under enforcement element.innerHTML = userInput; // ✅ Goes through the policy element.innerHTML = escape.createHTML(userInput); ``` Roll out with `Content-Security-Policy-Report-Only` first to find every sink usage in your app, then flip to enforcement. Angular has built-in Trusted Types support; React 19+ produces TrustedHTML when Trusted Types are enforced; for everything else, [DOMPurify](https://github.com/cure53/DOMPurify) is the de-facto sanitizer. ### Subresource Integrity (SRI) for third-party scripts Pin every `<script>` and `<link rel="stylesheet">` you load from a CDN you don't control. If the CDN is compromised — as happened to polyfill.io in 2024 — the browser refuses to execute a file whose hash doesn't match. ```html <script src="https://cdn.example.com/lib@1.2.3/dist/lib.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script> ``` `integrity` accepts space-separated hashes; include the next version's hash before rotating to avoid downtime. Generate with `openssl dgst -sha384 -binary file.js | openssl base64 -A`. SRI requires `crossorigin` and an `Access-Control-Allow-Origin` response header from the CDN. ### Security headers ``` # Prevent clickjacking — prefer CSP `frame-ancestors` (above); X-Frame-Options # is the legacy fallback for older browsers. X-Frame-Options: DENY