nzambello.dev/SECURITY.md

# Security Implementation

This document outlines the security measures implemented on nzambello.dev.

## Security Headers

The following security headers are implemented both at the Astro application level and nginx server level:

### 1. Content Security Policy (CSP)

- **Purpose**: Prevents XSS attacks by controlling which resources can be loaded
- **Configuration**:
  - `default-src 'self'` - Only allow resources from same origin
  - `script-src 'self' 'unsafe-inline' 'unsafe-eval' https://umami.nzambello.dev` - Allow inline scripts and Umami analytics
  - `style-src 'self' 'unsafe-inline' https://unpkg.com` - Allow inline styles and PicoCSS from unpkg
  - `img-src 'self' data: https:` - Allow images from same origin, data URIs, and HTTPS sources
  - `font-src 'self' https://unpkg.com` - Allow fonts from same origin and unpkg
  - `connect-src 'self' https://umami.nzambello.dev` - Allow connections to same origin and Umami
  - `object-src 'none'` - Block all plugins
  - `frame-ancestors 'none'` - Prevent site from being embedded in iframes

### 2. HTTP Strict Transport Security (HSTS)

- **Purpose**: Forces browsers to use HTTPS only
- **Configuration**: `max-age=31536000; includeSubDomains; preload`
- **Duration**: 1 year with subdomain coverage and preload list inclusion

### 3. X-Content-Type-Options

- **Purpose**: Prevents MIME type sniffing attacks
- **Configuration**: `nosniff`

### 4. X-Frame-Options

- **Purpose**: Prevents clickjacking attacks
- **Configuration**: `DENY` (prevents any embedding)

### 5. Referrer Policy

- **Purpose**: Controls referrer information sent to other sites
- **Configuration**: `strict-origin-when-cross-origin`
- **Behavior**: Sends full referrer to same origin, only origin to cross-origin, nothing on downgrade

### 6. X-XSS-Protection

- **Purpose**: Additional XSS protection for older browsers
- **Configuration**: `1; mode=block`

### 7. Permissions Policy

- **Purpose**: Controls browser features and APIs
- **Configuration**: `camera=(), microphone=(), geolocation=(), payment=()`
- **Effect**: Blocks access to camera, microphone, geolocation, and payment APIs

## Subresource Integrity (SRI)

### External Resources with SRI

- **Umami Analytics Script**:
  - URL: `https://umami.nzambello.dev/script.js`
  - Integrity: `sha384-gW+82edTiLqRoEvPbT3xKDCYZ5M02YXbW4tA3gbojZWiiMYNJZb4YneJrS4ri3Rn`
  - Purpose: Ensures the analytics script hasn't been tampered with

## Server Information Hiding

- **Server Tokens**: Disabled in nginx configuration
- **X-Powered-By**: Removed from response headers
- **Server**: Removed from response headers

## Testing Security Headers

To test the security headers:

```bash
# Run the security test script
npm run test:security

# Or manually check headers
curl -I https://nzambello.dev
```

## Security Best Practices

1. **HTTPS Only**: All traffic is served over HTTPS
2. **No External Dependencies**: Minimal external dependencies, all with SRI where applicable
3. **Inline Scripts**: All inline scripts are necessary for functionality and are allowed in CSP
4. **Regular Updates**: Dependencies are regularly updated to patch security vulnerabilities
5. **Content Security**: All content is served from trusted sources only

## Monitoring

- Security headers are monitored through the Umami analytics integration
- Regular security audits are performed using automated tools
- CSP violations are logged and monitored

## Compliance

These security measures help ensure compliance with:

- OWASP Top 10
- Web Security Best Practices
- Modern browser security standards
fix: security headers 2025-08-12 14:35:55 +02:00			`# Security Implementation`

			`This document outlines the security measures implemented on nzambello.dev.`

			`## Security Headers`

			`The following security headers are implemented both at the Astro application level and nginx server level:`

			`### 1. Content Security Policy (CSP)`

			`- Purpose: Prevents XSS attacks by controlling which resources can be loaded`
			`- Configuration:`
			- `default-src 'self'` - Only allow resources from same origin
			- `script-src 'self' 'unsafe-inline' 'unsafe-eval' https://umami.nzambello.dev` - Allow inline scripts and Umami analytics
			- `style-src 'self' 'unsafe-inline' https://unpkg.com` - Allow inline styles and PicoCSS from unpkg
			- `img-src 'self' data: https:` - Allow images from same origin, data URIs, and HTTPS sources
			- `font-src 'self' https://unpkg.com` - Allow fonts from same origin and unpkg
			- `connect-src 'self' https://umami.nzambello.dev` - Allow connections to same origin and Umami
			- `object-src 'none'` - Block all plugins
			- `frame-ancestors 'none'` - Prevent site from being embedded in iframes

			`### 2. HTTP Strict Transport Security (HSTS)`

			`- Purpose: Forces browsers to use HTTPS only`
			- Configuration: `max-age=31536000; includeSubDomains; preload`
			`- Duration: 1 year with subdomain coverage and preload list inclusion`

			`### 3. X-Content-Type-Options`

			`- Purpose: Prevents MIME type sniffing attacks`
			- Configuration: `nosniff`

			`### 4. X-Frame-Options`

			`- Purpose: Prevents clickjacking attacks`
			- Configuration: `DENY` (prevents any embedding)

			`### 5. Referrer Policy`

			`- Purpose: Controls referrer information sent to other sites`
			- Configuration: `strict-origin-when-cross-origin`
			`- Behavior: Sends full referrer to same origin, only origin to cross-origin, nothing on downgrade`

			`### 6. X-XSS-Protection`

			`- Purpose: Additional XSS protection for older browsers`
			- Configuration: `1; mode=block`

			`### 7. Permissions Policy`

			`- Purpose: Controls browser features and APIs`
			- Configuration: `camera=(), microphone=(), geolocation=(), payment=()`
			`- Effect: Blocks access to camera, microphone, geolocation, and payment APIs`

			`## Subresource Integrity (SRI)`

			`### External Resources with SRI`

			`- Umami Analytics Script:`
			- URL: `https://umami.nzambello.dev/script.js`
			- Integrity: `sha384-gW+82edTiLqRoEvPbT3xKDCYZ5M02YXbW4tA3gbojZWiiMYNJZb4YneJrS4ri3Rn`
			`- Purpose: Ensures the analytics script hasn't been tampered with`

			`## Server Information Hiding`

			`- Server Tokens: Disabled in nginx configuration`
			`- X-Powered-By: Removed from response headers`
			`- Server: Removed from response headers`

			`## Testing Security Headers`

			`To test the security headers:`

			```bash
			`# Run the security test script`
			`npm run test:security`

			`# Or manually check headers`
			`curl -I https://nzambello.dev`
			```

			`## Security Best Practices`

			`1. HTTPS Only: All traffic is served over HTTPS`
			`2. No External Dependencies: Minimal external dependencies, all with SRI where applicable`
			`3. Inline Scripts: All inline scripts are necessary for functionality and are allowed in CSP`
			`4. Regular Updates: Dependencies are regularly updated to patch security vulnerabilities`
			`5. Content Security: All content is served from trusted sources only`

			`## Monitoring`

			`- Security headers are monitored through the Umami analytics integration`
			`- Regular security audits are performed using automated tools`
			`- CSP violations are logged and monitored`

			`## Compliance`

			`These security measures help ensure compliance with:`

			`- OWASP Top 10`
			`- Web Security Best Practices`
			`- Modern browser security standards`