nzambello.dev/SECURITY.md
Nicola Zambello 6e6948b4fd
fix: security headers
2025-08-12 15:35:55 +03:00


Security Implementation

This document outlines the security measures implemented on nzambello.dev.

Security Headers

The following security headers are set both in the Astro application and in the nginx server configuration. Note that nginx add_header directives are inherited from the server block only when a location block defines none of its own, and they are left off error responses unless the always parameter is given, so each location and the error pages need to be checked separately.

1. Content Security Policy (CSP)

  • Purpose: Restricts where scripts, styles, images and other resources may be loaded from, so an injected script or tag has fewer places to pull code from
  • Configuration:
    • default-src 'self' - Only allow resources from the same origin unless a more specific directive applies
    • script-src 'self' 'unsafe-inline' 'unsafe-eval' https://umami.nzambello.dev - Allow same-origin scripts, inline scripts, eval, and the Umami analytics script
    • style-src 'self' 'unsafe-inline' https://unpkg.com - Allow same-origin styles, inline styles, and PicoCSS from unpkg
    • img-src 'self' data: https: - Allow images from the same origin, data: URIs, and any HTTPS origin
    • font-src 'self' https://unpkg.com - Allow fonts from the same origin and unpkg
    • connect-src 'self' https://umami.nzambello.dev - Allow fetch/XHR/WebSocket connections to the same origin and Umami
    • object-src 'none' - Block all plugins
    • frame-ancestors 'none' - Prevent the site from being embedded in a frame on any origin
  • Caveat: with 'unsafe-inline' and 'unsafe-eval' in script-src, any script an attacker manages to inject into a page runs as well, so this policy does not stop reflected or stored XSS; its practical effect is to limit external script hosts to umami.nzambello.dev and to block plugins and framing. Replacing 'unsafe-inline' with per-response nonces or script hashes, and dropping 'unsafe-eval', is what would make the XSS protection effective.

2. HTTP Strict Transport Security (HSTS)

  • Purpose: Tells browsers to use HTTPS only for this host; once the header has been seen over a valid HTTPS connection, the browser upgrades plain http:// requests itself and refuses to click through certificate errors for the given period
  • Configuration: max-age=31536000; includeSubDomains; preload
  • Duration: 1 year, covering all subdomains. The preload token only marks the domain as eligible for the browser preload lists; actual inclusion requires submitting the domain at hstspreload.org, and once preloaded every subdomain must keep serving valid HTTPS

3. X-Content-Type-Options

  • Purpose: Stops browsers from guessing a response's content type from its bytes instead of the declared Content-Type, which otherwise lets a file served as something harmless be interpreted as script or HTML
  • Configuration: nosniff

4. X-Frame-Options

  • Purpose: Prevents clickjacking by refusing to render the site inside a frame
  • Configuration: DENY (prevents any embedding)
  • Note: this is the legacy equivalent of the CSP frame-ancestors 'none' directive above; browsers that understand both use frame-ancestors, so X-Frame-Options is kept only for older clients

5. Referrer Policy

  • Purpose: Controls how much of the current URL is sent in the Referer header when the browser navigates or loads a resource
  • Configuration: strict-origin-when-cross-origin
  • Behavior: Sends the full URL to the same origin, only the origin (scheme and host) to other HTTPS origins, and nothing when going from HTTPS to HTTP

6. X-XSS-Protection

  • Purpose: Enables the built-in reflected-XSS filter of older browsers
  • Configuration: 1; mode=block
  • Caveat: this header is deprecated. Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so the header has no effect in current browsers; because the filter itself was usable for cross-site information leaks, current OWASP guidance is to send X-XSS-Protection: 0 or omit the header and rely on CSP instead

7. Permissions Policy

  • Purpose: Controls browser features and APIs
  • Configuration: camera=(), microphone=(), geolocation=(), payment=()
  • Effect: Blocks access to camera, microphone, geolocation, and payment APIs

Subresource Integrity (SRI)

External Resources with SRI

  • Umami Analytics Script:
    • URL: https://umami.nzambello.dev/script.js
    • Integrity: sha384-gW+82edTiLqRoEvPbT3xKDCYZ5M02YXbW4tA3gbojZWiiMYNJZb4YneJrS4ri3Rn
    • Purpose: The browser hashes the downloaded script and refuses to execute it unless the digest matches, so a compromised or tampered analytics host cannot inject code into this site
    • Requirements: because umami.nzambello.dev is a different origin from nzambello.dev, the script tag needs crossorigin="anonymous" and the Umami server must answer with a matching Access-Control-Allow-Origin header, otherwise the browser cannot check the hash and blocks the script. The hash pins one exact build of script.js, so it must be regenerated whenever Umami is updated

Server Information Hiding

  • Server Tokens: server_tokens off in the nginx configuration, so the nginx version is not disclosed
  • X-Powered-By: Removed from response headers
  • Server: Removed from response headers

Testing Security Headers

To test the security headers:

# Run the security test script
npm run test:security

# Or manually check headers
curl -I https://nzambello.dev

Check that every header listed above is present and that no Server or X-Powered-By line appears. Repeat the curl against a 404 URL and a static asset as well, since nginx drops add_header values from error responses unless the always parameter is set, and a location block with its own add_header directives replaces those of the enclosing server block.
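As an added example that serves both the header inventory above and this manual check, the Node.js script below (not the site's own test:security script, and not a capture from nzambello.dev) parses curl -I style output and reports the points raised in this document: 'unsafe-inline' or 'unsafe-eval' in script-src, a CSP without frame-ancestors or a reporting directive, an HSTS max-age under a year, a missing nosniff or Referrer-Policy, and a leaked Server or X-Powered-By header. Both header sets it runs on are constructed samples.

```javascript
// Added example for the headers documented above and the manual curl check;
// not the site's own test:security script.

// Turn raw "Name: value" lines into a lowercase-keyed object; the status line
// and blank lines are skipped, repeated headers are joined with commas.
function parseRawHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const colon = line.indexOf(':');
    if (colon <= 0) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a CSP into { directive: [sources...] }.
function parseCsp(value) {
  const policy = {};
  for (const directive of value.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return a list of findings; an empty list means the response carries the
// documented headers without the weaknesses discussed above.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const p = parseCsp(csp);
    const scriptSrc = p['script-src'] || p['default-src'] || [];
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(weak)) findings.push(`script-src allows ${weak}: injected scripts still run`);
    }
    if (!(p['object-src'] || []).includes("'none'")) findings.push("object-src is not 'none'");
    if (!p['frame-ancestors']) findings.push('CSP has no frame-ancestors directive');
    if (!p['report-to'] && !p['report-uri']) findings.push('CSP has no report-to/report-uri, violations are not reported');
  }

  const hsts = headers['strict-transport-security'] || '';
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!maxAge) findings.push('missing HSTS max-age');
  else if (Number(maxAge[1]) < 31536000) findings.push('HSTS max-age is shorter than one year');

  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!headers['x-frame-options'] && !(csp && /frame-ancestors/i.test(csp))) findings.push('no clickjacking protection (X-Frame-Options or frame-ancestors)');
  if (!headers['referrer-policy']) findings.push('missing Referrer-Policy');
  for (const leak of ['server', 'x-powered-by']) {
    if (headers[leak]) findings.push(`${leak} header discloses: ${headers[leak]}`);
  }
  return findings;
}

function auditRaw(raw) {
  return auditHeaders(parseRawHeaders(raw));
}

// Constructed sample of what curl -I could return for the policy documented
// above (not a real capture from nzambello.dev).
const DOCUMENTED_RESPONSE = `HTTP/2 200
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://umami.nzambello.dev; style-src 'self' 'unsafe-inline' https://unpkg.com; object-src 'none'; frame-ancestors 'none'
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=()
`;

// Constructed hardened variant: a nonce instead of 'unsafe-inline', no eval,
// a reporting endpoint, and no legacy X-Frame-Options (frame-ancestors covers it).
const HARDENED_RESPONSE = `HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self' 'nonce-r4nd0mN0nce' https://umami.nzambello.dev; object-src 'none'; frame-ancestors 'none'; report-to csp-endpoint
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
`;

for (const [label, raw] of [['documented', DOCUMENTED_RESPONSE], ['hardened', HARDENED_RESPONSE]]) {
  console.log(label, auditRaw(raw));
}
```

Against the documented policy the script reports the two unsafe script-src keywords and the missing reporting directive; the hardened variant comes back clean. To run it against the live site, replace the constructed sample with the output of the curl command above.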

Security Best Practices

  1. HTTPS Only: All traffic is served over HTTPS
  2. Minimal External Dependencies: Only the Umami script and the PicoCSS assets from unpkg are loaded from other origins, with SRI where applicable
  3. Inline Scripts: The inline scripts the site needs are permitted through 'unsafe-inline' in the CSP; moving them to nonces or hashes is the remaining hardening step
  4. Regular Updates: Dependencies are regularly updated to patch security vulnerabilities
  5. Content Security: All content is served from trusted sources only

Monitoring

  • Security headers are monitored through the Umami analytics integration
  • Regular security audits are performed using automated tools
  • CSP violations are logged and monitored; note that the policy listed above has no report-uri or report-to directive, which browsers require before they send violation reports, so one has to be added for reports to reach a collector

Compliance

These security measures help ensure compliance with:

  • OWASP Top 10
  • Web Security Best Practices
  • Modern browser security standards