M4: security pass — strict CSP, header split, build-time scan

All JS moved to external /site.js → script-src 'self' with no inline JS,
hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny,
referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared
headers include avoids the location add_header reset footgun. Build-time
secret/inline-script/third-party scan gate. SECURITY.md documents posture.
2026-06-17 17:12:57 +10:00
parent cb76a87c36
commit c1db5cec86
9 changed files with 210 additions and 64 deletions
@@ -10,6 +10,7 @@
"build": "astro build",
"preview": "astro preview",
"check": "astro check",
"scan": "bash scripts/check-build.sh dist",
"gen:og": "node scripts/gen-og.mjs",
"astro": "astro"
},
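Review bot: the new "scan" script is not invoked by "build" (which stays as plain "astro build" in this hunk), so the build-time scan gate named in the commit message only runs when someone explicitly calls `npm run scan`; to make it an actual gate, chain it into the build, e.g. `"build": "astro build && bash scripts/check-build.sh dist"`, or run `npm run scan` as a required step in the deploy pipeline so a failing scan blocks publishing rather than being skipped. The script also assumes `bash` exists on the build host, which is worth stating where the pipeline is documented.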