bztmon-site

jwright/bztmon-site

Fork 0

Commit Graph

Author	SHA1	Message	Date
jwright	74cbf3af26	Add HSTS header at the origin (host-scoped, no includeSubDomains) build-and-deploy / build (push) Failing after 13m53s Details	2026-06-17 19:38:05 +10:00
jwright	c1db5cec86	M4: security pass — strict CSP, header split, build-time scan All JS moved to external /site.js → script-src 'self' with no inline JS, hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny, referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared headers include avoids the location add_header reset footgun. Build-time secret/inline-script/third-party scan gate. SECURITY.md documents posture.	2026-06-17 17:12:57 +10:00

Author

SHA1

Message

Date

jwright

74cbf3af26

Add HSTS header at the origin (host-scoped, no includeSubDomains)

build-and-deploy / build (push) Failing after 13m53s

Details

2026-06-17 19:38:05 +10:00

jwright

c1db5cec86

M4: security pass — strict CSP, header split, build-time scan

All JS moved to external /site.js → script-src 'self' with no inline JS,
hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny,
referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared
headers include avoids the location add_header reset footgun. Build-time
secret/inline-script/third-party scan gate. SECURITY.md documents posture.

2026-06-17 17:12:57 +10:00

2 Commits