jwright/bztmon-site
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1dc9c82cb3eddf77b2ceef78e2a56064ae707988
bztmon-site/SECURITY.md
T
jwright c1db5cec86 M4: security pass — strict CSP, header split, build-time scan 
All JS moved to external /site.js → script-src 'self' with no inline JS,
hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny,
referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared
headers include avoids the location add_header reset footgun. Build-time
secret/inline-script/third-party scan gate. SECURITY.md documents posture.
2026-06-17 17:12:57 +10:00

2.8 KiB
Raw Blame History

Security posture

This site is meant to demonstrate the discipline it advertises. Security is treated as acceptance criteria, not polish.

Attack surface

  • Static output — no server runtime, no database, no user input, no forms.
  • Served by nginx-unprivileged (uid 101, read-only root filesystem, all Linux capabilities dropped, no service-account token) on Kubernetes.
  • Exposed outbound-only via a Cloudflare Tunnel — no open inbound ports, a single public hostname, no catch-all.

Headers

Split by where they belong:

Origin (nginx, ships in the image — nginx/security-headers.conf)

Header Value
Content-Security-Policy default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; worker-src 'self'; manifest-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests
X-Content-Type-Options nosniff
X-Frame-Options DENY
Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy camera/mic/geo/payment/usb… all denied
Cross-Origin-Opener-Policy same-origin
Cross-Origin-Resource-Policy same-origin

Edge (Cloudflare dashboard) — HSTS, HTTP→HTTPS redirect, SSL Full, Bot Fight, rate-limiting. HSTS ships without includeSubDomains/preload initially because *.bztmon.com resolves to the WAN and the subdomain form would brick non-public hosts.

CSP notes

  • script-src 'self' with zero inline scripts. All JS (pre-paint theme, toggle, scroll reveal) lives in one external /site.js. No unsafe-inline, no unsafe-eval, no hashes to maintain.
  • style-src allows 'unsafe-inline' — the one conscious exception. Shiki's dual-theme syntax highlighting emits per-token CSS custom-properties as inline style attributes; hashing them is impractical (they vary per page). The security-critical directive (script-src) stays strict. Everything else is self-hosted: fonts are system stacks (zero font requests), no third-party scripts, so SRI is moot.
  • CSP is emitted as a real HTTP header (not <meta>) so frame-ancestors is honoured and header scanners can see it.

Build-time gate

npm run scan (scripts/check-build.sh) fails the build on:

  • secret-like strings in dist/
  • any inline <script> (would break the strict CSP)
  • third-party <script>/<link> origins

Runs in CI before the image is built.

Targets (verified post-deploy)

  • securityheaders.com → A+
  • Mozilla Observatory → A/A+ (small deduction expected for style-src 'unsafe-inline')
  • Lighthouse ≥ 95 across Performance / Accessibility / Best Practices / SEO
  • CSP: zero console violations in a real browser (incl. code blocks + diagrams)

Reporting

Found something? Email the address on the site.

Reference in New Issue View Git Blame Copy Permalink