mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-04-03 15:43:31 +08:00
This file extends common/security.md with web-specific security content.
# Web Security Rules

## Content Security Policy

Always configure a production CSP.
### Nonce-Based CSP

Use a per-request nonce for scripts instead of `'unsafe-inline'`.

```http
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-{RANDOM}' https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  img-src 'self' data: https:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://*.example.com;
  frame-src 'none';
  object-src 'none';
  base-uri 'self';
```
Adjust origins to the project. Do not cargo-cult this block unchanged.
## XSS Prevention

- Never inject unsanitized HTML
- Avoid `innerHTML`/`dangerouslySetInnerHTML` unless sanitized first
- Escape dynamic template values
- Sanitize user HTML with a vetted local sanitizer when absolutely necessary
## Third-Party Scripts

- Load asynchronously
- Use SRI when serving from a CDN
- Audit quarterly
- Prefer self-hosting for critical dependencies when practical
## HTTPS and Headers

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
```
## Forms

- CSRF protection on state-changing forms
- Rate limiting on submission endpoints
- Validate client and server side
- Prefer honeypots or light anti-abuse controls over heavy-handed CAPTCHA defaults