everything-claude-code/rules/web/security.md
2026-04-02 17:33:17 -07:00

This file extends common/security.md with web-specific security content.

Web Security Rules

Content Security Policy

Always configure a production CSP.

Nonce-Based CSP

Use a per-request nonce for scripts instead of 'unsafe-inline'. The nonce must come from a CSPRNG and be fresh for every response; a nonce baked into cached or static HTML is one an attacker can read from the page and reuse.

Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-{RANDOM}' https://cdn.jsdelivr.net;
  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
  img-src 'self' data: https:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://*.example.com;
  frame-src 'none';
  object-src 'none';
  base-uri 'self';

Adjust origins to the project. Do not cargo-cult this block unchanged. Note that frame-src restricts what this page may embed; who may embed this page is governed by frame-ancestors (or the X-Frame-Options header below). Keep host allowlists in script-src as narrow as possible: a general-purpose CDN that serves arbitrary packages can give an attacker a script the nonce would otherwise have blocked.

XSS Prevention

  • Never inject unsanitized HTML
  • Avoid innerHTML / dangerouslySetInnerHTML unless sanitized first
  • Escape dynamic template values for the context they land in (HTML text, attribute, URL); HTML escaping alone does not neutralise a javascript: URL in an href
  • Sanitize user HTML with a vetted local sanitizer when absolutely necessary
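Context-aware escaping in a server-side template, as an added example that is not part of the original rules file (Node.js, no dependencies). It shows the raw-concatenation version next to an escaping tagged template, and a separate check for the URL context. The comment payload is a constructed sample; the function names are my own. It deliberately does not include a hand-rolled HTML sanitizer, because for user-supplied HTML the rule above is to use a vetted sanitizer, not to write one.

```javascript
// Added example (not from the rules file): escaping for HTML text, attribute and URL contexts.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes a value for insertion into HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Marks a fragment as already-safe HTML (e.g. output of a vetted sanitizer).
// Anything not wrapped this way is escaped, so the default is safe.
function trusted(fragment) {
  return { __trustedHtml: String(fragment) };
}

// Tagged template: every interpolated value is escaped unless it was wrapped
// with trusted().
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = values[i];
    const isTrusted = v !== null && typeof v === 'object' && '__trustedHtml' in v;
    out += isTrusted ? v.__trustedHtml : escapeHtml(v);
    out += strings[i + 1];
  }
  return out;
}

// URL context: escaping leaves "javascript:alert(1)" intact, so the scheme has
// to be checked explicitly. Anything that is not an absolute http(s) URL is
// replaced by a harmless '#'.
function safeHref(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return '#';
  }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:' ? parsed.href : '#';
}

// Constructed sample payload: closes the attribute and injects an event handler.
const PAYLOAD = '"><img src=x onerror=alert(1)>';

// Vulnerable: raw concatenation, the payload breaks out of data-author.
function renderCommentUnsafe(author, body) {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Fixed: the tagged template escapes both the attribute and the text context.
function renderComment(author, body) {
  return html`<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Link rendering combines both: scheme check for the href, escaping for the text.
function renderLink(url, label) {
  return html`<a href="${safeHref(url)}">${label}</a>`;
}
```

The same split applies in the browser: prefer textContent or setAttribute for untrusted values and reserve innerHTML for fragments that came out of a sanitizer.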

Third-Party Scripts

  • Load asynchronously
  • Use SRI when serving from a CDN (integrity attribute plus crossorigin="anonymous"; without crossorigin the browser cannot verify the hash)
  • Audit quarterly
  • Prefer self-hosting for critical dependencies when practical

HTTPS and Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

Forms

  • CSRF protection on state-changing forms (tokens bound to the session, SameSite cookies as a second layer)
  • Rate limiting on submission endpoints
  • Validate on both client and server; only the server-side check is a security control, client-side validation is for usability
  • Prefer honeypots or light anti-abuse controls over heavy-handed CAPTCHA defaults