mirror of
https://github.com/kjanat/livedash-node.git
synced 2026-01-16 15:12:09 +01:00
style: formatted the docs with prettier
This commit is contained in:
@ -12,33 +12,33 @@ The application implements multiple layers of HTTP security headers to provide d
|
||||
|
||||
#### X-Content-Type-Options: nosniff
|
||||
|
||||
- **Purpose**: Prevents MIME type sniffing attacks
|
||||
- **Protection**: Stops browsers from interpreting files as different MIME types than declared
|
||||
- **Value**: `nosniff`
|
||||
- **Purpose**: Prevents MIME type sniffing attacks
|
||||
- **Protection**: Stops browsers from interpreting files as different MIME types than declared
|
||||
- **Value**: `nosniff`
|
||||
|
||||
#### X-Frame-Options: DENY
|
||||
|
||||
- **Purpose**: Prevents clickjacking attacks
|
||||
- **Protection**: Blocks embedding the site in frames/iframes
|
||||
- **Value**: `DENY`
|
||||
- **Purpose**: Prevents clickjacking attacks
|
||||
- **Protection**: Blocks embedding the site in frames/iframes
|
||||
- **Value**: `DENY`
|
||||
|
||||
#### X-XSS-Protection: 1; mode=block
|
||||
|
||||
- **Purpose**: Enables XSS protection in legacy browsers
|
||||
- **Protection**: Activates built-in XSS filtering (primarily for older browsers)
|
||||
- **Value**: `1; mode=block`
|
||||
- **Purpose**: Enables XSS protection in legacy browsers
|
||||
- **Protection**: Activates built-in XSS filtering (primarily for older browsers)
|
||||
- **Value**: `1; mode=block`
|
||||
|
||||
#### Referrer-Policy: strict-origin-when-cross-origin
|
||||
|
||||
- **Purpose**: Controls referrer information leakage
|
||||
- **Protection**: Limits referrer data sent to external sites
|
||||
- **Value**: `strict-origin-when-cross-origin`
|
||||
- **Purpose**: Controls referrer information leakage
|
||||
- **Protection**: Limits referrer data sent to external sites
|
||||
- **Value**: `strict-origin-when-cross-origin`
|
||||
|
||||
#### X-DNS-Prefetch-Control: off
|
||||
|
||||
- **Purpose**: Prevents DNS rebinding attacks
|
||||
- **Protection**: Disables DNS prefetching to reduce attack surface
|
||||
- **Value**: `off`
|
||||
- **Purpose**: Prevents DNS rebinding attacks
|
||||
- **Protection**: Disables DNS prefetching to reduce attack surface
|
||||
- **Value**: `off`
|
||||
|
||||
### Content Security Policy (CSP)
|
||||
|
||||
@ -50,13 +50,13 @@ Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'un
|
||||
|
||||
#### Key CSP Directives
|
||||
|
||||
- **default-src 'self'**: Restrictive default for all resource types
|
||||
- **script-src 'self' 'unsafe-eval' 'unsafe-inline'**: Allows Next.js dev tools and React functionality
|
||||
- **style-src 'self' 'unsafe-inline'**: Enables TailwindCSS and component styles
|
||||
- **img-src 'self' data: https:**: Allows secure image sources
|
||||
- **frame-ancestors 'none'**: Prevents embedding (reinforces X-Frame-Options)
|
||||
- **object-src 'none'**: Blocks dangerous plugins and embeds
|
||||
- **upgrade-insecure-requests**: Automatically upgrades HTTP to HTTPS
|
||||
- **default-src 'self'**: Restrictive default for all resource types
|
||||
- **script-src 'self' 'unsafe-eval' 'unsafe-inline'**: Allows Next.js dev tools and React functionality
|
||||
- **style-src 'self' 'unsafe-inline'**: Enables TailwindCSS and component styles
|
||||
- **img-src 'self' data: https:**: Allows secure image sources
|
||||
- **frame-ancestors 'none'**: Prevents embedding (reinforces X-Frame-Options)
|
||||
- **object-src 'none'**: Blocks dangerous plugins and embeds
|
||||
- **upgrade-insecure-requests**: Automatically upgrades HTTP to HTTPS
|
||||
|
||||
### Permissions Policy
|
||||
|
||||
@ -66,19 +66,19 @@ Controls browser feature access:
|
||||
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()
|
||||
```
|
||||
|
||||
- **camera=()**: Disables camera access
|
||||
- **microphone=()**: Disables microphone access
|
||||
- **geolocation=()**: Disables location tracking
|
||||
- **interest-cohort=()**: Blocks FLoC (privacy protection)
|
||||
- **browsing-topics=()**: Blocks Topics API (privacy protection)
|
||||
- **camera=()**: Disables camera access
|
||||
- **microphone=()**: Disables microphone access
|
||||
- **geolocation=()**: Disables location tracking
|
||||
- **interest-cohort=()**: Blocks FLoC (privacy protection)
|
||||
- **browsing-topics=()**: Blocks Topics API (privacy protection)
|
||||
|
||||
### Strict Transport Security (HSTS)
|
||||
|
||||
**Production Only**: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
|
||||
|
||||
- **max-age=31536000**: 1 year HSTS policy
|
||||
- **includeSubDomains**: Applies to all subdomains
|
||||
- **preload**: Ready for HSTS preload list inclusion
|
||||
- **max-age=31536000**: 1 year HSTS policy
|
||||
- **includeSubDomains**: Applies to all subdomains
|
||||
- **preload**: Ready for HSTS preload list inclusion
|
||||
|
||||
## Configuration
|
||||
|
||||
@ -110,8 +110,8 @@ headers: async () => {
|
||||
|
||||
### Environment-Specific Behavior
|
||||
|
||||
- **Development**: All headers except HSTS
|
||||
- **Production**: All headers including HSTS
|
||||
- **Development**: All headers except HSTS
|
||||
- **Production**: All headers including HSTS
|
||||
|
||||
## Testing
|
||||
|
||||
@ -121,11 +121,11 @@ Location: `tests/unit/http-security-headers.test.ts`
|
||||
|
||||
Tests cover:
|
||||
|
||||
- Individual header validation
|
||||
- CSP directive verification
|
||||
- Permissions Policy validation
|
||||
- Environment-specific configuration
|
||||
- Next.js compatibility checks
|
||||
- Individual header validation
|
||||
- CSP directive verification
|
||||
- Permissions Policy validation
|
||||
- Environment-specific configuration
|
||||
- Next.js compatibility checks
|
||||
|
||||
### Integration Tests
|
||||
|
||||
@ -133,9 +133,9 @@ Location: `tests/integration/security-headers-basic.test.ts`
|
||||
|
||||
Tests cover:
|
||||
|
||||
- Next.js configuration validation
|
||||
- Header generation verification
|
||||
- Environment-based header differences
|
||||
- Next.js configuration validation
|
||||
- Header generation verification
|
||||
- Environment-based header differences
|
||||
|
||||
### Manual Testing
|
||||
|
||||
@ -160,11 +160,11 @@ pnpm test:security-headers https://your-domain.com
|
||||
|
||||
### Additional Security Benefits
|
||||
|
||||
- **Clickjacking Protection**: X-Frame-Options + CSP frame-ancestors
|
||||
- **MIME Sniffing Prevention**: X-Content-Type-Options
|
||||
- **Information Leakage Reduction**: Referrer-Policy
|
||||
- **Privacy Protection**: Permissions Policy restrictions
|
||||
- **Transport Security**: HSTS enforcement
|
||||
- **Clickjacking Protection**: X-Frame-Options + CSP frame-ancestors
|
||||
- **MIME Sniffing Prevention**: X-Content-Type-Options
|
||||
- **Information Leakage Reduction**: Referrer-Policy
|
||||
- **Privacy Protection**: Permissions Policy restrictions
|
||||
- **Transport Security**: HSTS enforcement
|
||||
|
||||
## Maintenance
|
||||
|
||||
@ -176,9 +176,9 @@ pnpm test:security-headers https://your-domain.com
|
||||
|
||||
### Monitoring
|
||||
|
||||
- Monitor CSP violation reports (when implemented)
|
||||
- Use online tools like securityheaders.com for validation
|
||||
- Include security header tests in CI/CD pipeline
|
||||
- Monitor CSP violation reports (when implemented)
|
||||
- Use online tools like securityheaders.com for validation
|
||||
- Include security header tests in CI/CD pipeline
|
||||
|
||||
### Future Enhancements
|
||||
|
||||
@ -195,18 +195,18 @@ Planned improvements:
|
||||
|
||||
Headers are configured to be compatible with:
|
||||
|
||||
- Next.js 15+ App Router
|
||||
- React 19 development tools
|
||||
- TailwindCSS 4 styling system
|
||||
- Development hot reload functionality
|
||||
- Next.js 15+ App Router
|
||||
- React 19 development tools
|
||||
- TailwindCSS 4 styling system
|
||||
- Development hot reload functionality
|
||||
|
||||
### Browser Support
|
||||
|
||||
Security headers are supported by:
|
||||
|
||||
- All modern browsers (Chrome 60+, Firefox 60+, Safari 12+)
|
||||
- Graceful degradation for older browsers
|
||||
- Progressive enhancement approach
|
||||
- All modern browsers (Chrome 60+, Firefox 60+, Safari 12+)
|
||||
- Graceful degradation for older browsers
|
||||
- Progressive enhancement approach
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
@ -219,13 +219,13 @@ Security headers are supported by:
|
||||
|
||||
### Debug Tools
|
||||
|
||||
- Browser DevTools Security tab
|
||||
- CSP Evaluator: <https://csp-evaluator.withgoogle.com/>
|
||||
- Security Headers Scanner: <https://securityheaders.com/>
|
||||
- Browser DevTools Security tab
|
||||
- CSP Evaluator: <https://csp-evaluator.withgoogle.com/>
|
||||
- Security Headers Scanner: <https://securityheaders.com/>
|
||||
|
||||
## References
|
||||
|
||||
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
|
||||
- [MDN Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)
|
||||
- [Next.js Security Headers](https://nextjs.org/docs/app/api-reference/config/headers)
|
||||
- [Content Security Policy Reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
|
||||
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
|
||||
- [MDN Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)
|
||||
- [Next.js Security Headers](https://nextjs.org/docs/app/api-reference/config/headers)
|
||||
- [Content Security Policy Reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
|
||||
|
||||
Reference in New Issue
Block a user