kjanat/livedash-node
1
0
Fork 0
mirror of https://github.com/kjanat/livedash-node.git synced 2026-01-16 14:12:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: complete development environment setup and code quality improvements

Browse Source 
- Set up pre-commit hooks with husky and lint-staged for automated code quality
- Improved TypeScript type safety by replacing 'any' types with proper generics
- Fixed markdown linting violations (MD030 spacing) across all documentation
- Fixed compound adjective hyphenation in technical documentation
- Fixed invalid JSON union syntax in API documentation examples
- Automated code formatting and linting on commit
- Enhanced error handling with better type constraints
- Configured biome and markdownlint for consistent code style
- All changes verified with successful production build
This commit is contained in:
Kaj Kowalski
2025-07-13 14:44:05 +02:00
parent 1d4e695e41
commit e2301725a3
54 changed files with 2335 additions and 1863 deletions
Download Patch File Download Diff File Expand all files Collapse all files

156
docs/security-headers.md
View File

@ -12,33 +12,33 @@ The application implements multiple layers of HTTP security headers to provide d
#### X-Content-Type-Options: nosniff
- **Purpose**: Prevents MIME type sniffing attacks
- **Protection**: Stops browsers from interpreting files as different MIME types than declared
- **Value**: `nosniff`
- **Purpose**: Prevents MIME type sniffing attacks
- **Protection**: Stops browsers from interpreting files as different MIME types than declared
- **Value**: `nosniff`
#### X-Frame-Options: DENY
- **Purpose**: Prevents clickjacking attacks
- **Protection**: Blocks embedding the site in frames/iframes
- **Value**: `DENY`
- **Purpose**: Prevents clickjacking attacks
- **Protection**: Blocks embedding the site in frames/iframes
- **Value**: `DENY`
#### X-XSS-Protection: 1; mode=block
- **Purpose**: Enables XSS protection in legacy browsers
- **Protection**: Activates built-in XSS filtering (primarily for older browsers)
- **Value**: `1; mode=block`
- **Purpose**: Enables XSS protection in legacy browsers
- **Protection**: Activates built-in XSS filtering (primarily for older browsers)
- **Value**: `1; mode=block`
#### Referrer-Policy: strict-origin-when-cross-origin
- **Purpose**: Controls referrer information leakage
- **Protection**: Limits referrer data sent to external sites
- **Value**: `strict-origin-when-cross-origin`
- **Purpose**: Controls referrer information leakage
- **Protection**: Limits referrer data sent to external sites
- **Value**: `strict-origin-when-cross-origin`
#### X-DNS-Prefetch-Control: off
- **Purpose**: Prevents DNS rebinding attacks
- **Protection**: Disables DNS prefetching to reduce attack surface
- **Value**: `off`
- **Purpose**: Prevents DNS rebinding attacks
- **Protection**: Disables DNS prefetching to reduce attack surface
- **Value**: `off`
### Content Security Policy (CSP)
@ -48,15 +48,15 @@ Comprehensive CSP implementation with the following directives:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests
```
#### Key CSP Directives:
#### Key CSP Directives
- **default-src 'self'**: Restrictive default for all resource types
- **script-src 'self' 'unsafe-eval' 'unsafe-inline'**: Allows Next.js dev tools and React functionality
- **style-src 'self' 'unsafe-inline'**: Enables TailwindCSS and component styles
- **img-src 'self' data: https:**: Allows secure image sources
- **frame-ancestors 'none'**: Prevents embedding (reinforces X-Frame-Options)
- **object-src 'none'**: Blocks dangerous plugins and embeds
- **upgrade-insecure-requests**: Automatically upgrades HTTP to HTTPS
- **default-src 'self'**: Restrictive default for all resource types
- **script-src 'self' 'unsafe-eval' 'unsafe-inline'**: Allows Next.js dev tools and React functionality
- **style-src 'self' 'unsafe-inline'**: Enables TailwindCSS and component styles
- **img-src 'self' data: https:**: Allows secure image sources
- **frame-ancestors 'none'**: Prevents embedding (reinforces X-Frame-Options)
- **object-src 'none'**: Blocks dangerous plugins and embeds
- **upgrade-insecure-requests**: Automatically upgrades HTTP to HTTPS
### Permissions Policy
@ -66,19 +66,19 @@ Controls browser feature access:
Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=(), browsing-topics=()
```
- **camera=()**: Disables camera access
- **microphone=()**: Disables microphone access
- **geolocation=()**: Disables location tracking
- **interest-cohort=()**: Blocks FLoC (privacy protection)
- **browsing-topics=()**: Blocks Topics API (privacy protection)
- **camera=()**: Disables camera access
- **microphone=()**: Disables microphone access
- **geolocation=()**: Disables location tracking
- **interest-cohort=()**: Blocks FLoC (privacy protection)
- **browsing-topics=()**: Blocks Topics API (privacy protection)
### Strict Transport Security (HSTS)
**Production Only**: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
- **max-age=31536000**: 1 year HSTS policy
- **includeSubDomains**: Applies to all subdomains
- **preload**: Ready for HSTS preload list inclusion
- **max-age=31536000**: 1 year HSTS policy
- **includeSubDomains**: Applies to all subdomains
- **preload**: Ready for HSTS preload list inclusion
## Configuration
@ -110,8 +110,8 @@ headers: async () => {
### Environment-Specific Behavior
- **Development**: All headers except HSTS
- **Production**: All headers including HSTS
- **Development**: All headers except HSTS
- **Production**: All headers including HSTS
## Testing
@ -121,11 +121,11 @@ Location: `tests/unit/http-security-headers.test.ts`
Tests cover:
- Individual header validation
- CSP directive verification
- Permissions Policy validation
- Environment-specific configuration
- Next.js compatibility checks
- Individual header validation
- CSP directive verification
- Permissions Policy validation
- Environment-specific configuration
- Next.js compatibility checks
### Integration Tests
@ -133,9 +133,9 @@ Location: `tests/integration/security-headers-basic.test.ts`
Tests cover:
- Next.js configuration validation
- Header generation verification
- Environment-based header differences
- Next.js configuration validation
- Header generation verification
- Environment-based header differences
### Manual Testing
@ -153,41 +153,41 @@ pnpm test:security-headers https://your-domain.com
### Protection Against OWASP Top 10
1. **A03:2021 - Injection**: CSP prevents script injection
2. **A05:2021 - Security Misconfiguration**: Comprehensive headers reduce attack surface
3. **A06:2021 - Vulnerable Components**: CSP limits execution context
4. **A07:2021 - Identification and Authentication Failures**: HSTS prevents downgrade attacks
1. **A03:2021 - Injection**: CSP prevents script injection
2. **A05:2021 - Security Misconfiguration**: Comprehensive headers reduce attack surface
3. **A06:2021 - Vulnerable Components**: CSP limits execution context
4. **A07:2021 - Identification and Authentication Failures**: HSTS prevents downgrade attacks
### Additional Security Benefits
- **Clickjacking Protection**: X-Frame-Options + CSP frame-ancestors
- **MIME Sniffing Prevention**: X-Content-Type-Options
- **Information Leakage Reduction**: Referrer-Policy
- **Privacy Protection**: Permissions Policy restrictions
- **Transport Security**: HSTS enforcement
- **Clickjacking Protection**: X-Frame-Options + CSP frame-ancestors
- **MIME Sniffing Prevention**: X-Content-Type-Options
- **Information Leakage Reduction**: Referrer-Policy
- **Privacy Protection**: Permissions Policy restrictions
- **Transport Security**: HSTS enforcement
## Maintenance
### Regular Reviews
1. **Quarterly CSP Review**: Analyze CSP violations and tighten policies
2. **Annual Header Audit**: Review new security headers and standards
3. **Dependency Updates**: Ensure compatibility with framework updates
1. **Quarterly CSP Review**: Analyze CSP violations and tighten policies
2. **Annual Header Audit**: Review new security headers and standards
3. **Dependency Updates**: Ensure compatibility with framework updates
### Monitoring
- Monitor CSP violation reports (when implemented)
- Use online tools like securityheaders.com for validation
- Include security header tests in CI/CD pipeline
- Monitor CSP violation reports (when implemented)
- Use online tools like securityheaders.com for validation
- Include security header tests in CI/CD pipeline
### Future Enhancements
Planned improvements:
1. CSP violation reporting endpoint
2. Nonce-based CSP for inline scripts
3. Additional Permissions Policy restrictions
4. Content-Type validation middleware
1. CSP violation reporting endpoint
2. Nonce-based CSP for inline scripts
3. Additional Permissions Policy restrictions
4. Content-Type validation middleware
## Compatibility
@ -195,37 +195,37 @@ Planned improvements:
Headers are configured to be compatible with:
- Next.js 15+ App Router
- React 19 development tools
- TailwindCSS 4 styling system
- Development hot reload functionality
- Next.js 15+ App Router
- React 19 development tools
- TailwindCSS 4 styling system
- Development hot reload functionality
### Browser Support
Security headers are supported by:
- All modern browsers (Chrome 60+, Firefox 60+, Safari 12+)
- Graceful degradation for older browsers
- Progressive enhancement approach
- All modern browsers (Chrome 60+, Firefox 60+, Safari 12+)
- Graceful degradation for older browsers
- Progressive enhancement approach
## Troubleshooting
### Common Issues
1. **CSP Violations**: Check browser console for CSP errors
2. **Styling Issues**: Verify style-src allows 'unsafe-inline'
3. **Script Errors**: Ensure script-src permits necessary scripts
4. **Development Issues**: Use `pnpm dev:next-only` to isolate Next.js
1. **CSP Violations**: Check browser console for CSP errors
2. **Styling Issues**: Verify style-src allows 'unsafe-inline'
3. **Script Errors**: Ensure script-src permits necessary scripts
4. **Development Issues**: Use `pnpm dev:next-only` to isolate Next.js
### Debug Tools
- Browser DevTools Security tab
- CSP Evaluator: https://csp-evaluator.withgoogle.com/
- Security Headers Scanner: https://securityheaders.com/
- Browser DevTools Security tab
- CSP Evaluator: <https://csp-evaluator.withgoogle.com/>
- Security Headers Scanner: <https://securityheaders.com/>
## References
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
- [MDN Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)
- [Next.js Security Headers](https://nextjs.org/docs/app/api-reference/config/headers)
- [Content Security Policy Reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
- [MDN Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)
- [Next.js Security Headers](https://nextjs.org/docs/app/api-reference/config/headers)
- [Content Security Policy Reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)