Security: juanmirocks/website

SECURITY.md

Security Implementation Notes

This document outlines the security measures implemented in this website and additional deployment considerations.

Implemented Security Measures

Content Security Policy (CSP)

  • default-src: Restricted to 'self'
  • script-src: Allows 'self' and inline scripts ('unsafe-inline', which the current React build requires)
  • style-src: Allows 'self', inline styles, and Google Fonts (fonts.googleapis.com)
  • font-src: Allows 'self' and the Google Fonts CDN (fonts.gstatic.com)
  • img-src: Allows 'self', data: URIs, and any HTTPS image source
  • frame-ancestors: Set to 'none' to prevent clickjacking
  • object-src: Set to 'none' to block plugins
  • upgrade-insecure-requests: Upgrades HTTP requests to HTTPS

Security Headers

  • X-Frame-Options: DENY (prevents framing/clickjacking)
  • X-Content-Type-Options: nosniff (prevents MIME sniffing)
  • Referrer-Policy: strict-origin-when-cross-origin
  • X-XSS-Protection: 1; mode=block (legacy header honoured only by older browsers)
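As an added example (not code from the juanmirocks/website project), the following script audits a set of response headers against the CSP and security-header policy listed above. The sample header map is constructed to mirror the nginx deployment example further down this document, deliberately without Strict-Transport-Security, so the audit reports the two 'unsafe-*' source expressions and the missing HSTS header; the referrer-policy allow-list and the one-year HSTS threshold are this example's own choices.

```python
"""Audit HTTP security response headers against the policy this document
describes. Added example, not code from the juanmirocks/website project.
The sample headers are constructed to mirror the nginx deployment example."""
from __future__ import annotations

# Constructed sample input: what the nginx example in this document would send.
SAMPLE_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; "
        "connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; "
        "object-src 'none'; upgrade-insecure-requests;"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Referrer-Policy values that never send the full URL to a cross-origin site
# (this example's allow-list).
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin",
}
ONE_YEAR = 31536000  # seconds; threshold this example uses for HSTS max-age


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP string into {directive: [source expressions]}.
    Directives are ';'-separated and the first token names the directive;
    a repeated directive is ignored after its first occurrence, as browsers do."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy: str) -> list[str]:
    """Return findings for missing or weakening CSP directives."""
    csp = parse_csp(policy)
    findings = []
    for directive in ("default-src", "frame-ancestors", "object-src", "base-uri"):
        if directive not in csp:
            findings.append(f"CSP: missing {directive}")
    # script-src falls back to default-src when absent.
    script = csp.get("script-src", csp.get("default-src", []))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    )
    # Browsers that understand nonces/hashes ignore 'unsafe-inline', so it only
    # weakens the policy when no nonce or hash is present.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("CSP: script-src allows 'unsafe-inline' (no nonce/hash present)")
    if "'unsafe-eval'" in script:
        findings.append("CSP: script-src allows 'unsafe-eval'")
    if any(s in ("*", "https:", "http:") for s in script):
        findings.append("CSP: script-src allows scripts from any origin")
    return findings


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return 0
    return 0


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Audit a response header map (header names compared case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" in h:
        findings.extend(audit_csp(h["content-security-policy"]))
    else:
        findings.append("missing Content-Security-Policy")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or may leak full URLs cross-origin")
    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Feed it the header map captured from a deployed response (for instance from a curl -I run) to confirm the server, not only the HTML meta tags, is sending the policy; a clean run returns an empty list.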

Permissions Policy

Disabled unnecessary browser features:

  • Geolocation, microphone, camera
  • Payment APIs, USB access
  • Motion sensors (magnetometer, gyroscope, accelerometer)
  • Ambient light sensor, autoplay, encrypted media
  • Picture-in-picture (fullscreen remains allowed for 'self' only)

External Link Security

  • All external links use rel="noopener noreferrer"
  • Google Fonts loaded with crossorigin="anonymous"
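A build-time check for the two rules above, added here as an example rather than the project's own tooling: it parses rendered HTML with the standard library and reports external anchors missing rel="noopener noreferrer" and Google Fonts link tags missing a crossorigin attribute. The sample HTML, the site hostname and the example.* link targets are constructed; the font hostnames come from the nginx example in this document.

```python
"""Scan built HTML for external links that lack rel="noopener noreferrer" and
for Google Fonts <link> tags that lack a crossorigin attribute. Added example,
not the project's own tooling; the HTML below is constructed for the demo."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts taken from the Google Fonts entries in this document's nginx example.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Constructed sample page: three compliant tags, three that should be flagged.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter" crossorigin="anonymous">
<link rel="preconnect" href="https://fonts.gstatic.com">
</head><body>
<a href="/about">About</a>
<a href="https://example.net/" target="_blank" rel="noopener noreferrer">OK</a>
<a href="https://example.com/" target="_blank">Missing rel</a>
<a href="https://example.org/" rel="noopener">Half rel</a>
</body></html>
"""


class LinkAuditor(HTMLParser):
    """Collects findings for cross-origin <a> and <link> tags while parsing."""

    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # Attributes without a value (e.g. bare "crossorigin") arrive as None.
        a = {k.lower(): (v or "") for k, v in attrs}
        href = a.get("href", "")
        host = urlparse(href).netloc.lower()
        if not host or host == self.site_host:
            return  # relative, same-site, or non-URL (mailto:) reference
        if tag == "a":
            rel = set(a.get("rel", "").lower().split())
            missing = {"noopener", "noreferrer"} - rel
            if missing:
                self.findings.append(f"{href}: missing rel {' '.join(sorted(missing))}")
        elif tag == "link" and host in FONT_HOSTS and "crossorigin" not in a:
            self.findings.append(f"{href}: missing crossorigin attribute")


def audit_html(html: str, site_host: str) -> list[str]:
    """Return findings for one HTML document, in document order."""
    auditor = LinkAuditor(site_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML, "www.example.com") or ["no findings"]:
        print(finding)
```

Running it over every file in the build output directory (and failing the build on a non-empty result) keeps the rule enforced as components change, which is harder to guarantee by review alone.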

Production Deployment Recommendations

1. Server-Level Security Headers

Move security headers from meta tags to HTTP headers:

# Nginx example
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'; upgrade-insecure-requests;" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

2. HTTPS Configuration

  • Use TLS 1.2+ only
  • Implement HSTS (HTTP Strict Transport Security)
  • Use strong cipher suites
  • Consider Certificate Transparency monitoring

3. Additional Hardening

  • Implement rate limiting
  • Use a WAF (Web Application Firewall)
  • Run security scans regularly
  • Keep dependencies updated
  • Monitor for security vulnerabilities

4. CDN/Proxy Security

If using Cloudflare or similar:

  • Enable security features (bot protection, DDoS protection)
  • Configure appropriate security rules
  • Use edge security policies

Security Considerations

Current Limitations

  • CSP includes 'unsafe-inline' and 'unsafe-eval' due to React requirements
  • Meta tags provide limited protection compared to HTTP headers (for example, frame-ancestors is ignored in a <meta> CSP, and X-Frame-Options cannot be set via <meta> at all)

Future Improvements

  • Implement nonce-based CSP for scripts
  • Add Subresource Integrity (SRI) for external resources
  • Consider implementing Content Security Policy reporting
  • Add security monitoring and alerting
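The first three items above fit together in one request pipeline: a fresh nonce per response replaces 'unsafe-inline' for scripts, each script tag carries an SRI hash of the exact bytes being served, and a report-uri directive routes violations to a collection endpoint. The following is an added example in Python (not the project's code; a real deployment would emit the same header from whichever server or edge layer serves the site). The script body, the /static/app.js path and the /csp-report endpoint are constructed placeholders.

```python
"""Per-response CSP nonces and Subresource Integrity hashes, as described under
Future Improvements. Added example, not code from the project; the script body
and the /csp-report endpoint path are constructed for the demo."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only ones SRI accepts


def make_nonce() -> str:
    """Fresh 128-bit random nonce, base64-encoded, generated once per response.
    Reusing a nonce across responses defeats the purpose of the scheme."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_with_nonce(nonce: str, report_endpoint: str | None = None) -> str:
    """Build a CSP whose script-src uses a nonce instead of 'unsafe-inline'.
    Browsers that support nonces ignore 'unsafe-inline' when one is present,
    so the nonce is what actually gates inline scripts."""
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "font-src 'self' https://fonts.gstatic.com; "
        "img-src 'self' data: https:; connect-src 'self'; "
        "frame-ancestors 'none'; base-uri 'self'; object-src 'none'; "
        "upgrade-insecure-requests"
    )
    if report_endpoint:
        # report-uri is deprecated in favour of report-to but still widely honoured.
        policy += f"; report-uri {report_endpoint}"
    return policy


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Integrity metadata for a resource body: '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """The check a browser performs: does the fetched body match the hash?"""
    try:
        algorithm, expected_b64 = integrity.split("-", 1)
        expected = base64.b64decode(expected_b64)
    except ValueError:  # malformed metadata or bad base64 (binascii.Error)
        return False
    if algorithm not in SRI_ALGORITHMS:
        return False
    actual = hashlib.new(algorithm, content).digest()
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, content: bytes, nonce: str) -> str:
    """<script> tag carrying both the SRI hash and the per-response nonce.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous" nonce="{nonce}"></script>')


if __name__ == "__main__":
    body = b"console.log('hello');"  # constructed script body
    nonce = make_nonce()
    print("Content-Security-Policy:", csp_with_nonce(nonce, "/csp-report"))
    print(script_tag("/static/app.js", body, nonce))
```

The SRI hash must be recomputed whenever the bundle changes, so it belongs in the build step, whereas the nonce is generated per response and must never be cached along with the page.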

Contact Security

For security-related issues or questions, contact: [Your security contact email]