d48cda4081
CI / Test (ubuntu-latest, Node 18.x, bun) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, npm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, pnpm) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 18.x, yarn) (push) Failing after 15m1s
CI / Test (ubuntu-latest, Node 20.x, bun) (push) Failing after 17m13s
CI / Test (ubuntu-latest, Node 20.x, npm) (push) Failing after 18m42s
CI / Test (ubuntu-latest, Node 20.x, pnpm) (push) Failing after 15m0s
CI / Test (ubuntu-latest, Node 20.x, yarn) (push) Failing after 49m44s
CI / Test (ubuntu-latest, Node 22.x, bun) (push) Failing after 51m55s
CI / Test (ubuntu-latest, Node 22.x, pnpm) (push) Failing after 21m57s
CI / Test (ubuntu-latest, Node 22.x, npm) (push) Failing after 37m39s
CI / Test (ubuntu-latest, Node 22.x, yarn) (push) Failing after 34m7s
CI / Validate Components (push) Failing after 37m15s
CI / Python Tests (push) Failing after 10m1s
CI / Security Scan (push) Failing after 10m1s
CI / Lint (push) Failing after 17m12s
CI / Coverage (push) Failing after 20m19s
CI / Test (macos-latest, Node 18.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 18.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 20.x, yarn) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, bun) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (macos-latest, Node 22.x, yarn) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, npm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, pnpm) (push) Has been cancelled
CI / Test (windows-latest, Node 22.x, yarn) (push) Has been cancelled
70 lines
1.7 KiB
Markdown
70 lines
1.7 KiB
Markdown
---
|
|
paths:
|
|
- "**/*.css"
|
|
- "**/*.scss"
|
|
- "**/*.sass"
|
|
- "**/*.less"
|
|
- "**/*.html"
|
|
- "**/*.tsx"
|
|
- "**/*.jsx"
|
|
- "**/*.vue"
|
|
- "**/*.svelte"
|
|
---
|
|
> This file extends [common/security.md](../common/security.md) with web-specific security content.
|
|
|
|
# Web Security Rules
|
|
|
|
## Content Security Policy
|
|
|
|
Always configure a production CSP.
|
|
|
|
### Nonce-Based CSP
|
|
|
|
Use a per-request nonce for scripts instead of `'unsafe-inline'`.
|
|
|
|
```text
|
|
Content-Security-Policy:
|
|
default-src 'self';
|
|
script-src 'self' 'nonce-{RANDOM}' https://cdn.jsdelivr.net;
|
|
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
|
|
img-src 'self' data: https:;
|
|
font-src 'self' https://fonts.gstatic.com;
|
|
connect-src 'self' https://*.example.com;
|
|
frame-src 'none';
|
|
object-src 'none';
|
|
base-uri 'self';
|
|
```
|
|
|
|
Adjust origins to the project. Do not cargo-cult this block unchanged.
|
|
|
|
## XSS Prevention
|
|
|
|
- Never inject unsanitized HTML
|
|
- Avoid `innerHTML` / `dangerouslySetInnerHTML` unless sanitized first
|
|
- Escape dynamic template values
|
|
- Sanitize user HTML with a vetted local sanitizer when absolutely necessary
|
|
|
|
## Third-Party Scripts
|
|
|
|
- Load asynchronously
|
|
- Use SRI when serving from a CDN
|
|
- Audit quarterly
|
|
- Prefer self-hosting for critical dependencies when practical
|
|
|
|
## HTTPS and Headers
|
|
|
|
```text
|
|
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
|
|
X-Content-Type-Options: nosniff
|
|
X-Frame-Options: DENY
|
|
Referrer-Policy: strict-origin-when-cross-origin
|
|
Permissions-Policy: camera=(), microphone=(), geolocation=()
|
|
```
|
|
|
|
## Forms
|
|
|
|
- CSRF protection on state-changing forms
|
|
- Rate limiting on submission endpoints
|
|
- Validate client and server side
|
|
- Prefer honeypots or light anti-abuse controls over heavy-handed CAPTCHA defaults
|