🔒 SECURITY: Added XSS protection, security headers, and audit documentation

2026-06-06 14:44:01 +02:00 · 2025-08-21 20:44:08 -07:00
parent 73d8e888dc
commit dcfb1b33dd
6 changed files with 354 additions and 1 deletions
@@ -0,0 +1,71 @@
+// Security Headers Configuration for LeakHub
+// Add these headers to your web server or CDN configuration
+
+const securityHeaders = {
+    // Prevent XSS attacks
+    'X-XSS-Protection': '1; mode=block',
+    
+    // Prevent MIME type sniffing
+    'X-Content-Type-Options': 'nosniff',
+    
+    // Prevent clickjacking
+    'X-Frame-Options': 'DENY',
+    
+    // Strict transport security (HTTPS only)
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
+    
+    // Content Security Policy
+    'Content-Security-Policy': [
+        "default-src 'self'",
+        "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com",
+        "style-src 'self' 'unsafe-inline'",
+        "img-src 'self' data: https:",
+        "font-src 'self'",
+        "connect-src 'self'",
+        "frame-ancestors 'none'",
+        "base-uri 'self'",
+        "form-action 'self'"
+    ].join('; '),
+    
+    // Referrer Policy
+    'Referrer-Policy': 'strict-origin-when-cross-origin',
+    
+    // Permissions Policy
+    'Permissions-Policy': 'geolocation=(), microphone=(), camera=()',
+    
+    // Cache Control for sensitive pages
+    'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
+    'Pragma': 'no-cache',
+    'Expires': '0'
+};
+
+// For different deployment platforms:
+
+// Vercel (vercel.json)
+const vercelConfig = {
+    headers: Object.entries(securityHeaders).map(([key, value]) => ({
+        source: '/(.*)',
+        headers: [{ key, value }]
+    }))
+};
+
+// Netlify (netlify.toml)
+const netlifyHeaders = Object.entries(securityHeaders).map(([key, value]) => ({
+    for: '/*',
+    [key.toLowerCase()]: value
+}));
+
+// Express.js middleware
+function securityMiddleware(req, res, next) {
+    Object.entries(securityHeaders).forEach(([key, value]) => {
+        res.setHeader(key, value);
+    });
+    next();
+}
+
+module.exports = {
+    securityHeaders,
+    vercelConfig,
+    netlifyHeaders,
+    securityMiddleware
+};