# Security Implementation

This document outlines the security measures implemented on nzambello.dev.

## Security Headers

The following security headers are implemented both at the Astro application level and at the nginx server level:

### 1. Content Security Policy (CSP)

- **Purpose**: Prevents XSS attacks by controlling which resources can be loaded
- **Configuration**:
  - `default-src 'self'` - Only allow resources from the same origin
  - `script-src 'self' 'sha256-U0WpsmVuEv6JLpvNc218U7NDQFOhmT0SoynEzwNuH2k=' 'sha256-wKQx33OMOj4svpJjCKMJBzqx4TLqRnSERHrGGRq1r0g=' 'sha256-H8banCcLFAzpThob4LupxIv2ab+Nqep1HLg5Gmq6ug8=' https://umami.nzambello.dev` - Allow specific inline scripts via SHA256 hashes, plus the Umami analytics script
  - `style-src 'self' 'unsafe-inline' https://unpkg.com` - Allow inline styles and PicoCSS from unpkg
  - `img-src 'self' https:` - Allow images from the same origin and HTTPS sources (no `data:` URIs)
  - `font-src 'self' https://unpkg.com` - Allow fonts from the same origin and unpkg
  - `connect-src 'self' https://umami.nzambello.dev` - Allow connections to the same origin and Umami
  - `object-src 'none'` - Block all plugins
  - `base-uri 'none'` - Block base URI manipulation
  - `form-action 'self'` - Allow form submissions to the same origin only
  - `frame-ancestors 'none'` - Prevent the site from being embedded in iframes

### 2. HTTP Strict Transport Security (HSTS)

- **Purpose**: Forces browsers to use HTTPS only
- **Configuration**: `max-age=31536000; includeSubDomains; preload`
- **Duration**: 1 year, with subdomain coverage and preload list inclusion

### 3. X-Content-Type-Options

- **Purpose**: Prevents MIME type sniffing attacks
- **Configuration**: `nosniff`

### 4. X-Frame-Options

- **Purpose**: Prevents clickjacking attacks
- **Configuration**: `DENY` (prevents any embedding)

### 5. Referrer Policy

- **Purpose**: Controls the referrer information sent to other sites
- **Configuration**: `strict-origin-when-cross-origin`
- **Behavior**: Sends the full referrer to the same origin, only the origin to cross-origin requests, and nothing on an HTTPS-to-HTTP downgrade

### 6. X-XSS-Protection

- **Purpose**: Additional XSS protection for older browsers
- **Configuration**: `1; mode=block`

### 7. Permissions Policy

- **Purpose**: Controls browser features and APIs
- **Configuration**: `camera=(), microphone=(), geolocation=(), payment=()`
- **Effect**: Blocks access to the camera, microphone, geolocation, and payment APIs

## Subresource Integrity (SRI)

### External Resources with SRI

- **Umami Analytics Script**:
  - URL: `https://umami.nzambello.dev/script.js`
  - Integrity: `sha384-gW+82edTiLqRoEvPbT3xKDCYZ5M02YXbW4tA3gbojZWiiMYNJZb4YneJrS4ri3Rn`
  - Purpose: Ensures the analytics script hasn't been tampered with

## Server Information Hiding

- **Server Tokens**: Disabled in the nginx configuration
- **X-Powered-By**: Removed from response headers
- **Server**: Removed from response headers

## Testing Security Headers

To test the security headers:

```bash
# Run the security test script
npm run test:security

# Or manually check headers
curl -I https://nzambello.dev
```

## Security Best Practices

1. **HTTPS Only**: All traffic is served over HTTPS
2. **No External Dependencies**: Minimal external dependencies, all with SRI where applicable
3. **Inline Scripts**: All inline scripts are necessary for functionality and are allowed via SHA256 hashes in the CSP
4. **Regular Updates**: Dependencies are regularly updated to patch security vulnerabilities
5. **Content Security**: All content is served from trusted sources only
6. **CSP Compliance**: No `unsafe-inline` or `unsafe-eval` directives; hash-based validation is used instead

## Monitoring

- Security headers are monitored through the Umami analytics integration
- Regular security audits are performed using automated tools
- CSP violations are logged and monitored

## Compliance

These security measures help ensure compliance with:

- OWASP Top 10
- Web Security Best Practices
- Modern browser security standards
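The checks behind the Testing Security Headers section above, as an added example that is not the project's own `test:security` script: a small Python checker that parses a response header set (for instance the output of `curl -I`) and compares it with the policy documented on this page. `SAMPLE_HEADERS` is a constructed sample modelled on this document, not a live capture.

```python
import re

# Constructed sample modelled on the headers this document describes; not a live capture.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
        "'sha256-U0WpsmVuEv6JLpvNc218U7NDQFOhmT0SoynEzwNuH2k=' https://umami.nzambello.dev; "
        "style-src 'self' 'unsafe-inline' https://unpkg.com; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def parse_csp(value):
    """Split a CSP header value into {directive: [source-expression, ...]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def check_headers(headers):
    """Return a list of findings; an empty list means the headers match the documented policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    for directive in ("object-src", "base-uri", "frame-ancestors"):  # must be fully locked down
        if csp.get(directive) != ["'none'"]:
            findings.append(f"{directive} should be 'none'")
    script_src = csp.get("script-src", [])
    if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
        findings.append("script-src allows unsafe-inline/unsafe-eval")
    if not any(src.startswith("'sha256-") for src in script_src):
        findings.append("script-src has no hash sources for inline scripts")
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000:  # documented value: one year
        findings.append("HSTS max-age below one year")
    for token in ("includesubdomains", "preload"):
        if token not in hsts:
            findings.append(f"HSTS missing {token}")
    for name, expected in (("x-content-type-options", "nosniff"), ("x-frame-options", "deny"),
                           ("referrer-policy", "strict-origin-when-cross-origin")):
        if h.get(name, "").lower() != expected:
            findings.append(f"{name} should be {expected}")
    for name in ("server", "x-powered-by"):  # server information hiding
        if name in h:
            findings.append(f"{name} header should be removed")
    return findings
```

Feed it a dict built from the header lines `curl -I` prints; any non-empty result is a deviation from the policy above.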