Nicola Zambello 6dc56412a3
fix: csp headers
2025-08-12 15:45:07 +03:00


# Security Implementation
This document outlines the security measures implemented on nzambello.dev.
## Security Headers
The following security headers are set at both the Astro application level and the nginx server level:
### 1. Content Security Policy (CSP)
- **Purpose**: Mitigates XSS by restricting which origins and inline resources the browser may load or execute
- **Configuration**:
  - `default-src 'self'` - Only allow resources from the same origin
  - `script-src 'self' 'sha256-U0WpsmVuEv6JLpvNc218U7NDQFOhmT0SoynEzwNuH2k=' 'sha256-wKQx33OMOj4svpJjCKMJBzqx4TLqRnSERHrGGRq1r0g=' 'sha256-H8banCcLFAzpThob4LupxIv2ab+Nqep1HLg5Gmq6ug8=' https://umami.nzambello.dev` - Allow specific inline scripts via SHA-256 hashes, plus the Umami analytics script
  - `style-src 'self' 'unsafe-inline' https://unpkg.com` - Allow inline styles and PicoCSS from unpkg
  - `img-src 'self' https:` - Allow images from the same origin and any HTTPS source (no `data:` URIs)
  - `font-src 'self' https://unpkg.com` - Allow fonts from the same origin and unpkg
  - `connect-src 'self' https://umami.nzambello.dev` - Allow fetch/XHR connections to the same origin and Umami
  - `object-src 'none'` - Block all plugins (`<object>`, `<embed>`)
  - `base-uri 'none'` - Block injection of a `<base>` element that would rewrite relative URLs
  - `form-action 'self'` - Only allow form submissions to the same origin
  - `frame-ancestors 'none'` - Prevent the site from being embedded in frames on any origin
### 2. HTTP Strict Transport Security (HSTS)
- **Purpose**: Forces browsers to use HTTPS only for this host once they have seen the header
- **Configuration**: `max-age=31536000; includeSubDomains; preload`
- **Duration**: 1 year, covering all subdomains; the `preload` flag marks the domain as eligible for the browser preload list (inclusion still requires submitting the domain to the list)
### 3. X-Content-Type-Options
- **Purpose**: Prevents MIME type sniffing attacks
- **Configuration**: `nosniff`
### 4. X-Frame-Options
- **Purpose**: Prevents clickjacking attacks
- **Configuration**: `DENY` (prevents any embedding; in browsers that support CSP, `frame-ancestors 'none'` takes precedence over this header)
### 5. Referrer Policy
- **Purpose**: Controls referrer information sent to other sites
- **Configuration**: `strict-origin-when-cross-origin`
- **Behavior**: Sends full referrer to same origin, only origin to cross-origin, nothing on downgrade
### 6. X-XSS-Protection
- **Purpose**: Legacy XSS filter switch for older browsers; current browsers ignore this header, so the CSP above is the effective control
- **Configuration**: `1; mode=block`
### 7. Permissions Policy
- **Purpose**: Controls browser features and APIs
- **Configuration**: `camera=(), microphone=(), geolocation=(), payment=()`
- **Effect**: Blocks access to camera, microphone, geolocation, and payment APIs
## Subresource Integrity (SRI)
### External Resources with SRI
- **Umami Analytics Script**:
  - URL: `https://umami.nzambello.dev/script.js`
  - Integrity: `sha384-gW+82edTiLqRoEvPbT3xKDCYZ5M02YXbW4tA3gbojZWiiMYNJZb4YneJrS4ri3Rn`
  - Purpose: Ensures the analytics script has not been tampered with
## Server Information Hiding
- **Server Tokens**: Disabled in nginx configuration
- **X-Powered-By**: Removed from response headers
- **Server**: Removed from response headers
## Testing Security Headers
To test the security headers:
```bash
# Run the security test script
npm run test:security
# Or manually check headers
curl -I https://nzambello.dev
```
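What `curl -I` returns can be checked mechanically against the values this document specifies. The following added example (not the repository's `test:security` script; `parseHeadResponse`, `auditHeaders` and the sample response are constructed) parses a raw HEAD response and reports any header that is missing, weaker than documented, or discloses server software.

```javascript
// Added example, not part of the nzambello.dev repository.

// Parse raw `curl -I` output into a status line and a case-insensitive header map.
function parseHeadResponse(raw) {
  const lines = raw.split(/\r?\n/);
  const headers = new Map(); // lowercase name -> value (first occurrence wins)
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, line.slice(idx + 1).trim());
  }
  return { statusLine: lines[0] ?? "", headers };
}

// Compare the response against the values documented in this file.
function auditHeaders(raw) {
  const { headers } = parseHeadResponse(raw);
  const findings = [];
  const h = (name) => headers.get(name);

  const hsts = h("strict-transport-security");
  const maxAge = hsts ? /max-age=(\d+)/i.exec(hsts) : null;
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push("HSTS max-age below one year");
  else if (!/includesubdomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");

  if ((h("x-content-type-options") ?? "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  if ((h("x-frame-options") ?? "").toUpperCase() !== "DENY") findings.push("X-Frame-Options is not DENY");
  if (h("referrer-policy") !== "strict-origin-when-cross-origin") {
    findings.push("Referrer-Policy differs from documented value");
  }
  if (!h("permissions-policy")) findings.push("missing Permissions-Policy");
  if (!h("content-security-policy")) findings.push("missing Content-Security-Policy");
  // Server information hiding: neither header should be present at all.
  for (const leak of ["server", "x-powered-by"]) {
    if (h(leak) !== undefined) findings.push(`${leak} header discloses software: ${h(leak)}`);
  }
  return findings;
}

// Constructed sample response (not captured from the live site).
const sampleResponse = [
  "HTTP/2 200",
  "content-type: text/html; charset=utf-8",
  "strict-transport-security: max-age=31536000; includeSubDomains; preload",
  "x-content-type-options: nosniff",
  "x-frame-options: DENY",
  "referrer-policy: strict-origin-when-cross-origin",
  "permissions-policy: camera=(), microphone=(), geolocation=(), payment=()",
  "content-security-policy: default-src 'self'; object-src 'none'",
  "",
].join("\r\n");

console.log(auditHeaders(sampleResponse)); // [] when everything checks out
```

To run it against the live site, pipe the output of `curl -sI https://nzambello.dev` into `auditHeaders`; a non-empty result is the list of regressions to fix.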
## Security Best Practices
1. **HTTPS Only**: All traffic is served over HTTPS
2. **Minimal External Dependencies**: Few external dependencies, all loaded with SRI where applicable
3. **Inline Scripts**: All inline scripts are necessary for functionality and are allowed via SHA256 hashes in CSP
4. **Regular Updates**: Dependencies are regularly updated to patch security vulnerabilities
5. **Content Security**: All content is served from trusted sources only
6. **CSP Compliance**: No `unsafe-inline` or `unsafe-eval` in `script-src`; inline scripts are allowed through hash-based validation instead (`style-src` still relies on `'unsafe-inline'`, as listed in the CSP configuration above)
## Monitoring
- Security headers are monitored through the Umami analytics integration
- Regular security audits are performed using automated tools
- CSP violations are logged and monitored
## Compliance
These security measures help ensure compliance with:
- OWASP Top 10
- Web Security Best Practices
- Modern browser security standards