Skip to content

Security: inosaint/inosaint.github.io

Security

SECURITY.md

Security Implementation

This document describes the security measures implemented for kenneth.dsouza.im and their current status.

Implemented Security Headers

✅ Content Security Policy (CSP)

  • Status: Active (via meta tag)
  • Implementation: astro-site/src/layouts/BaseLayout.astro
  • Configuration: Restricts resource loading to trusted sources
    • Allows same-origin content
    • Permits Google Fonts and CDN fonts
    • Enables HTTPS images
    • Allows inline scripts (required for Astro)

✅ Referrer Policy

  • Status: Active (via meta tag)
  • Implementation: astro-site/src/layouts/BaseLayout.astro
  • Configuration: strict-origin-when-cross-origin
  • Benefit: Protects user privacy while maintaining functional navigation

✅ Subresource Integrity (SRI) Preparation

  • Status: Partial (crossorigin attributes added)
  • Implementation: astro-site/src/layouts/BaseLayout.astro
  • Limitation: Full SRI cannot be implemented for Google Fonts due to dynamic content
  • Current setup: All external resources have crossorigin="anonymous" for proper CORS handling

Pending Security Headers (Requires CDN)

⚠️ Strict Transport Security (HSTS)

  • Status: Not active on GitHub Pages
  • File prepared: astro-site/public/_headers
  • Limitation: GitHub Pages does not support custom HTTP headers
  • Solution: Migrate to Cloudflare Pages or Netlify, or configure Cloudflare CDN

⚠️ X-Content-Type-Options

  • Status: Not active on GitHub Pages
  • File prepared: astro-site/public/_headers
  • Limitation: Cannot be set via meta tags
  • Solution: Same as HSTS above

ℹ️ X-Frame-Options

  • Status: Not implemented (by user request)
  • Note: The frame-ancestors CSP directive was intentionally excluded

Recommendations

Option 1: Use Cloudflare (Free Tier)

  1. Sign up for Cloudflare (free)
  2. Point your domain's nameservers to Cloudflare
  3. Cloudflare will automatically respect the _headers file
  4. Alternatively, configure headers in Cloudflare dashboard under Rules → Transform Rules

Option 2: Migrate to Cloudflare Pages

  1. Import the GitHub repository to Cloudflare Pages
  2. The _headers file will work automatically
  3. All security headers will be active immediately

Option 3: Migrate to Netlify

  1. Import the GitHub repository to Netlify
  2. The _headers file will work automatically
  3. All security headers will be active immediately

Testing

After implementing the CDN solution, test your security headers at:

Current Score

Based on Mozilla Observatory testing:

  • Active: CSP (-25 → 0), Referrer Policy (info)
  • Pending: HSTS (-20), X-Content-Type-Options (-5)
  • Expected improvement: +45 points once HSTS and X-Content-Type-Options are active

There aren't any published security advisories