This is my personal website written in JavaScript (Node.js). The purpose of this project is to learn something useful and to enjoy myself.
Everything below this point is under construction. Don't forget your safety helmet!
- Allow only the GET (HEAD) and POST HTTP methods using NGINX's limit_except directive. These methods are enabled only where required (e.g. POST is allowed only on routes defined with app.post in app.ts).
- CSRF protection by:
  - accepting only valid JSON request bodies (parsing is done with JSON.parse())
  - validating the request's 'Content-Type' header and accepting only 'Content-Type: application/json'
  - not allowing CORS: the OPTIONS method is disabled on all routes, so any CORS preflight request fails
  - setting the Content-Security-Policy object-src directive to 'none' and not serving a crossdomain.xml file, to mitigate Flash-based exploits
  - using hardened cookies with:
    - the SameSite attribute set to Strict
    - the Secure attribute
    - the HttpOnly attribute
    - the __Host- prefix
- XSS protection by:
  - using a safe Content-Security-Policy
  - allowing execution of inline scripts/styles and external scripts only when they carry a valid nonce
  - allowing external styles only from the same origin
  - sending the header 'X-XSS-Protection: 1; mode=block' with every response
  - escaping HTML values with Handlebars
  - sanitizing user-submitted values in backend logic
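The CSRF and XSS items above, expressed as plain Node.js helpers in an added example that is not the site's own code. The function names (acceptJsonBody, buildCsp, buildSessionCookie) and the nonce/value validation rules are assumptions made for this example.

```javascript
// Gate for JSON endpoints: only 'application/json' (optionally with
// charset=utf-8) is accepted, and the body must parse to an object/array.
// A plain HTML form cannot send this content type without a CORS preflight,
// and preflights fail because OPTIONS is disabled, so cross-site POSTs are
// rejected before any handler runs.
function acceptJsonBody(contentType, rawBody) {
  const [mime, ...params] = String(contentType || '')
    .split(';')
    .map((s) => s.trim().toLowerCase());
  if (mime !== 'application/json') return { ok: false, reason: 'unsupported content-type' };
  for (const p of params) {
    if (p !== '' && p !== 'charset=utf-8') return { ok: false, reason: 'unexpected parameter' };
  }
  let value;
  try {
    value = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'invalid json' };
  }
  if (value === null || typeof value !== 'object') {
    return { ok: false, reason: 'body must be a JSON object or array' };
  }
  return { ok: true, value };
}

// CSP matching the list above: inline scripts/styles and external scripts
// need the per-response nonce, external styles must be same-origin, and
// plugins (Flash) are blocked via object-src 'none'.
function buildCsp(nonce) {
  // Assumed rule: nonce is base64 of at least 128 bits (22+ chars).
  if (!/^[A-Za-z0-9+/=_-]{22,}$/.test(nonce)) throw new Error('weak or malformed nonce');
  return [
    `script-src 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
  ].join('; ');
}

// Set-Cookie value with the hardened attributes. The __Host- prefix is only
// honoured by browsers if Secure is set, Path is '/', and no Domain is given.
function buildSessionCookie(name, value) {
  if (!name.startsWith('__Host-')) throw new Error('cookie name must use the __Host- prefix');
  // RFC 6265 cookie-octet: printable ASCII except DQUOTE, comma, semicolon, backslash.
  if (!/^[\x21-\x7E]+$/.test(value) || /[",;\\]/.test(value)) throw new Error('invalid cookie value');
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}
```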