Nixius
/
hastebin
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
hastebin/docs/SECURITY.md

106 lines
3.9 KiB
Markdown
Raw Permalink Blame History

# Hastebin Security Implementation
This document explains the security measures implemented in Hastebin, particularly focusing on HTTP security headers and their testing.
## Security Headers Overview
Hastebin implements several security headers to protect against common web vulnerabilities:
### Content Security Policy (CSP)
- **Purpose**: Prevents XSS attacks and other code injection by controlling which resources can be loaded
- **Implementation**: Restricts scripts to same-origin, uses nonces for inline scripts
- **Configuration**: Controlled via `HASTEBIN_ENABLE_CSP` environment variable
- **Default Policy**:
- `script-src 'self'` (only same-origin scripts)
- Dynamic nonces for necessary inline scripts
- `unsafe-hashes` for certain UI interactions
### Cross-Origin Isolation
- **Purpose**: Enables powerful features like SharedArrayBuffer while preventing side-channel attacks
- **Headers**:
- `Cross-Origin-Embedder-Policy: require-corp`
- `Cross-Origin-Resource-Policy: same-origin`
- `Cross-Origin-Opener-Policy: same-origin`
- **Configuration**: Enabled via `HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION`
### HTTP Strict Transport Security (HSTS)
- **Purpose**: Ensures all connections use HTTPS, preventing downgrade attacks
- **Implementation**: Long max-age to ensure persistent HTTPS usage
- **Configuration**: Controlled by `HASTEBIN_ENABLE_HSTS`
### Additional Security Headers
- `X-Content-Type-Options: nosniff`: Prevents MIME type sniffing
- `X-Frame-Options: DENY`: Prevents clickjacking attacks
- `X-XSS-Protection: 1; mode=block`: Additional XSS protection for older browsers
- `Referrer-Policy: strict-origin-when-cross-origin`: Controls referrer information
- `Permissions-Policy`: Restricts access to powerful features
## Testing Security Implementation
The security implementation is thoroughly tested through our test suite located in the `test` directory:
### Test Directory Structure
```
test/
├── core/
│ └── core_functionality_spec.js # Core functionality tests
├── security/
│ ├── security_spec.js # Main security test suite
│ └── security_shell_spec.sh # Shell-based security tests
├── key_generators/ # Key generator tests
└── document_handler_spec.js # Document handler tests
```
### Running Tests
```bash
# Run all tests (unit + security)
npm test
# Run only core functionality tests
npm run test:core
# Run security tests
npm run test:security # Run all security tests
npm run test:security:csp # Test CSP configuration
npm run test:security:cors # Test CORS settings
npm run test:security:combined # Test combined security features
```
## Test Documentation
### Core Functionality Tests
- Located in `test/core/core_functionality_spec.js`
- Tests basic Hastebin operations
- Includes document creation, retrieval, and rate limiting tests
- Uses Mocha test framework
### Security Tests
- Main test suite in `test/security/security_spec.js`
- Shell-based tests in `test/security/security_shell_spec.sh`
- Covers all security headers and configurations
- Includes both automated and manual test cases
## Development Considerations
1. **Development Mode**:
- CSP can be relaxed in development via `HASTEBIN_BYPASS_CSP_IN_DEV`
- Headers are still present but may be less restrictive
2. **Production Deployment**:
- All security headers enabled by default
- CSP in strict mode
- HSTS recommended for production
3. **Monitoring and Maintenance**:
- Regular security header audits
- Updates based on browser security requirements
- Compatibility testing with security measures enabled
## Best Practices
1. **Always run security tests before deployment**
2. **Keep security headers enabled in production**
3. **Regularly update security configurations**
4. **Monitor for security header effectiveness**
5. **Test core functionality with security measures enabled**
Reference in New Issue View Git Blame Copy Permalink