Nixius
/
hastebin
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
hastebin/docs/SECURITY.md

3.9 KiB
Raw Blame History

Hastebin Security Implementation

This document explains the security measures implemented in Hastebin, particularly focusing on HTTP security headers and their testing.

Security Headers Overview

Hastebin implements several security headers to protect against common web vulnerabilities:

Content Security Policy (CSP)

  • Purpose: Prevents XSS attacks and other code injection by controlling which resources can be loaded
  • Implementation: Restricts scripts to same-origin, uses nonces for inline scripts
  • Configuration: Controlled via HASTEBIN_ENABLE_CSP environment variable
  • Default Policy:
    • script-src 'self' (only same-origin scripts)
    • Dynamic nonces for necessary inline scripts
    • unsafe-hashes for certain UI interactions

Cross-Origin Isolation

  • Purpose: Enables powerful features like SharedArrayBuffer while preventing side-channel attacks
  • Headers:
    • Cross-Origin-Embedder-Policy: require-corp
    • Cross-Origin-Resource-Policy: same-origin
    • Cross-Origin-Opener-Policy: same-origin
  • Configuration: Enabled via HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION

HTTP Strict Transport Security (HSTS)

  • Purpose: Ensures all connections use HTTPS, preventing downgrade attacks
  • Implementation: Long max-age to ensure persistent HTTPS usage
  • Configuration: Controlled by HASTEBIN_ENABLE_HSTS

Additional Security Headers

  • X-Content-Type-Options: nosniff: Prevents MIME type sniffing
  • X-Frame-Options: DENY: Prevents clickjacking attacks
  • X-XSS-Protection: 1; mode=block: Additional XSS protection for older browsers
  • Referrer-Policy: strict-origin-when-cross-origin: Controls referrer information
  • Permissions-Policy: Restricts access to powerful features

Testing Security Implementation

The security implementation is thoroughly tested through our test suite located in the test directory:

Test Directory Structure

test/
├── core/
│   └── core_functionality_spec.js    # Core functionality tests
├── security/
│   ├── security_spec.js             # Main security test suite
│   └── security_shell_spec.sh       # Shell-based security tests
├── key_generators/                  # Key generator tests
└── document_handler_spec.js         # Document handler tests

Running Tests

# Run all tests (unit + security)
npm test

# Run only core functionality tests
npm run test:core

# Run security tests
npm run test:security                # Run all security tests
npm run test:security:csp           # Test CSP configuration
npm run test:security:cors          # Test CORS settings
npm run test:security:combined      # Test combined security features

Test Documentation

Core Functionality Tests

  • Located in test/core/core_functionality_spec.js
  • Tests basic Hastebin operations
  • Includes document creation, retrieval, and rate limiting tests
  • Uses Mocha test framework

Security Tests

  • Main test suite in test/security/security_spec.js
  • Shell-based tests in test/security/security_shell_spec.sh
  • Covers all security headers and configurations
  • Includes both automated and manual test cases

Development Considerations

  1. Development Mode:

    • CSP can be relaxed in development via HASTEBIN_BYPASS_CSP_IN_DEV
    • Headers are still present but may be less restrictive

  2. Production Deployment:

    • All security headers enabled by default
    • CSP in strict mode
    • HSTS recommended for production

  3. Monitoring and Maintenance:

    • Regular security header audits
    • Updates based on browser security requirements
    • Compatibility testing with security measures enabled

Best Practices

  1. Always run security tests before deployment
  2. Keep security headers enabled in production
  3. Regularly update security configurations
  4. Monitor for security header effectiveness
  5. Test core functionality with security measures enabled