Security: CSP, rate-limit phishing, CDN denylist, audit rotation#540
sandrawillow001-afk wants to merge 1 commit into
…d denylist, audit log rotation
- Create src/middleware.ts with strict CSP headers (default-src 'self', img-src, script-src with nonce)
- Create src/app/api/csp-report/route.ts for CSP violation reports
- Add Playwright E2E test verifying CSP headers block inline scripts
- Add docs/csp.md documenting the policy
- Add memoization per window.location.origin in PhishingProtection.detectPhishing
- Add rate-limited reportPhishing with configurable max reports per minute
- Add clearMemoizedResults for testing
- Add tests for memoization and rate-limiting behavior
- Add loadManifestFromCDN with signed manifest verification
- Keep minimal fallback list (3 domains, 1 contract) for offline scenarios
- Add docs/phishing-denylist.md documenting manifest schema and update procedure
- Add tests for CDN fallback behavior
- Implement LRU-by-time eviction when MAX_LOG_SIZE exceeded
- Add warning at 90% capacity threshold
- Export evicted entries to remote sink before removal
- Add alert rotation with recency-based sorting
- Add docs/audit-retention.md documenting retention policy
- Add tests for eviction, warning, and alert rotation
force-pushed from c6531db to 44dd445
@sandrawillow001-afk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Summary
Resolves issues #445, #446, #449, #450 assigned to sandrawillow001-afk.
Changes
#445 - Enforce strict CSP in production middleware
#446 - Rate-limit phishing detection lookups (rate-limited `reportPhishing` with configurable max reports)
#449 - CDN-sourced phishing denylist with signed manifest
#450 - Audit log rotation & quota enforcement
Verification
closes security: rate-limit phishing detection lookups #446
closes security: enforce strict CSP in production middleware #445
closes security: audit log lacks deterministic rotation & quota enforcement #450
closes security: phishing domain denylist should be CDN-sourced with signed manifest #449
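The #450 rotation behaviour summarised in the commit message above (quota, warning at 90% capacity, oldest-by-time eviction, export of evicted entries to a remote sink before removal, recency-sorted alert view), as an added example that is not the PR's own code; the names `BoundedAuditLog`, `AuditSink`, `MemorySink`, `WARN_THRESHOLD` and the quota value passed to the constructor are assumptions:

```typescript
// Added example, not code from the PR: a bounded audit log with the #450
// behaviour (quota, 90% warning, oldest-by-time eviction, export of evicted
// entries to a remote sink before removal). All names here are assumptions.
interface AuditEntry { ts: number; event: string }
interface AuditSink { export(entries: AuditEntry[]): void }
const WARN_THRESHOLD = 0.9; // warn once the log reaches 90% of the quota

class BoundedAuditLog {
  private entries: AuditEntry[] = [];
  private warned = false;
  warnings = 0; // number of capacity warnings emitted so far
  constructor(private sink: AuditSink, private maxLogSize: number) {}

  // Append one entry; returns whatever had to be evicted to stay within quota.
  append(entry: AuditEntry): AuditEntry[] {
    this.entries.push(entry);
    this.checkCapacity();
    return this.evictOverflow();
  }

  size(): number { return this.entries.length; }

  // Newest-first view, as used for alert rotation.
  recent(n: number): AuditEntry[] {
    return [...this.entries].sort((a, b) => b.ts - a.ts).slice(0, n);
  }

  // Fire a single warning when the 90% threshold is first crossed.
  private checkCapacity(): void {
    const limit = Math.ceil(this.maxLogSize * WARN_THRESHOLD);
    if (this.warned || this.entries.length < limit) return;
    this.warned = true;
    this.warnings++;
    console.warn(`audit log at ${this.entries.length}/${this.maxLogSize}`);
  }

  // Deterministic rotation: once the quota is exceeded, drop the oldest entries by
  // timestamp (not insertion order), exporting them to the sink before removal.
  private evictOverflow(): AuditEntry[] {
    const overflow = this.entries.length - this.maxLogSize;
    if (overflow <= 0) return [];
    const evicted = [...this.entries].sort((a, b) => a.ts - b.ts).slice(0, overflow);
    this.sink.export(evicted);
    const gone = new Set(evicted);
    this.entries = this.entries.filter(e => !gone.has(e));
    return evicted;
  }
}

// Constructed in-memory sink standing in for the remote export target.
class MemorySink implements AuditSink {
  exported: AuditEntry[] = [];
  export(entries: AuditEntry[]): void { this.exported.push(...entries); }
}
```

Because eviction sorts by timestamp rather than insertion order, a late-arriving record older than everything already retained is the first to go, which keeps the retained window deterministic regardless of arrival order.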