Barazo default frontend barazo.forum

docs(security): add repo-specific security scope and practices (#17)

Replaces generic boilerplate with frontend-specific security guidance
covering XSS, CSRF, CSP, OAuth token leakage, SSR information
disclosure, clickjacking, and prototype pollution.

Authored by Guido X Jansen and committed by GitHub
30fd94bd 90c256be

+48 -4
.github/SECURITY.md
··· 18 18 3. Click "Report a vulnerability" 19 19 4. Fill in the details 20 20 21 - Or email: security@barazo.forum (TBD - will be set up in Phase 2) 21 + Or email: security@barazo.forum 22 22 23 23 We will respond within 72 hours with next steps. 24 24 25 + ## Security Scope for This Repo 26 + 27 + barazo-web is the Next.js frontend -- it renders user-generated content, handles client-side OAuth flows, and communicates with the API. The following areas are in scope for security reports: 28 + 29 + ### Cross-Site Scripting (XSS) 30 + 31 + - **Stored XSS** -- user-generated content (topics, replies, profiles) rendering unsanitized HTML 32 + - **Reflected XSS** -- URL parameters or search queries reflected in page output without escaping 33 + - **DOM-based XSS** -- client-side JavaScript constructing DOM from untrusted data 34 + - **Markdown rendering** -- malicious markdown/HTML bypassing the sanitization pipeline 35 + 36 + ### Cross-Site Request Forgery (CSRF) 37 + 38 + - **State-changing actions** -- actions (create topic, react, report, moderate) that can be triggered by external sites 39 + - **OAuth state parameter** -- CSRF in the AT Protocol OAuth callback flow 40 + 41 + ### Content Security Policy (CSP) 42 + 43 + - **CSP bypass** -- techniques to execute scripts or load resources that violate the Content Security Policy 44 + - **Inline script injection** -- circumventing CSP nonce or hash requirements 45 + - **External resource loading** -- loading unauthorized third-party scripts or styles 46 + 47 + ### Authentication & Session 48 + 49 + - **OAuth token leakage** -- access tokens exposed in URLs, logs, or browser history 50 + - **Session fixation** -- reusing or injecting session identifiers 51 + - **Open redirect** -- OAuth callback or navigation URLs redirecting to external malicious sites 52 + 53 + ### Information Disclosure 54 + 55 + - **Server-side rendering leaks** -- SSR exposing API keys, internal URLs, or admin data in HTML source 56 + - **Error 
messages** -- stack traces or internal paths exposed to users 57 + - **SEO metadata injection** -- manipulating JSON-LD, OpenGraph, or sitemap output with user-controlled data 58 + 59 + ### Client-Side Security 60 + 61 + - **Local storage/cookie exposure** -- sensitive data stored insecurely in the browser 62 + - **Clickjacking** -- missing or bypassable frame-busting (X-Frame-Options / frame-ancestors) 63 + - **Prototype pollution** -- client-side prototype pollution via URL parameters or user input 64 + 25 65 ## Security Practices 26 66 27 - - All commits must be GPG signed 67 + - All user-generated content sanitized before rendering 68 + - Content Security Policy headers configured via Next.js 69 + - HTTPS-only (enforced by Caddy reverse proxy with HSTS) 70 + - No inline scripts or eval (CSP-compatible) 71 + - eslint-plugin-jsx-a11y in strict mode (catches some security-adjacent issues) 72 + - No secret values in client-side bundles (`NEXT_PUBLIC_` prefix convention) 28 73 - Dependencies updated weekly via Dependabot 29 - - CI runs security scans on every PR 30 - - OWASP Top 10 compliance verified 74 + - CodeQL security scanning on every PR 31 75 32 76 ## Disclosure Policy 33 77
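Review bot: the Security Practices list silently drops "All commits must be GPG signed" (along with "CI runs security scans on every PR" and "OWASP Top 10 compliance verified"), but the commit message only says generic boilerplate was replaced; if signed commits are no longer required, state that in the message, otherwise keep the line, since a reader of SECURITY.md treats every removed control as a policy change. Two smaller points in the same hunk: "No inline scripts or eval (CSP-compatible)" sits a few lines below the scope item "circumventing CSP nonce or hash requirements", which only makes sense if nonced or hashed inline scripts do exist, so name the mechanism the Next.js CSP actually uses and where it is configured so a reporter can verify a claimed bypass; and the "(TBD - will be set up in Phase 2)" tag on security@barazo.forum is removed, so confirm that mailbox is live before merging, or the "We will respond within 72 hours" commitment just below it has no inbox behind it.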