Developer Security
George Dawoud edited this page Oct 20, 2025 · 1 revision
This guide covers security topics that ChurchCRM developers need to understand when writing code and contributing to the project.
Content Security Policy is a browser security feature that prevents code injection attacks by controlling what scripts, stylesheets, and other content can be loaded and executed.
In simple terms: CSP is like a bouncer that checks every piece of code before the browser runs it, only allowing code from trusted sources.
- Prevents XSS attacks: Stops malicious scripts from being injected
- Protects user data: Restricts unauthorized data exfiltration
- Limits damage: Even if an attacker finds a vulnerability, CSP limits what they can do
ChurchCRM implements CSP with the following directives:
- script-src: Controls JavaScript execution sources
- style-src: Controls stylesheet sources
- img-src: Controls image sources
- connect-src: Controls what APIs can be called
Do:
- Use `<script>` tags with `src` attributes pointing to external files
- Use `<link>` tags for stylesheets
- Avoid inline `<style>` tags - use external stylesheets instead
- Use external script files instead of inline `<script>` content
- Use JavaScript event listeners instead of HTML event attributes
Don't:
- Use `eval()` or `Function()` constructors
- Write inline JavaScript with `onclick`, `onload`, etc.
- Use inline styles with `style` attributes (use CSS classes instead)
- Dynamically construct scripts with string concatenation
- Load scripts from untrusted external sources
```javascript
// Don't use eval
eval("var x = 5");

// Don't use inline styles
document.getElementById('myDiv').style.color = 'red';

// Don't use inline event handlers
// <button onclick="doSomething()">Click me</button>
```

```javascript
// Use external script
// In your HTML: <script src="/path/to/script.js"></script>

// Use CSS classes for styling
// In your CSS: .red-text { color: red; }
document.getElementById('myDiv').classList.add('red-text');

// Use event listeners
document.getElementById('myBtn').addEventListener('click', doSomething);
```

| Issue | Problem | Solution |
|---|---|---|
| `eval()` usage | Blocks dynamic code execution | Refactor to use data structures instead |
| Inline styles | `style` attributes blocked | Use CSS classes with `classList` |
| Inline event handlers | `onclick`, `onload` attributes blocked | Use `addEventListener()` |
| Third-party scripts | External script sources must be approved | Add domain to CSP directive |
For more security information, see:
- Security Guide - General security practices
- Code Conventions - Code style and best practices
If you encounter CSP violations during development:
- Check browser console for CSP violation warnings
- Review the violation to identify what needs to be refactored
- Use the solutions above to fix the issue
- Test thoroughly in both development and production environments
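As an added example (not ChurchCRM project code), the following Node script catches the patterns from the do/don't lists above before the browser console does: it scans markup for inline scripts, inline event handlers, `style` attributes, `<style>` tags, `eval()`/`Function()` calls, and external script hosts missing from an allowlist. The allowlist and the sample page are constructed for the example and are not taken from the project's real policy.

```javascript
// Added example, not ChurchCRM code. Regex-based heuristic, not an HTML
// parser: the browser's CSP violation report remains the source of truth.

// Hypothetical stand-in for the hosts named in the script-src directive.
const ALLOWED_SCRIPT_HOSTS = new Set(['self', 'cdn.example.org']);

const RULES = [
  { id: 'inline-script',  re: /<script(?![^>]*\bsrc=)[^>]*>/i, fix: 'move code to an external file loaded via <script src>' },
  { id: 'inline-handler', re: /\son[a-z]+\s*=\s*["']/i,         fix: 'use addEventListener() in an external script' },
  { id: 'inline-style',   re: /\sstyle\s*=\s*["']/i,             fix: 'use a CSS class and classList.add()' },
  { id: 'style-tag',      re: /<style\b/i,                       fix: 'move rules to an external stylesheet via <link>' },
  { id: 'eval',           re: /\b(?:eval|new\s+Function)\s*\(/,  fix: 'refactor to data structures (e.g. a lookup map)' },
];

// Host of a <script> tag's src, 'self' for relative URLs, null when no src.
function scriptHost(tag) {
  const m = tag.match(/\bsrc\s*=\s*["']([^"']+)/i);
  if (!m) return null;
  const src = m[1];
  if (!/^(?:https?:)?\/\//i.test(src)) return 'self';
  return new URL(src.startsWith('//') ? 'https:' + src : src).host;
}

// Returns one finding per offending line and rule: { line, rule, fix }.
function findCspViolations(html) {
  const findings = [];
  html.split('\n').forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) findings.push({ line: i + 1, rule: r.id, fix: r.fix });
    }
    for (const tag of text.match(/<script\b[^>]*>/gi) || []) {
      const host = scriptHost(tag);
      if (host && !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ line: i + 1, rule: 'untrusted-script-host', fix: `add ${host} to script-src or self-host the file` });
      }
    }
  });
  return findings;
}

// Constructed sample page mixing compliant and non-compliant patterns.
const SAMPLE_HTML = `<link rel="stylesheet" href="/css/app.css">
<script src="/js/app.js"></script>
<script src="https://unvetted.example.net/t.js"></script>
<button onclick="doSomething()">Click me</button>
<div id="myDiv" style="color:red">hi</div>
<script>eval("var x = 5");</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findCspViolations(SAMPLE_HTML)) console.log(`line ${f.line}: ${f.rule} -> ${f.fix}`);
}
```

Running it on the sample reports the untrusted host on line 3, the inline handler on line 4, the inline style on line 5, and both the inline script and the `eval()` call on line 6; lines 1 and 2 pass.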