We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
If you discover a security vulnerability, please report it to us as follows:
- Do not create a public GitHub issue
- Email security concerns to: [your-email@example.com]
- Include detailed information about the vulnerability
- Allow reasonable time for us to respond and fix the issue
This project implements several security measures:
- Helmet: Security headers for Express.js
- Rate Limiting: Prevents abuse and DoS attacks
- Input Validation: Sanitizes user inputs
- CORS: Configurable cross-origin resource sharing
- Compression: Reduces attack surface with smaller responses
Helmet enforces the following key CSP directives:
| Directive | Value | Description |
|---|---|---|
| script-src | 'self' cdn.tailwindcss.com | Only same-origin scripts and the Tailwind CDN are allowed |
| script-src-attr | 'none' | Inline event attributes (onclick, onsubmit, etc.) are completely forbidden |
| style-src | 'self' 'unsafe-inline' fonts.googleapis.com | Same-origin styles and Google Fonts are allowed |
Because of script-src-attr 'none', no HTML anywhere on the site (including innerHTML generated dynamically by JS) may use inline event attributes. This project complies as follows:
Static HTML elements (src/index.html):
- All onclick/onsubmit/onkeyup attributes have been removed from the HTML
- Instead, the bindAllEvents() function in utils.js binds every handler with addEventListener on DOMContentLoaded
Dynamically generated HTML (innerHTML injection inside utils.js):
- Filter buttons carry a data-filter attribute and are bound by delegation after rendering
- Pagination buttons carry a data-page attribute and are bound by delegation after rendering
- Product-card popup buttons carry a data-action="show-popup" attribute and are bound by delegation after rendering
- Mobile carousel buttons are bound directly by id after rendering
⚠️ Maintenance note: when adding or modifying any code that injects HTML into the DOM, never use inline event attributes such as onclick= or onsubmit= in template strings. Use the data-* attribute + addEventListener pattern; otherwise CSP will silently block every click at runtime.
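The following is an added example, not code from the HTML-YuQL project. It encodes the three directives from the table as a Helmet-style directives object, decides whether that policy blocks inline event attributes, and lints rendered HTML for the onclick=/onsubmit= attributes the policy would silently block; the Helmet directives key names, the render helpers and bindDelegated are assumptions, not the project's own functions.

```javascript
// Added example, not code from the HTML-YuQL project. Mirrors the CSP table
// above and shows the forbidden form beside the data-* + delegation form.

// Same values as the table; key names follow Helmet's
// contentSecurityPolicy.directives option (assumption about the project's setup).
const cspDirectives = {
  "script-src": ["'self'", "cdn.tailwindcss.com"],
  "script-src-attr": ["'none'"],
  "style-src": ["'self'", "'unsafe-inline'", "fonts.googleapis.com"],
};

// Inline event handler attributes are governed by script-src-attr, which falls
// back to script-src when absent; they run only if 'unsafe-inline' is listed
// ('unsafe-hashes' is ignored here for brevity).
function inlineHandlersBlocked(directives) {
  const src = directives["script-src-attr"] ?? directives["script-src"];
  if (!src) return false; // no script policy at all: browsers allow them
  return !src.includes("'unsafe-inline'");
}

// Heuristic lint: report on*= attributes in an HTML string (a static file or the
// output of a render helper). Run it in a unit test over every template.
const INLINE_HANDLER_RE = /\son[a-z]+\s*=/gi;
function findInlineHandlers(html) {
  return [...html.matchAll(INLINE_HANDLER_RE)].map((m) =>
    m[0].trim().replace(/\s*=$/, "").toLowerCase());
}

// Minimal escaping so values interpolated into innerHTML cannot break out.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// The forbidden form the maintenance note warns against ...
function renderFilterButtonLegacy(filter) {
  return `<button onclick="applyFilter('${escapeHtml(filter)}')">${escapeHtml(filter)}</button>`;
}
// ... and the compliant form: state lives in a data-* attribute, no script in markup.
function renderFilterButton(filter) {
  return `<button class="filter-btn" data-filter="${escapeHtml(filter)}">${escapeHtml(filter)}</button>`;
}

// One delegated listener on a container that survives innerHTML re-renders
// (browser only; this is the "render, then bind by delegation" step above).
function bindDelegated(root, selector, handler) {
  root.addEventListener("click", (event) => {
    const el = event.target.closest(selector);
    if (el && root.contains(el)) handler(el.dataset, event);
  });
}
```

In the browser, bindDelegated(document.querySelector("#filters"), ".filter-btn", (data) => applyFilter(data.filter)) is called once, and re-rendering the container's innerHTML needs no rebinding.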
When deploying this application:
- Use HTTPS in production
- Set strong environment variables
- Keep dependencies updated
- Use a reverse proxy (nginx) in production
- Monitor logs for suspicious activity
- Regularly backup data
We kindly ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Avoid accessing or modifying user data
- Don't perform DoS attacks or degrade service performance
- Don't spam our systems with automated vulnerability scanners
Thank you for helping keep HTML-YuQL and our users safe!