
fix: add security headers via helmet with CSP configuration#49

Merged
mayo-byte07 merged 2 commits into
mayo-byte07:mainfrom
rishab11250:gssoc/fix/security-headers
May 26, 2026

Conversation

@rishab11250
Contributor

Description

This PR adds HTTP security headers to the application using the helmet middleware, significantly improving the app's security posture. A Content Security Policy (CSP) is configured to allow existing third-party resources (Google Fonts, Razorpay checkout, CDNjs, Vercel analytics) while blocking common attack vectors like XSS, clickjacking, and MIME sniffing. Also refactors an inline event handler for CSP compliance.

Fixes #45

Changes Made

  • Installed helmet v8.2.0 (package.json)
  • Added const helmet = require('helmet') and configured helmet() middleware with CSP directives in server.js
  • CSP allows: Google Fonts (fonts.googleapis.com, fonts.gstatic.com), Razorpay checkout (checkout.razorpay.com), CDNjs VanillaTilt (cdnjs.cloudflare.com), and Vercel analytics (same-origin)
  • Set frame-ancestors: 'self' — allows admin live preview iframe to load /me while blocking external sites from framing Conn pages
  • Enforces HTTPS via upgrade-insecure-requests, blocks plugins via object-src: 'none', restricts form submissions via form-action: 'self'
  • Removed inline onclick="window.open('/me', '_blank')" from admin.html (blocked by CSP script-src-attr 'none')
  • Added equivalent addEventListener('click', ...) for the share button in admin.js

Screenshots (if applicable)

N/A

Checklist

  • I have linked the relevant issue above.
  • I have tested my changes locally.
  • My code follows the project's style guidelines.

- Add helmet middleware with Content Security Policy directives
- Allow external resources: Google Fonts, Razorpay, CDNjs, Vercel analytics
- Set frame-ancestors 'self' for admin live preview iframe
- Refactor inline onclick to addEventListener for CSP compatibility
- Blocks external framing, MIME sniffing, clickjacking
- Enforces HTTPS via upgrade-insecure-requests
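To make the policy in this PR concrete, the following is an added example, not code from the Conn project or from this PR. It writes the CSP as a helmet-style `directives` object using the hosts named in the description, renders it to the `Content-Security-Policy` header value, and evaluates sample requests against it so a reviewer can confirm what the policy allows and blocks before deploying. Which directive each third-party host belongs in is an assumption based on how those resources are normally loaded (scripts, stylesheets, fonts); `APP_ORIGIN` is a constructed stand-in for the deployed origin, and the helper names (`serializeCsp`, `allows`, `inlineEventHandlersAllowed`) are hypothetical.

```javascript
// Added example (not the Conn project's or this PR's code). The directives
// object has the same shape as helmet.contentSecurityPolicy({ directives }).
// Directive-to-host mapping is an assumption; APP_ORIGIN is constructed.

const APP_ORIGIN = 'https://conn.example'; // constructed stand-in for the real origin

const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://checkout.razorpay.com', 'https://cdnjs.cloudflare.com'],
  'script-src-attr': ["'none'"],      // blocks onclick="..." attributes in HTML
  'style-src': ["'self'", 'https://fonts.googleapis.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': ["'self'"],          // Vercel analytics is same-origin
  'frame-ancestors': ["'self'"],      // admin live preview iframe may load /me
  'object-src': ["'none'"],
  'form-action': ["'self'"],
  'upgrade-insecure-requests': [],
};

// Render the directives to a header value: "name source source; name ...".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(' ')}` : name))
    .join('; ');
}

// Fetch directives fall back to default-src when unset; script-src-attr falls
// back to script-src first. Navigation directives (frame-ancestors, form-action,
// base-uri) never fall back, so leaving them out means "unrestricted".
const FALLBACK = {
  'script-src': 'default-src', 'style-src': 'default-src', 'font-src': 'default-src',
  'img-src': 'default-src', 'connect-src': 'default-src', 'object-src': 'default-src',
  'frame-src': 'default-src', 'media-src': 'default-src',
  'script-src-elem': 'script-src', 'script-src-attr': 'script-src',
};

function effectiveSources(directives, name) {
  let current = name;
  while (current && !(current in directives)) current = FALLBACK[current];
  return current ? directives[current] : null; // null: no directive governs this
}

// Match one CSP source expression against a URL. Only keyword sources and
// scheme://host sources (with optional *. wildcard) are handled here.
function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === APP_ORIGIN;
  if (source.startsWith("'")) return false;   // nonces/hashes/unsafe-* don't match URLs
  if (!source.includes('://')) return false;  // scheme-only sources not covered
  const [scheme, rest] = source.split('://');
  const host = rest.split('/')[0];
  if (url.protocol !== `${scheme}:`) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
}

// Would a request of kind `name` (e.g. 'script-src') to urlString be allowed?
function allows(directives, name, urlString) {
  const sources = effectiveSources(directives, name);
  if (sources === null) return true; // nothing restricts it
  const url = new URL(urlString);
  return sources.some((s) => sourceMatches(s, url));
}

// Inline event-handler attributes need 'unsafe-inline' in the governing
// directive; 'none' here is why the onclick had to move into admin.js.
function inlineEventHandlersAllowed(directives) {
  const sources = effectiveSources(directives, 'script-src-attr');
  return sources === null || sources.includes("'unsafe-inline'");
}

// Stand-alone demo of the checks a reviewer would run.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(serializeCsp(cspDirectives));
  const checks = [
    ['script-src', 'https://checkout.razorpay.com/v1/checkout.js'],
    ['script-src', 'https://unlisted-cdn.example/lib.js'],
    ['frame-ancestors', `${APP_ORIGIN}/admin`],
    ['frame-ancestors', 'https://other.example/'],
    ['object-src', `${APP_ORIGIN}/plugin.swf`],
  ];
  for (const [name, url] of checks) {
    console.log(name, url, allows(cspDirectives, name, url) ? 'allowed' : 'blocked');
  }
  console.log('inline onclick allowed:', inlineEventHandlersAllowed(cspDirectives));
}
```

The fallback table is the part worth keeping in mind when reviewing a policy like this one: `img-src` is not listed above, so images are governed by `default-src 'self'`, whereas a missing `form-action` or `frame-ancestors` would have meant no restriction at all, which is why the PR sets both explicitly.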
@vercel
Contributor

vercel Bot commented May 26, 2026

@mayo-byte07 is attempting to deploy a commit to the Mayo's projects Team on Vercel.

A member of the Team first needs to authorize it.

@vercel
Contributor

vercel Bot commented May 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: conn
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): May 26, 2026 8:28pm

@mayo-byte07 mayo-byte07 merged commit 0dbedc0 into mayo-byte07:main May 26, 2026
2 checks passed
@rishab11250 rishab11250 deleted the gssoc/fix/security-headers branch May 27, 2026 03:57

Development

Successfully merging this pull request may close these issues.

[ENHANCEMENT] Add security headers (CSP, X-Frame-Options, HSTS, X-Content-Type-Options)
