Project deployed at https://freequencies.netlify.app

This document outlines the active HTTP security headers and Content Security Policy (CSP) directives implemented for Freequencies. These mechanisms enforce strict transport security, framing protections, cross-origin isolation, dynamic script restrictions, and browser permissions lockdown, providing strong client-side hardening aligned with modern web security best practices.
| Policy Area | Configuration Details | Enforcement Effect |
|---|---|---|
| Content Security Policy (CSP) | `default-src 'none'`, `strict-dynamic`, `require-trusted-types-for 'script'` | Enforces strict script evaluation policies, eliminates fallback mechanisms, and mandates nonce-based authorization for all trusted executable sources. |
| Nonce-Based Script Execution | Automated nonce generation and injection via `@netlify/plugin-csp-nonce` | Applies a fresh nonce to every HTML page at build time, enforcing `strict-dynamic` across static assets. This restricts executable scripts exclusively to those explicitly authorized by a trusted source, effectively neutralizing injected `<script>` tags and inline JavaScript payloads that rely on string-based script injection. |
| Strict Transport Security (HSTS) | `max-age=31536000; includeSubDomains` | Enforces HTTPS connections for all domains and subdomains, strengthening transport security. |
| X-Frame-Options | `DENY` | Prevents the page from being embedded in any `<frame>` or `<iframe>`, blocking framing-based attack vectors such as clickjacking. |
| Frame-Ancestors Directive (CSP) | `frame-ancestors 'none'` | Provides a modern CSP-based restriction against embedding the page in a `<frame>` or `<iframe>`, reinforcing protection against framing attacks like clickjacking. |
| Trusted Types Enforcement | `require-trusted-types-for 'script'` | Requires that any value assigned to a script-related DOM sink, like `innerHTML` or `eval()`, must be a `TrustedScript` object created through a Trusted Types policy, blocking untrusted strings from being used to generate executable JavaScript. |
| Permissions Policy | `camera=(), microphone=(), geolocation=(), accelerometer=(), magnetometer=(), gyroscope=()` | Blocks browser access to device sensors, mitigating hardware fingerprinting and sensor-based data leakage. |
| Cross-Origin Isolation Policies | `Cross-Origin-Opener-Policy: same-origin`, `Cross-Origin-Embedder-Policy: credentialless`, `Cross-Origin-Resource-Policy: same-origin` | Enables cross-origin isolation, mitigating speculative side-channel attacks and enforcing strong process separation. |
| Object-Source Directive (CSP) | `object-src 'none'` | Blocks loading of `<object>`, `<embed>`, and `<applet>` embedded content to mitigate risks associated with deprecated web embedding interfaces. |
| Cache-Control | `no-store` | Disables caching of dynamic and sensitive content on clients and intermediary proxies. |
- Mozilla Observatory: Expected A+
- Google CSP Evaluator: Excellent CSP
- SSL Labs HTTPS Test: Expected A+ (Netlify-managed certificates, HSTS enabled)
This project was developed independently as a technical exercise in applying advanced web application hardening techniques to a static deployment.
Through comprehensive policies, including CSP enforcement, Trusted Types protection, permissions lockdown, and cross-origin isolation, this configuration is estimated to rank within the top ~0.5% of public websites.

Project Link: https://freequencies.netlify.app

Freequencies is a web-based DSP environment designed for synthesizing tranquil, meditative soundscapes.