Improve security and privacy with strict meta tags

This commit introduces two meta tags to strengthen the application's security posture and enhance user privacy, following best practices and OWASP recommendations. - Add Content-Security-Policy (CSP) to strictly to strictly control which resources the application is allowed, mitigating the risk of code injection attacks such as Cross-Site Scripting (XSS). - Add `referrer` meta tag to prevent the users' browser from sending the page's address, or referrer, when navigating to another site, thereby enhancing user privacy.
undergroundwires · Dec 6, 2023 · 53253d8 · 53253d8
1 parent daa6230
commit 53253d8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -19,17 +19,17 @@ Upon receiving a security report, the process involves:
 - Fixing the vulnerability and planning a release to address it.
 - Keeping the reporter informed about progress.
 
-## Security Practices
+## Application Security Practices
 
-### Update Security and Integrity
+privacy.sexy adopts a defense in depth strategy to protect users on multiple layers:
 
-privacy.sexy benefits from automated update processes including security tests. Automated deployments from source code ensure immediate and secure updates, mirroring the latest source code. This aligns the deployed application with the expected source code, enhancing transparency and trust. For more details, see [CI/CD Documentation](./docs/ci-cd.md).
-
-Every desktop update undergoes a thorough verification process. Updates are cryptographically signed to ensure authenticity and integrity, preventing tampered versions from reaching your device. Version checks are conducted to prevent downgrade attacks.
+- **Link Protection:** privacy.sexy ensures each external link has special attributes for your privacy and security. These attributes block the new site from accessing the privacy.sexy page, increasing your online safety and privacy.
+- **Content Security Policies (CSP):** privacy.sexy actively follows security guidelines from the Open Web Application Security Project (OWASP) at strictest level. This approach protects against attacks like Cross Site Scripting (XSS) and data injection
+- **Context Isolation:** The desktop application of privacy.sexy isolates different code sections based on their access level. This separation prevents attackers from introducing harmful code into the app, known as injection attacks.
 
 ### Testing
 
-privacy.sexy employs a comprehensive testing strategy that integrates extensive automated testing with manual community-driven tests.
+privacy.sexy's testing approach includes a mix of automated and community-driven tests.
 Details on testing practices are available in the [Testing Documentation](./docs/tests.md).
 
 ## Support

diff --git a/src/presentation/index.html b/src/presentation/index.html
@@ -9,6 +9,21 @@
   <meta name="description"
     content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." />
   <link rel="icon" href="/favicon.ico">
+
+  <!-- Security meta tags based on OWASP recommendations, see https://owasp.org/www-project-secure-headers/ci/headers_add.json -->
+  <meta
+    http-equiv="Content-Security-Policy"
+    content="
+      default-src 'self';
+      style-src 'self' 'unsafe-inline';
+      img-src 'self' data:;
+      form-action 'self';
+      object-src 'none';
+      upgrade-insecure-requests;
+      block-all-mixed-content;
+    "
+  >
+  <meta name="referrer" content="no-referrer">
 </head>
 
 <body>