Improve security and privacy with strict meta tags

This commit introduces two meta tags to strengthen the application's security posture and enhance user privacy, following best practices and OWASP recommendations. - Add Content-Security-Policy (CSP) to strictly to strictly control which resources the application is allowed, mitigating the risk of code injection attacks such as Cross-Site Scripting (XSS). - Add `referrer` meta tag to prevent the users' browser from sending the page's address, or referrer, when navigating to another site, thereby enhancing user privacy.
undergroundwires · Dec 6, 2023 · ba5b29a · ba5b29a
1 parent daa6230
commit ba5b29a
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 2 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -21,6 +21,20 @@ Upon receiving a security report, the process involves:
 
 ## Security Practices
 
+### Application Security
+
+privacy.sexy adopts a defense in depth strategy to protect users on multiple layers:
+
+- **Link Protection:**
+  privacy.sexy ensures each external link has special attributes for your privacy and security.
+  These attributes block the new site from accessing the privacy.sexy page, increasing your online safety and privacy.
+- **Content Security Policies (CSP):**
+  privacy.sexy actively follows security guidelines from the Open Web Application Security Project (OWASP) at strictest level.
+  This approach protects against attacks like Cross Site Scripting (XSS) and data injection.
+- **Context Isolation:**
+  The desktop application isolates different code sections based on their access level.
+  This separation prevents attackers from introducing harmful code into the app, known as injection attacks.
+
 ### Update Security and Integrity
 
 privacy.sexy benefits from automated update processes including security tests. Automated deployments from source code ensure immediate and secure updates, mirroring the latest source code. This aligns the deployed application with the expected source code, enhancing transparency and trust. For more details, see [CI/CD Documentation](./docs/ci-cd.md).
@@ -29,7 +43,7 @@ Every desktop update undergoes a thorough verification process. Updates are cryp
 
 ### Testing
 
-privacy.sexy employs a comprehensive testing strategy that integrates extensive automated testing with manual community-driven tests.
+privacy.sexy's testing approach includes a mix of automated and community-driven tests.
 Details on testing practices are available in the [Testing Documentation](./docs/tests.md).
 
 ## Support

diff --git a/docs/desktop-vs-web-features.md b/docs/desktop-vs-web-features.md
@@ -35,7 +35,7 @@ The desktop version ensures secure delivery through cryptographic signatures and
 
 > **Note for macOS users:** On macOS, the desktop version's auto-update process involves manual steps due to Apple's code signing costs.
 > Users get notified about updates but might need to complete the installation manually.
-> Your [support through donations](https://github.com/sponsors/undergroundwires) can help improve this process ❤️.
+> Consider [donating](https://github.com/sponsors/undergroundwires) to help improve this process ❤️.
 
 ### Logging
 

diff --git a/src/presentation/index.html b/src/presentation/index.html
@@ -9,6 +9,21 @@
   <meta name="description"
     content="Web tool to generate scripts for enforcing privacy & security best-practices such as stopping data collection of Windows and different softwares on it." />
   <link rel="icon" href="/favicon.ico">
+
+  <!-- Security meta tags based on OWASP recommendations, see https://owasp.org/www-project-secure-headers/ci/headers_add.json -->
+  <meta
+    http-equiv="Content-Security-Policy"
+    content="
+      default-src 'self';
+      style-src 'self' 'unsafe-inline';
+      img-src 'self' data:;
+      form-action 'self';
+      object-src 'none';
+      upgrade-insecure-requests;
+      block-all-mixed-content;
+    "
+  >
+  <meta name="referrer" content="no-referrer">
 </head>
 
 <body>