Web Security Configuration

Overview

This document records the web security configuration for chrisnewcomb.name, covering HTTP security headers, Content Security Policy, DNS security, and TLS settings. All configuration is managed via the Cloudflare dashboard.

Content Security Policy (CSP)

CSP headers restrict which scripts, styles, and resources can load on the site, preventing XSS and injection attacks.

Configuration

Set via Cloudflare Transform Rules (Modify Response Headers):

| Header | Value |
| --- | --- |
| Content-Security-Policy | default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://giscus.app; frame-src https://giscus.app; object-src 'none'; base-uri 'self' |

Notes

The unsafe-inline and unsafe-eval directives are required by Docusaurus for inline scripts and React hydration. The frame-src allows Giscus comments (GitHub Discussions iframe). No external CDN scripts are loaded, so no additional script-src origins are needed.

How to configure

  1. Go to Cloudflare dashboard, select chrisnewcomb.name
  2. Rules, Transform Rules, Modify Response Header
  3. Create a rule matching all requests (http.host eq "chrisnewcomb.name")
  4. Add each header below as "Set" (static value)

Security Headers

Required Headers

Configure all of the following via the same Cloudflare Transform Rule:

| Header | Value | Purpose |
| --- | --- | --- |
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| X-Frame-Options | DENY | Prevents clickjacking (backup for CSP frame-ancestors) |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information leakage |
| Permissions-Policy | camera=(), microphone=(), geolocation=(), payment=() | Disables unnecessary browser APIs |
| X-XSS-Protection | 0 | Disabled per modern best practice (CSP handles XSS) |
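The following is an added example, not code from this page or from the site's own tooling. It checks a captured set of response headers against the CSP directives in the Content Security Policy section and the required-headers table above, reporting the documented unsafe-inline/unsafe-eval exception as a warning so it stays visible at each review. The sample responses are constructed inline rather than fetched from chrisnewcomb.name, and the one-year HSTS max-age threshold is an assumption, not a value from this page.

```python
"""Check a set of HTTP response headers against the CSP and security-header
values documented for this site. Sample headers are constructed below."""
from typing import Dict, List

# Header values the Cloudflare Transform Rule is expected to set (from the table above).
REQUIRED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "x-xss-protection": "0",
}

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}. Directives are separated
    by ';', tokens by whitespace; directive names are case-insensitive."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return directives

def check_csp(policy: str) -> List[str]:
    """Findings for a CSP value: object-src 'none', base-uri 'self' and a
    frame-src limited to Giscus are errors if violated; the Docusaurus
    unsafe-inline/unsafe-eval exception is reported as a warning."""
    csp = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in csp:
        findings.append("error: default-src missing")
    if csp.get("object-src") != ["'none'"]:
        findings.append("error: object-src must be 'none'")
    if csp.get("base-uri") != ["'self'"]:
        findings.append("error: base-uri must be 'self'")
    for src in csp.get("frame-src", []):
        if src not in ("'self'", "https://giscus.app"):
            findings.append(f"error: unexpected frame-src origin {src}")
    for src in csp.get("script-src", []):
        if src.startswith("http"):
            findings.append(f"error: external script origin {src} needs SRI and Plugin Policy approval")
    for flag in ("'unsafe-inline'", "'unsafe-eval'"):
        if flag in csp.get("script-src", []):
            findings.append(f"warning: script-src allows {flag} (Docusaurus exception)")
    return findings

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Compare a response's headers (names case-insensitive) with the required
    values, run the CSP checks, and confirm an HSTS header is present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, expected in REQUIRED_HEADERS.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"error: {name} missing")
        elif actual != expected:
            findings.append(f"error: {name} is {actual!r}, expected {expected!r}")
    if "content-security-policy" not in h:
        findings.append("error: content-security-policy missing")
    else:
        findings.extend(check_csp(h["content-security-policy"]))
    # HSTS is expected from Cloudflare; the one-year floor is an assumption.
    max_age = 0
    for token in h.get("strict-transport-security", "").split(";"):
        k, _, v = token.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit():
            max_age = int(v)
    if max_age < 31536000:
        findings.append("error: strict-transport-security missing or max-age below one year")
    return findings

# Constructed sample: a correctly configured response.
GOOD_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                               "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; "
                               "connect-src 'self' https://giscus.app; frame-src https://giscus.app; "
                               "object-src 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: a drifted rule with a CDN script added, object-src dropped,
# a weakened X-Frame-Options and no HSTS.
DRIFTED_RESPONSE = dict(GOOD_RESPONSE)
DRIFTED_RESPONSE["Content-Security-Policy"] = "default-src 'self'; script-src 'self' https://cdn.example.com; base-uri 'self'"
DRIFTED_RESPONSE["X-Frame-Options"] = "SAMEORIGIN"
del DRIFTED_RESPONSE["Strict-Transport-Security"]

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("drifted", DRIFTED_RESPONSE)):
        print(label, check_headers(resp) or ["ok"])
```

Run it after changing the Transform Rule, feeding it the headers from a real response; any line starting with "error" means the rule has drifted from this document, while the two "warning" lines are the expected state until the Docusaurus inline-script dependency goes away.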

HSTS (HTTP Strict Transport Security)

Managed by Cloudflare automatically when SSL/TLS is set to Full (Strict). Verify in Cloudflare dashboard under SSL/TLS, Edge Certificates, and confirm "Always Use HTTPS" is enabled.

Subresource Integrity (SRI)

No external scripts are loaded by the Docusaurus site. All JavaScript and CSS are built and served from the same origin. SRI is not applicable unless external CDN resources are added in the future.

If external scripts are added, integrity hashes must be included. See the Plugin Policy for the approval process.

DNS Security

DNSSEC

Enable DNSSEC in Cloudflare dashboard under DNS, Settings. Cloudflare manages the signing keys. After enabling, add the DS record to the domain registrar as instructed by Cloudflare.

CAA Records

CAA (Certificate Authority Authorization) records restrict which certificate authorities can issue certificates for the domain. Add the following DNS records:

| Type | Name | Content |
| --- | --- | --- |
| CAA | chrisnewcomb.name | 0 issue "digicert.com" |
| CAA | chrisnewcomb.name | 0 issue "letsencrypt.org" |
| CAA | chrisnewcomb.name | 0 issuewild ";" |

The issuewild ";" prevents wildcard certificate issuance by any CA.

DMARC/SPF/DKIM

If email is ever sent from the chrisnewcomb.name domain, configure:

| Type | Name | Content |
| --- | --- | --- |
| TXT | _dmarc | v=DMARC1; p=reject; rua=mailto:dmarc@chrisnewcomb.name |
| TXT | @ | v=spf1 -all (if no email is sent from this domain) |

Currently no email is sent from this domain. The SPF -all record prevents spoofing.
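The following is an added example, not code from this page, covering both the CAA records section and the DMARC/SPF/DKIM records above. It parses the record contents in the presentation form used in the tables, decides whether a given CA may issue a regular or wildcard certificate under the CAA rules (RFC 8659: issuewild governs wildcard requests when present, a value of ";" authorizes no CA), and checks that the SPF and DMARC records match a non-sending domain. All records are constructed inline; nothing is resolved over the network.

```python
"""Evaluate CAA, SPF and DMARC record contents of the form documented above.
Records are constructed inline as the strings they would hold in DNS."""
from typing import Dict, List, NamedTuple

class CAA(NamedTuple):
    flags: int   # 0 = non-critical, 128 = issuer-critical (RFC 8659)
    tag: str     # issue | issuewild | iodef
    value: str   # CA domain, or ";" meaning "no CA may issue"

def parse_caa(content: str) -> CAA:
    """Parse presentation form such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = content.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

def caa_permits(records: List[CAA], ca: str, wildcard: bool) -> bool:
    """True if the CA may issue for the name these records cover.
    issuewild records govern wildcard requests when any exist; otherwise
    issue records govern. An empty relevant set means CAA imposes no
    restriction; a ';' value names no CA, so nothing matches it."""
    use_wild = wildcard and any(r.tag == "issuewild" for r in records)
    relevant = [r for r in records if r.tag == ("issuewild" if use_wild else "issue")]
    if not relevant:
        return True
    for r in relevant:
        domain = r.value.split(";", 1)[0].strip()  # drop any issuer parameters
        if domain and domain.lower() == ca.lower():
            return True
    return False

def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' record (DMARC) into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags

def check_email_policy(spf: str, dmarc: str) -> List[str]:
    """Findings for a domain that sends no mail: SPF must be exactly
    'v=spf1 -all' so no sender is ever authorized, and DMARC must be
    p=reject with an aggregate-report address."""
    findings: List[str] = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("error: SPF record missing v=spf1")
    elif terms[1:] != ["-all"]:
        findings.append(f"error: SPF should be 'v=spf1 -all' for a non-sending domain, got {spf!r}")
    d = parse_tags(dmarc)
    if d.get("v") != "DMARC1":
        findings.append("error: DMARC record missing v=DMARC1")
    if d.get("p") != "reject":
        findings.append(f"error: DMARC p={d.get('p')!r}, expected reject")
    if not d.get("rua", "").startswith("mailto:"):
        findings.append("warning: DMARC rua missing, aggregate reports will not be delivered")
    return findings

# Constructed sample records matching the tables above.
CAA_RECORDS = [parse_caa(s) for s in (
    '0 issue "digicert.com"',
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
)]
SPF_RECORD = "v=spf1 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@chrisnewcomb.name"

if __name__ == "__main__":
    print(caa_permits(CAA_RECORDS, "letsencrypt.org", wildcard=False))
    print(caa_permits(CAA_RECORDS, "letsencrypt.org", wildcard=True))
    print(caa_permits(CAA_RECORDS, "sectigo.com", wildcard=False))
    print(check_email_policy(SPF_RECORD, DMARC_RECORD) or ["ok"])
```

The wildcard case is the one worth keeping in mind: without the issuewild ";" record, the two issue records would also authorize wildcard issuance by those CAs, because issue governs wildcard requests whenever no issuewild record exists.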

TLS Configuration

Minimum TLS Version

Set to TLS 1.2 minimum in Cloudflare dashboard under SSL/TLS, Edge Certificates, Minimum TLS Version.

SSL/TLS Mode

Set to "Full (Strict)" in Cloudflare dashboard under SSL/TLS, Overview. This ensures end-to-end encryption between Cloudflare and the origin.

Certificate Transparency

Cloudflare automatically publishes certificates to CT logs. No additional configuration needed.

Always Use HTTPS

Ensure "Always Use HTTPS" is enabled under SSL/TLS, Edge Certificates. This redirects all HTTP requests to HTTPS.

Verification

After configuring headers, verify using:

Review Schedule

This document should be reviewed when:

  • New external scripts or resources are added to the site
  • Cloudflare SSL/TLS settings are modified
  • Domain registrar or DNS provider changes
  • Quarterly as part of general security review