Security Best Practices

Ensuring the long-term security of the FiNAN website requires adherence to a set of best practices and regular maintenance.

The following checklist is maintained within security.config.js and should be reviewed periodically.

  • Content Security Policy implemented: Ensures only authorized content sources are loaded.
  • Security headers configured: Protects against common web vulnerabilities.
  • Environment variables secured: Sensitive keys are not exposed to the client.
  • No exposed sensitive files: Git and build configurations exclude private files.
  • Dependencies vulnerability-free: Regular audits of npm packages.
  • HTTPS Enforcement: Enable the Strict-Transport-Security header in security.config.js for production builds.
  • CSP Refinement: Monitor network traffic to see if the broad *.cloudfront.net wildcard in the CSP can be narrowed to specific distribution IDs used by your Ghost CMS instance.
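As an added illustration of the checklist above (example code written for this page, not the project's own security.config.js), the following expresses the CSP as data, builds the header set from it, emits Strict-Transport-Security only for production builds, and narrows a wildcard source such as `https://*.cloudfront.net` to the hosts actually observed in network traffic. The directive values, helper names and the observed-host sample are assumptions constructed for the example.

```javascript
// Added example, not the project's security.config.js: the CSP and header
// checklist expressed as data, with HSTS gated on production and a helper
// that narrows a wildcard source from observed hosts. Directive values are
// assumptions for illustration.

const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'style-src': ["'self'"],
  'img-src': ["'self'", 'data:', 'https://*.cloudfront.net'],
  'connect-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'frame-ancestors': ["'none'"],
};

// Serialise a directive map into a Content-Security-Policy header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Header set for a build. HSTS is only emitted for production, because a long
// max-age served from a dev or preview host would pin browsers to HTTPS there.
function buildSecurityHeaders({ production, csp = CSP_DIRECTIVES }) {
  const headers = {
    'Content-Security-Policy': buildCsp(csp),
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
  if (production) {
    headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
  }
  return headers;
}

// Replace a wildcard source such as 'https://*.cloudfront.net' in one directive
// with the concrete hosts observed in traffic that fall under it. Hosts outside
// the wildcard are ignored; the input map is not mutated.
function narrowWildcard(directives, directive, wildcard, observedHosts) {
  const match = /^(https?:\/\/)?\*(\.[^/]+)$/.exec(wildcard);
  if (!match) throw new Error(`not a host wildcard: ${wildcard}`);
  const [, scheme = '', suffix] = match;
  const matched = [...new Set(observedHosts.filter((h) => h.endsWith(suffix)))].sort();
  const sources = directives[directive].flatMap((src) =>
    src === wildcard ? matched.map((h) => scheme + h) : [src]);
  return { ...directives, [directive]: sources };
}

// Constructed sample of hosts seen while loading the site (not real data).
const OBSERVED_HOSTS = [
  'd111111abcdef8.cloudfront.net',
  'd222222abcdef8.cloudfront.net',
  'd111111abcdef8.cloudfront.net',
  'ghost.example.com',
];

const narrowedCsp = narrowWildcard(CSP_DIRECTIVES, 'img-src', 'https://*.cloudfront.net', OBSERVED_HOSTS);
console.log(buildSecurityHeaders({ production: true, csp: narrowedCsp }));
```

Feeding `narrowWildcard` with hosts collected over a representative period (all pages, all image sizes) matters: a host that was simply not requested during monitoring will be blocked once the wildcard is removed, so the narrowed policy should first be deployed as `Content-Security-Policy-Report-Only` before it replaces the enforced one.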

We use .env files to manage sensitive configuration.

  • Client-side (PUBLIC_): Only variables prefixed with PUBLIC_ are exposed to the browser.
  • Server-side: All other variables are kept secret and only available during the build process or server-side rendering.

Do not commit .env files to the repository. Use .env.example to document required variables without exposing values.
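The PUBLIC_ split and the .env.example convention above, worked through as an added example (not the project's code): a small .env parser, the client/server partition by prefix, a generator that blanks values for .env.example, and a build-time check that no server-only value appears verbatim in a client asset. The variable names (for instance GHOST_ADMIN_API_KEY) and all values are constructed for this example.

```javascript
// Added example, not the project's code: PUBLIC_ partitioning of environment
// variables, .env.example generation, and a leak check over built assets.
// Variable names and sample values below are constructed.

const CLIENT_PREFIX = 'PUBLIC_';

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    env[key] = value;
  }
  return env;
}

// Only PUBLIC_-prefixed variables may reach the browser; everything else stays
// on the build/server side.
function splitEnv(env) {
  const client = {};
  const server = {};
  for (const [key, value] of Object.entries(env)) {
    (key.startsWith(CLIENT_PREFIX) ? client : server)[key] = value;
  }
  return { client, server };
}

// Produce .env.example content: comments and keys kept, values blanked.
function toEnvExample(text) {
  return text
    .split('\n')
    .map((line) => {
      const trimmed = line.trim();
      if (!trimmed || trimmed.startsWith('#') || !trimmed.includes('=')) return line;
      return `${trimmed.slice(0, trimmed.indexOf('='))}=`;
    })
    .join('\n');
}

// Build-time check: does any server-only value appear verbatim in a client asset?
// Values shorter than minLength are skipped to avoid matching things like "true".
function findLeakedSecrets(bundleText, serverEnv, minLength = 8) {
  return Object.entries(serverEnv)
    .filter(([, value]) => value.length >= minLength && bundleText.includes(value))
    .map(([key]) => key);
}

// Constructed sample .env (not real configuration or credentials).
const SAMPLE_ENV = `# constructed sample
PUBLIC_SITE_URL=https://example.com
PUBLIC_GHOST_URL=https://ghost.example.com
GHOST_ADMIN_API_KEY="constructed-admin-key-0123456789"
`;

// Constructed sample of a built client bundle that wrongly embeds the admin key.
const SAMPLE_BUNDLE = 'const apiKey="constructed-admin-key-0123456789";fetch(apiKey)';

const { client, server } = splitEnv(parseEnv(SAMPLE_ENV));
console.log('client-visible:', Object.keys(client));
console.log('leaked into bundle:', findLeakedSecrets(SAMPLE_BUNDLE, server));
console.log(toEnvExample(SAMPLE_ENV));
```

Running `findLeakedSecrets` over the contents of the build output directory after each build turns the "sensitive keys are not exposed to the client" checklist item into a mechanical check rather than a manual review.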

While the site is largely static, any future dynamic forms (e.g., contact forms) must adhere to these rules:

  1. Validation: Always validate input on both the client (for UX) and the server (for security).
  2. Sanitization: Sanitize user inputs to prevent injection attacks before processing or storing data.
  3. CSRF Protection: If implementing stateful forms, ensure Cross-Site Request Forgery tokens are used.

  • Run pnpm audit regularly to identify vulnerabilities in dependencies.
  • Keep Astro and other core libraries updated to their latest stable versions to benefit from security patches.