Skip to content
FiNAN Logo FiNAN Docs

Security Configuration

The FiNAN website implements a robust security configuration primarily driven by Content Security Policy (CSP) and HTTP security headers. This configuration is centralized in security.config.js and applied via the Astro configuration.

centralized Configuration

Section titled “centralized Configuration”

The security logic is decoupled from the main Astro configuration to ensure maintainability and clarity.

File: security.config.js

Section titled “File: security.config.js”

This file is the single source of truth for all security-related constants. It exports:

  1. securityHeaders: An object containing HTTP headers like X-Frame-Options and X-Content-Type-Options.
  2. contentSecurityPolicy: A structural representation of the CSP directives.
  3. cspString: A helper export that converts the CSP object into a correctly formatted string for the header.

File: astro.config.mjs

Section titled “File: astro.config.mjs”

The Astro configuration imports the settings from security.config.js and applies them using a custom Vite plugin named security-headers.

astro.config.mjs
import { cspString, securityHeaders as headers } from './security.config.js';


function securityHeaders() {
  return {
    name: 'security-headers',
    configureServer(server) {
      server.middlewares.use((req, res, next) => {
        // Apply CSP and other headers
        res.setHeader('Content-Security-Policy', cspString);
        Object.entries(headers).forEach(([header, value]) => {
          res.setHeader(header, value);
        });
        next();
      });
    },
  };
}

Content Security Policy (CSP)

Section titled “Content Security Policy (CSP)”

The Content Security Policy is a critical layer of defense against Cross-Site Scripting (XSS) and data injection attacks.

Key Directives

Section titled “Key Directives”
  • default-src: Restricted to 'self' by default.
  • img-src: This is the most permissive directive to support the Ghost CMS integration. It allows images from:
    • 'self'
    • data: (for inline optimizations)
    • Ghost ecosystem (*.ghost.io, *.ghost.org, *.ghostcdn.com)
    • *.cloudfront.net (Used by Ghost Pro for asset delivery)
    • images.unsplash.com (Used by Ghost for stock photos)
  • script-src: Currently allows 'unsafe-inline' to support necessary inline scripts (e.g., Google Fonts optimization).
  • style-src: Allows 'unsafe-inline' which is currently required for Tailwind CSS integration.

HTTP Security Headers

Section titled “HTTP Security Headers”

Beyond CSP, the application enforces several standard security headers:

  • X-Frame-Options: DENY: Prevents the site from being embedded in iframes (clickjacking protection).
  • X-Content-Type-Options: nosniff: Prevents the browser from MIME-sniffing a response away from the declared content-type.
  • Referrer-Policy: strict-origin-when-cross-origin: Controls how much referrer information is included with requests.
  • Permissions-Policy: Explicitly disables powerful browser features like camera, microphone, and geolocation.