fix: security headers, DOMPurify sanitization, and localStorage audit #37
teeschima wants to merge 3 commits into
Conversation
…orage usage
- Add Content-Security-Policy, HSTS, X-Frame-Options, and other security headers to vercel.json and netlify.toml
- Install DOMPurify and create src/lib/sanitize.ts for user content sanitization
- Sanitize all user-generated content in LearnerProfile.tsx and VendorDashboard.tsx
- Consolidate localStorage token access through zustand persist store in api.ts
- Remove redundant direct localStorage calls from user.store.ts
@teeschima fix CI issues

The Navbar.tsx fix is already in another open PR. Before working on your branch, pull the latest main:

git checkout main

Then run:

If the error is gone, push:

If the error still shows after rebasing, apply this fix. Remove this useEffect:

Replace with onClick on each mobile nav Link:

setMobileOpen(false)} ... >

Then:

Both must exit 0 before pushing.
Closing this PR. See the reset notice on the other closed PRs: re-read CONTRIBUTING.md and the PR template, follow the context/ files, and pass all CI checks before resubmitting. |
Closes #27
Summary
Implements comprehensive security hardening for the StepFi-Web application across 5 areas.
Changes
1. Security Headers (`vercel.json`, `netlify.toml`)
   - Content-Security-Policy: `self` sources, with explicit allowlists for styles (`unsafe-inline` for Tailwind/Framer Motion), images (`data:`), API connections (`stepfi-api.onrender.com`), and fonts. Sets `frame-ancestors 'none'` and `base-uri 'self'`.
   - X-Frame-Options: `DENY`
   - X-Content-Type-Options: `nosniff`
   - Referrer-Policy: `strict-origin-when-cross-origin`
   - Strict-Transport-Security: `max-age=31536000; includeSubDomains; preload`
2. DOMPurify Sanitization (`src/lib/sanitize.ts`)
   - `sanitizeText()` (strips all HTML) and `sanitizeHtml()` (safe HTML)
   - `vouch.message` in LearnerProfile
   - `product.name`, `product.description` in VendorDashboard
   - `key.label` in VendorDashboard
   - `loan.product` in VendorDashboard
3. HTTPS Enforcement
4. localStorage Audit
   - Replaced `localStorage.getItem('accessToken')` with a reader that parses the zustand-persisted store (`stepfi-user`), eliminating duplicate storage keys
   - Removed redundant `localStorage.setItem`/`removeItem` calls (zustand persist middleware already handles persistence)
5. Subresource Integrity
Verification
- `npm run build` passes (tsc + vite build)
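The header set from section 1, as an added worked example that is not code from this PR or from StepFi-Web: it assembles the described Content-Security-Policy and companion headers into the shape `vercel.json` expects, and then audits a header set for the weak settings a reviewer would look for (script-src permitting `'unsafe-inline'` or wildcards, missing `frame-ancestors 'none'`, HSTS shorter than a year, missing `nosniff`). The exact directive list, the `https://` scheme on the API host, and the `/(.*)` source pattern are assumptions; only the values quoted in the PR description are taken from the page. Note that the audit deliberately flags `'unsafe-inline'` only on `script-src`; the PR's `style-src` allowance is a known trade-off for Tailwind/Framer Motion and does not by itself enable script execution.

```typescript
// Added example (not StepFi-Web code). Builds the security headers described in
// the PR for vercel.json and audits a header set for common weak settings.
// Directive list and the https:// scheme on the API host are assumptions.

type CspPolicy = Record<string, string[]>;

// Policy as described in the PR: 'self' everywhere, with narrow allowlists.
const STEPFI_CSP: CspPolicy = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "style-src": ["'self'", "'unsafe-inline'"], // Tailwind / Framer Motion inject inline styles
  "img-src": ["'self'", "data:"],
  "font-src": ["'self'"],
  "connect-src": ["'self'", "https://stepfi-api.onrender.com"], // scheme assumed
  "frame-ancestors": ["'none'"],
  "base-uri": ["'self'"],
};

// Serialize a policy object to the header value: "directive src src; directive src".
function serializeCsp(policy: CspPolicy): string {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a CSP header value back into a policy object (directive names lower-cased).
function parseCsp(header: string): CspPolicy {
  const policy: CspPolicy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

interface Header { key: string; value: string }

// The five headers listed in the PR, with the CSP built from a policy object.
function securityHeaders(csp: CspPolicy = STEPFI_CSP): Header[] {
  return [
    { key: "Content-Security-Policy", value: serializeCsp(csp) },
    { key: "Strict-Transport-Security", value: "max-age=31536000; includeSubDomains; preload" },
    { key: "X-Frame-Options", value: "DENY" },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  ];
}

// Shape vercel.json expects: { "headers": [ { "source": "/(.*)", "headers": [...] } ] }.
function vercelHeadersConfig(): { headers: Array<{ source: string; headers: Header[] }> } {
  return { headers: [{ source: "/(.*)", headers: securityHeaders() }] };
}

// Returns a list of findings; an empty list means the header set passes the audit.
function auditHeaders(headers: Header[]): string[] {
  const findings: string[] = [];
  const get = (name: string): string | undefined =>
    headers.find((h) => h.key.toLowerCase() === name.toLowerCase())?.value;

  const cspValue = get("Content-Security-Policy");
  if (!cspValue) {
    findings.push("missing Content-Security-Policy");
  } else {
    const csp = parseCsp(cspValue);
    // script-src falls back to default-src when absent, exactly as browsers resolve it.
    const scriptSrc = csp["script-src"] ?? csp["default-src"] ?? [];
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"]) {
      if (scriptSrc.includes(bad)) findings.push(`script-src allows ${bad}`);
    }
    if (!(csp["frame-ancestors"] ?? []).includes("'none'")) {
      findings.push("frame-ancestors is not 'none' (clickjacking)");
    }
    if (!csp["base-uri"]) findings.push("base-uri not set");
  }

  const hsts = get("Strict-Transport-Security");
  const maxAge = Number(/max-age=(\d+)/.exec(hsts ?? "")?.[1] ?? 0);
  if (maxAge < 31536000) findings.push("HSTS max-age below one year");

  if (get("X-Content-Type-Options")?.toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  return findings;
}
```

`auditHeaders(securityHeaders())` returns no findings for the policy described in the PR, while a permissive policy such as `{ "default-src": ["*"], "script-src": ["'self'", "'unsafe-inline'"] }` is flagged on both script-src and frame-ancestors. One caveat the block does not check: `preload` on HSTS is a commitment for every subdomain once the domain is submitted to the preload list, so it should only be shipped if all subdomains are served over HTTPS.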
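The token reader from section 4, as an added example that is not this PR's or StepFi-Web's code: it reads the access token out of the zustand `persist` entry (`stepfi-user`, the key named in the PR) instead of a separate `accessToken` key, and treats a missing, corrupted, or empty entry as "logged out" rather than throwing inside an API client. The `{ state, version }` envelope is the format zustand's `persist` middleware writes; the `accessToken` field name inside `state` and the `MemoryStorage` stand-in for `window.localStorage` are assumptions, and the sample entries are constructed, not real tokens.

```typescript
// Added example (not StepFi-Web code): read the access token from the zustand
// persist entry rather than a duplicate 'accessToken' localStorage key.
// zustand persist writes JSON of the shape { state: {...}, version: N }.
// The field name `accessToken` inside state is an assumption.

interface StorageLike {
  getItem(key: string): string | null;
}

interface PersistedUser {
  state?: { accessToken?: unknown };
  version?: number;
}

const USER_STORE_KEY = "stepfi-user"; // key named in the PR

function readAccessToken(storage: StorageLike, key: string = USER_STORE_KEY): string | null {
  const raw = storage.getItem(key);
  if (raw === null) return null; // never logged in, or store not hydrated yet
  let parsed: PersistedUser;
  try {
    parsed = JSON.parse(raw) as PersistedUser;
  } catch {
    return null; // corrupted entry: behave as logged out instead of throwing in a request interceptor
  }
  const token = parsed?.state?.accessToken;
  return typeof token === "string" && token.length > 0 ? token : null;
}

// Authorization header for the API client; an empty object when there is no usable token,
// so the caller never sends "Bearer undefined".
function authHeader(storage: StorageLike): Record<string, string> {
  const token = readAccessToken(storage);
  return token ? { Authorization: `Bearer ${token}` } : {};
}

// Minimal in-memory stand-in for window.localStorage so the example runs outside a browser.
class MemoryStorage implements StorageLike {
  private items = new Map<string, string>();
  getItem(key: string): string | null {
    return this.items.get(key) ?? null;
  }
  setItem(key: string, value: string): void {
    this.items.set(key, value);
  }
}

// Constructed sample entries covering the cases the reader must handle (not real tokens).
function sampleStorage(kind: "ok" | "empty" | "corrupt" | "missing"): MemoryStorage {
  const s = new MemoryStorage();
  if (kind === "ok") {
    s.setItem(USER_STORE_KEY, JSON.stringify({ state: { accessToken: "tok_example_123", user: { id: 1 } }, version: 0 }));
  } else if (kind === "empty") {
    s.setItem(USER_STORE_KEY, JSON.stringify({ state: { accessToken: "" }, version: 0 }));
  } else if (kind === "corrupt") {
    s.setItem(USER_STORE_KEY, "{not json");
  }
  return s;
}
```

Consolidating on one key removes the risk of the two copies disagreeing after logout, but it does not change the threat model: a bearer token in localStorage is readable by any script that runs in the page's origin, so the Content-Security-Policy from section 1 remains the control that limits that exposure.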