diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..672838e --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,21 @@ +# Sentinel Journal + +## 2024-07-03 - [Missing Content Security Policy in HTML UI] + +**Vulnerability:** The HTML application (`studio/index.html`) lacked a Content +Security Policy (CSP), leaving it potentially vulnerable to Cross-Site +Scripting (XSS) attacks. Without a CSP, the browser doesn't restrict the +sources from which resources like scripts, styles, and images can be loaded, +potentially allowing malicious scripts to execute. + +**Learning:** Static HTML pages that don't seem to take user input might still +benefit from a CSP to establish defense-in-depth, especially when they might be +deployed as parts of a larger platform or where unexpected data processing +might occur. The application only needs local scripts, CDNJS for font awesome, +and fonts.googleapis.com, making a restrictive CSP easy to define and +implement. + +**Prevention:** Implement a Content Security Policy by default for all HTML web +interfaces, specifying exactly which external domains are authorized to serve +scripts, styles, fonts, and images. Always restrict `default-src` to `'self'` +where possible. diff --git a/.markdownlint.json b/.markdownlint.json new file mode 100644 index 0000000..571893f --- /dev/null +++ b/.markdownlint.json @@ -0,0 +1,19 @@ +{ + "MD013": false, + "MD033": false, + "MD024": false, + "MD041": false, + "MD022": false, + "MD032": false, + "MD009": false, + "MD031": false, + "MD040": false, + "MD004": false, + "MD012": false, + "MD028": false, + "MD036": false, + "MD025": false, + "MD049": false, + "MD029": false, + "MD060": false +} diff --git a/studio/index.html b/studio/index.html index effa77c..2824af4 100644 --- a/studio/index.html +++ b/studio/index.html @@ -4,6 +4,7 @@ RTX⚡ Tech-Debate Viral Poster Studio +