Skip to content

SECURITY_README.md

Latest commit

Β 

History

History
443 lines (333 loc) Β· 12.5 KB

SECURITY_README.md

File metadata and controls

443 lines (333 loc) Β· 12.5 KB

Security Documentation Index

Last Updated: November 15, 2025 Version: 1.0.0 Target Audience: Development team, security reviewers

This directory contains comprehensive security guidance for the Sonar Quiz System offline browser application.

πŸ“š Document Structure

1. SECURITY_BEST_PRACTICES.md (55 KB) - Read This First

Purpose: Comprehensive reference guide covering all security areas

Contents:

  • Executive summary
  • 6 detailed security areas with implementation patterns:
    1. Password configuration & environment variables
    2. XSS prevention (Safe DOM manipulation)
    3. Browser encryption (Web Crypto API)
    4. Rate limiting (Client-side authentication)
    5. Timing attack prevention (Constant-time comparison)
    6. Cross-tab message validation (BroadcastChannel security)
  • Security considerations for each area
  • Browser compatibility matrices
  • Implementation priority (Phase 1-3)
  • Testing & validation checklist
  • References & resources

Best For: Understanding the "why" behind each security measure

Time to Read: 30-45 minutes

2. SECURITY_IMPLEMENTATION_GUIDE.md (20 KB) - Copy-Paste Ready Code

Purpose: Practical implementation patterns you can use directly

Contents:

  • Quick start checklist
  • Implementation patterns for each security area
  • Simplified, focused code examples
  • Setup instructions for each feature
  • Integration checklist
  • Deployment verification steps
  • Common patterns (Safe Input β†’ Store β†’ Display, Rate Limited Actions, etc.)
  • Troubleshooting guide

Best For: Developers implementing security features

Time to Read: 20-30 minutes

3. SECURITY_QUICK_REFERENCE.md (11 KB) - One-Page Checklist

Purpose: Quick reference for daily development work

Contents:

  • Developer security checklist (before each commit)
  • Code snippets for common patterns (βœ“ DO vs βœ— DON'T)
  • Security checklist by phase
  • Common security patterns (4 key patterns)
  • Dangerous code patterns (red flags)
  • Security decision tree
  • Browser compatibility matrix
  • Pre-commit hook template
  • Quick troubleshooting

Best For: Developers during code review and implementation

Time to Read: 5-10 minutes (reference card)

4. SECURITY_TEST_EXAMPLES.md (30 KB) - Test Code & Examples

Purpose: Complete test suite you can copy into your project

Contents:

  • Testing setup & configuration
  • Test 1: XSS Prevention (Lit safety, input sanitization)
  • Test 2: Rate Limiting (blocking, exponential backoff)
  • Test 3: Timing-Safe Comparison (constant-time verification)
  • Test 4: Web Crypto API (encryption/decryption)
  • Test 5: BroadcastChannel Signing (message validation)
  • Running security tests
  • Coverage targets
  • CI/CD integration
  • Real-world scenarios in each test

Best For: Writing and validating security tests

Time to Read: 25-35 minutes

πŸš€ Quick Start Path

For New Team Members (1 hour)

  1. Read: SECURITY_QUICK_REFERENCE.md (5 min)
  2. Skim: SECURITY_BEST_PRACTICES.md sections 1-3 (15 min)
  3. Reference: SECURITY_IMPLEMENTATION_GUIDE.md as needed (40 min)

For Implementing New Security Feature (2-3 hours)

  1. Read: Relevant section in SECURITY_BEST_PRACTICES.md
  2. Copy: Code from SECURITY_IMPLEMENTATION_GUIDE.md
  3. Test: Using SECURITY_TEST_EXAMPLES.md
  4. Check: SECURITY_QUICK_REFERENCE.md before committing

For Code Review (30 minutes)

  1. Open: SECURITY_QUICK_REFERENCE.md
  2. Check: "Dangerous Code Patterns" section
  3. Verify: All items on developer checklist

πŸ” Security Areas Covered

Area Best Practices Implementation Quick Ref Tests
1. Environment Variables βœ“ βœ“ βœ“ Setup only
2. XSS Prevention βœ“ βœ“ βœ“ βœ“
3. Encryption βœ“ βœ“ βœ“ βœ“
4. Rate Limiting βœ“ βœ“ βœ“ βœ“
5. Timing Attacks βœ“ βœ“ βœ“ βœ“
6. Cross-Tab Messages βœ“ βœ“ βœ“ βœ“

πŸ“‹ Pre-Implementation Checklist

Before implementing any security feature:

  • Read relevant section in SECURITY_BEST_PRACTICES.md
  • Review browser compatibility (all target browsers listed)
  • Copy code from SECURITY_IMPLEMENTATION_GUIDE.md
  • Adapt tests from SECURITY_TEST_EXAMPLES.md
  • Run npm run test (all tests pass)
  • Run npm run lint (no errors)
  • Run npm run format:check (code formatted)
  • Review code with peer using SECURITY_QUICK_REFERENCE.md
  • Check against "Dangerous Code Patterns"
  • Verify .env files not committed

🎯 Implementation Priority

Phase 1: Essential (Week 1)

For immediate deployment

  1. βœ“ Environment variables (.env, Vite define)
  2. βœ“ XSS prevention (Lit templates, sanitizeInput)
  3. βœ“ Input validation (length limits, type checks)

Checklist:

npm run build && npm run audit:secrets  # Verify no secrets exposed
npm run test -- xss                     # XSS tests pass

Phase 2: Important (Week 2-3)

For production hardening

  1. Rate limiting (max 5 attempts/minute)
  2. Timing-safe comparison (constantTimeCompare)
  3. Message validation setup

Checklist:

npm run test -- rate-limiter            # Rate limiting tests
npm run test -- timing-safe             # Timing tests
npm run test                            # All tests pass

Phase 3: Enhanced (Week 4+)

For maximum security

  1. sessionStorage encryption (optional)
  2. IndexedDB encryption (optional)
  3. BroadcastChannel signing (for multi-window)

Checklist:

npm run test -- crypto                  # Crypto tests
npm run test -- broadcast               # Broadcast tests
npm run build && npm run size-check     # Verify bundle size

πŸ§ͺ Testing & Validation

Local Development

# Run all security tests
npm run test -- tests/security

# Run specific test area
npm run test -- xss                     # XSS tests only
npm run test -- rate-limiter            # Rate limiter tests
npm run test -- timing-safe             # Timing tests

# Watch mode for development
npm run test:watch -- tests/security

# Check code quality
npm run lint
npm run format:check
npm run build

Before Committing

# Run everything
npm run test
npm run lint
npm run format:check
npm run build
npm run audit:secrets

# Verify .env not in git
git check-ignore .env  # Should exit 0

Pre-Deploy Checklist

npm run test          # All tests pass
npm run lint          # Zero errors
npm run build         # Successful build
npm run audit:secrets # No secrets in bundle
npm run size-check    # Under 25KB gzipped

πŸ” Security Review Checklist

Use this when reviewing security-related PRs:

Code Review

  • No hardcoded credentials (check for: password, secret, apikey, token)
  • No console.log() of sensitive data
  • No innerHTML with user input
  • No eval() or Function() with untrusted data
  • All user input sanitized
  • Rate limiting on sensitive actions
  • Timing-safe comparison for secrets
  • .env file NOT committed
  • Environment variables injected at build time only

Testing

  • All security tests passing
  • New tests for new security features
  • Edge cases covered
  • Error handling tested
  • Real-world scenarios tested

Build & Deployment

  • Build succeeds: npm run build
  • No errors: npm run lint
  • Secrets audit passes: npm run audit:secrets
  • Bundle size OK: npm run size-check
  • All tests pass: npm run test

πŸ“– Key Concepts

XSS Prevention

Why: Attackers can inject malicious scripts through user input How: Lit auto-escapes, sanitizeInput removes dangerous patterns, textContent for plain text Test: See SECURITY_TEST_EXAMPLES.md - XSS tests

Rate Limiting

Why: Prevents brute-force attacks on authentication How: Track attempts, block after threshold, exponential backoff Test: See SECURITY_TEST_EXAMPLES.md - Rate Limiter tests

Timing Attacks

Why: Different timing for different answers reveals secret structure How: constantTimeCompare always checks all bytes Test: See SECURITY_TEST_EXAMPLES.md - Timing-Safe Comparison tests

Encryption (Optional)

Why: Data at-rest protection if device is stolen How: Web Crypto API with AES-GCM and PBKDF2 derivation Test: See SECURITY_TEST_EXAMPLES.md - Crypto tests

Message Validation

Why: Prevent tampering/replay attacks between browser tabs How: HMAC signatures + nonce + timestamp validation Test: See SECURITY_TEST_EXAMPLES.md - Broadcast Channel tests

🌐 Browser Compatibility

All security features are supported in target browsers without polyfills:

Browser Version Support Notes
Chrome β‰₯96 βœ“ Full Includes Web Components
Firefox β‰₯102 βœ“ Full Full Web Crypto support
Edge β‰₯96 βœ“ Full Chromium-based
Safari β‰₯14 βœ“ Full Web Crypto available

⚑ Performance Impact

Security measures add minimal overhead:

Feature Impact Notes
Input sanitization <1ms Per input event
XSS prevention <1ms Lit built-in
Rate limiting <1ms In-memory check
Constant-time compare <10ms Full string check
Encryption (optional) 50-200ms PBKDF2 intentionally slow
HMAC signing <5ms Per message

Result: No user-visible performance degradation

🚨 Critical Reminders

Never Do This

// NEVER commit this
password = 'hardcoded123';
const SECRET = process.env.MY_SECRET;
element.innerHTML = userInput;
if (userCode === CORRECT_CODE) { /* timing leak */ }

Always Do This

// ALWAYS use this pattern
// .env file (DO NOT COMMIT)
// vite.config.ts
define: {
  __UNLOCK_HASH__: JSON.stringify(env.UNLOCK_HASH)
}

// Usage
const safe = sanitizeInput(userInput);
html`<div>${safe}</div>`;  // Lit auto-escapes

if (constantTimeCompare(userHash, storedHash)) { /* safe */ }

πŸ“ž Getting Help

Questions About...

  • Best Practices: Read SECURITY_BEST_PRACTICES.md
  • Implementation: Check SECURITY_IMPLEMENTATION_GUIDE.md
  • Code Review: Use SECURITY_QUICK_REFERENCE.md
  • Testing: See SECURITY_TEST_EXAMPLES.md

Reporting Security Issues

  1. Do NOT create public GitHub issue
  2. Use GitHub Security Advisory
  3. Email security team privately
  4. Follow responsible disclosure (90 days)

For Implementation Help

  1. Copy code from SECURITY_IMPLEMENTATION_GUIDE.md
  2. Adapt tests from SECURITY_TEST_EXAMPLES.md
  3. Review patterns in SECURITY_QUICK_REFERENCE.md
  4. Ask team in code review

πŸ“š Related Documents

  • CLAUDE.md: Project constitution and constraints
  • System_Requirements.md: Functional requirements
  • Technical_Design.md: Architecture overview
  • Contracts.md: Frozen type definitions
  • Delivery_Plan.md: 8-phase plan
  • demo/README.md: Manual testing guide

πŸ”„ Maintenance & Updates

This documentation should be reviewed:

  • Quarterly (every 3 months)
  • When new browser features arrive
  • When security vulnerabilities discovered
  • Before each major release

Last Review: November 15, 2025 Next Review: February 15, 2026

Document Statistics

Document Size Topics Code Examples
SECURITY_BEST_PRACTICES.md 55 KB 6 areas 15+
SECURITY_IMPLEMENTATION_GUIDE.md 20 KB Setup + patterns 20+
SECURITY_QUICK_REFERENCE.md 11 KB Checklist + reference 8
SECURITY_TEST_EXAMPLES.md 30 KB 5 test suites 50+
Total 116 KB Complete coverage 90+ examples

Summary

You now have:

βœ… Comprehensive security guide (SECURITY_BEST_PRACTICES.md) βœ… Implementation-ready code (SECURITY_IMPLEMENTATION_GUIDE.md) βœ… Quick reference card (SECURITY_QUICK_REFERENCE.md) βœ… Complete test suite (SECURITY_TEST_EXAMPLES.md) βœ… This index (SECURITY_README.md)

Total: 116 KB of practical, actionable security guidance for your offline browser application.

Start Here

  1. First time? β†’ Read SECURITY_QUICK_REFERENCE.md (5 min)
  2. Need to understand why? β†’ Read SECURITY_BEST_PRACTICES.md (30 min)
  3. Ready to code? β†’ Use SECURITY_IMPLEMENTATION_GUIDE.md + SECURITY_TEST_EXAMPLES.md (2-3 hours)
  4. Reviewing code? β†’ Use SECURITY_QUICK_REFERENCE.md checklist (5 min per PR)

Version: 1.0.0 Status: Complete & Production-Ready Last Updated: November 15, 2025 Maintained By: Security Team

Questions? Check the relevant section above or use the "Getting Help" section.