This document describes how ohtodev addresses the OWASP Top 10 for a client-side SPA (no backend, no authentication).

| OWASP | Risk | Mitigation |
|---|---|---|
| A01 Broken Access Control | N/A | Static site; no auth or privileged routes. All content is public by design. |
| A02 Cryptographic Failures | N/A | No sensitive data stored or transmitted. Theme preference in localStorage is non-sensitive. |
| A03 Injection (XSS) | Low | React escapes output by default. No dangerouslySetInnerHTML or raw HTML from user input. User input in demos (e.g. regex) is rendered as text. |
| A04 Insecure Design | — | No server, no auth, no payment. Attack surface is limited to client-side. |
| A05 Security Misconfiguration | Addressed | CSP and security-related meta tags in index.html. Dependencies audited in CI (npm run audit). |
| A06 Vulnerable and Outdated Components | Addressed | npm audit in CI; run npm audit and npm update regularly. Consider Dependabot. |
| A07 Identification and Authentication Failures | N/A | No authentication. |
| A08 Software and Data Integrity | Addressed | Dependencies from npm with lockfile (package-lock.json). No unsigned or inline CDN scripts in production build. |
| A09 Security Logging and Monitoring | — | Client-only; no server logs. Hosting provider (e.g. GitHub Pages) may provide access logs. |
| A10 SSRF | N/A | No server-side requests. Only client-side fetch to GitHub API for star count. |
- Content-Security-Policy (CSP) meta tag: restricts script, style, font, and connect sources; frame-ancestors 'none'; base-uri 'self'; form-action 'none'.
- X-Content-Type-Options: nosniff: reduces MIME sniffing.
- Referrer-Policy: strict-origin-when-cross-origin: limits referrer leakage.
- External links: all target="_blank" links use rel="noopener noreferrer" to avoid tab-napping and referrer leaks.
- Tests: security-focused tests (CSP present, external link attributes) in the test suite; run with npm test.
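The checks the "Tests" item describes, as an added example that is not ohtodev's own test code: it runs under Node with no dependencies, uses a constructed index.html snippet (not the project's real file), and reports whether a CSP meta tag is present and which target="_blank" anchors lack the rel tokens. The regex-based scanning is an assumption made so the example runs without a DOM library; the project's real suite may use a different approach.

```javascript
// Added example, not part of ohtodev: offline checks for a CSP meta tag and
// safe external-link attributes, run over a constructed HTML sample.

// Constructed sample markup (not the project's actual index.html). The second
// anchor deliberately lacks rel="noopener noreferrer" so the check has something to find.
const SAMPLE_HTML = `
<!doctype html>
<html>
<head>
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self'; script-src 'self'; connect-src 'self' https://api.github.com; frame-ancestors 'none'; base-uri 'self'; form-action 'none'">
  <meta name="referrer" content="strict-origin-when-cross-origin">
</head>
<body>
  <a href="https://github.com/example/repo" target="_blank" rel="noopener noreferrer">Source</a>
  <a href="https://example.org" target="_blank">Missing rel</a>
  <a href="/about">Internal</a>
</body>
</html>`;

// Returns the content attribute of the CSP <meta> tag, or null when the tag is absent.
// [^>]* also matches newlines, so attributes split across lines are still seen.
function findCspMeta(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (/http-equiv\s*=\s*["']content-security-policy["']/i.test(tag)) {
      const m = tag.match(/content\s*=\s*"([^"]*)"/i);
      return m ? m[1] : "";
    }
  }
  return null;
}

// Returns the hrefs of every target="_blank" anchor whose rel attribute is missing
// "noopener" or "noreferrer". An empty array means every new-tab link is safe.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const tag of html.match(/<a\b[^>]*>/gi) || []) {
    if (!/target\s*=\s*["']_blank["']/i.test(tag)) continue;
    const rel = (tag.match(/rel\s*=\s*["']([^"']*)["']/i) || [, ""])[1];
    const tokens = rel.toLowerCase().split(/\s+/).filter(Boolean);
    if (!tokens.includes("noopener") || !tokens.includes("noreferrer")) {
      const href = (tag.match(/href\s*=\s*["']([^"']*)["']/i) || [, "(no href)"])[1];
      unsafe.push(href);
    }
  }
  return unsafe;
}

// Summarise both checks; a test runner would assert on this object.
function securityReport(html) {
  return {
    cspPresent: findCspMeta(html) !== null,
    unsafeBlankLinks: findUnsafeBlankLinks(html),
  };
}

console.log(JSON.stringify(securityReport(SAMPLE_HTML), null, 2));
```

In a real suite the sample string would be replaced by the built index.html (or a rendered component tree), and the assertion would be that cspPresent is true and unsafeBlankLinks is empty.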
GitHub Pages does not allow custom HTTP headers. The CSP and other security meta tags in index.html apply when the page is served. Note that the CSP specification ignores frame-ancestors (as well as report-uri and sandbox) when the policy is delivered through a meta tag, so that directive only takes effect once the policy is sent as a header. For stricter header-based CSP (e.g. on your own server or a platform that supports headers), use the same policy as an HTTP response header and consider removing or relaxing the meta tag to avoid duplicate policies.
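A small helper for the move from meta tag to response header described above, added here as an example and not part of ohtodev: it parses a CSP policy string into directives, lists the directives that a meta delivery drops, and serialises a normalised header value. The sample policy is constructed from the directives named on this page (connect-src allowing the GitHub API, frame-ancestors, base-uri, form-action) and is not the project's exact policy.

```javascript
// Added example, not ohtodev's code: parse a CSP policy, flag directives that are
// ignored when delivered via <meta>, and emit the equivalent HTTP header value.

// Directives the CSP spec ignores in a <meta http-equiv> policy; they only take
// effect when the policy arrives as a Content-Security-Policy response header.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Parse "name src src; name2 src" into a Map that preserves directive order.
// A directive repeated later in the policy is ignored, matching browser behaviour.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Names of directives in the policy that a <meta> tag delivery silently drops.
function metaIgnoredDirectives(policy) {
  return [...parseCsp(policy).keys()].filter((name) => META_IGNORED.has(name));
}

// Serialise the parsed policy back into a single header value.
function toHeaderValue(policy) {
  return [...parseCsp(policy)]
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
}

// Constructed policy (assumption, not the project's real one). The trailing
// duplicate default-src shows that the parser keeps only the first occurrence.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self'; font-src 'self';" +
  " connect-src 'self' https://api.github.com;" +
  " frame-ancestors 'none'; base-uri 'self'; form-action 'none'; default-src *";

console.log("Content-Security-Policy: " + toHeaderValue(SAMPLE_POLICY));
console.log("ignored in <meta>: " + metaIgnoredDirectives(SAMPLE_POLICY).join(", "));
```

The output header value is what a platform with header support would send; the ignored-directive list tells you which parts of the meta policy are currently not enforced on GitHub Pages.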
Please report security issues via GitHub Security Advisories or by opening a private security issue if preferred.