
Feat/security audit infinite scroll csp #334

Open

Emeka-12 wants to merge 5 commits into rinafcode:main from Emeka-12:feat/security-audit-infinite-scroll-csp

Conversation

@Emeka-12

PR: Security Headers, Audit Trail, Infinite Scroll & Content Security Policy

Closes #252 — Security Headers

  • Added src/middleware/security.ts with buildSecurityHeaders / applySecurityHeaders utilities
  • Headers applied on every route via src/middleware.ts: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, HSTS (HTTPS only), Report-To, NEL
  • Static header fallback added to next.config.ts
  • New POST /api/security/reporting endpoint accepts NEL / Report-To violation reports
  • 2 unit tests — critical headers present, HSTS only over HTTPS

Commit: feat(security): add baseline security headers and reporting endpoint


Closes #256 — Audit Trail Logging

  • src/lib/audit/ — typed AuditLogEntry schema, in-memory store (capped at 5,000 entries), full-text + filtered query helper
  • src/middleware/audit.ts — logAuditMutation() helper records actor, IP, path, method, status, and metadata
  • Wired into feature-flag, notes, and bookmarks routes to log every create / update / delete automatically
  • GET /api/admin/audit — searchable, paginated query endpoint
  • src/pages/admin/audit.tsx — admin viewer with summary cards and filterable table
  • 4 unit tests — append, filter by action, filter by search term, respect limit

Commit: feat(audit): add audit trail logging middleware, store, API, and admin viewer


Closes #257 — Infinite Scroll Implementation

  • src/hooks/useInfiniteScroll.ts — IntersectionObserver-based hook with loading state, error capture, and manual loadMore fallback
  • src/components/InfiniteList.tsx — generic <InfiniteList<T>> combining react-window FixedSizeList + react-virtualized-auto-sizer with the hook; includes loading spinner, "Load more" button, and error/retry UI
  • 4 unit tests — initial state, loading during async, error capture, no-op when hasNextPage is false

Commit: feat(ui): implement useInfiniteScroll hook and InfiniteList component with virtual scroll


Closes #259 — Content Security Policy

  • src/middleware/csp.ts — per-request nonce via crypto.getRandomValues, strict policy: default-src 'self', nonce-gated script-src / style-src, object-src 'none', frame-ancestors 'none', report-uri /api/security/reporting, upgrade-insecure-requests
  • Chained after security headers in src/middleware.ts — both apply on every response
  • X-Nonce response header set for server components to read
  • 7 unit tests — nonce uniqueness, nonce in header, no unsafe-inline in strict mode, frame-ancestors none, report-uri present, object-src none

Closes #256
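The two middleware layers the PR describes (baseline security headers chained with a nonce-based CSP) can be sketched without any framework. The block below is an added example, not code from this PR or from the rinafcode project: the function names, the `RequestInfo` shape, and the concrete Referrer-Policy / Permissions-Policy / Report-To / NEL values are assumptions chosen to match what the PR lists, and the directives in `buildCsp` are exactly the ones the PR enumerates. `parseCsp` is a small helper so the resulting policy can be checked directive by directive, the way the PR's unit tests do.

```typescript
// Added example (not the PR's code): security headers + strict nonce CSP,
// framework-free so it runs under plain Node. Names and values are assumptions.
import { webcrypto } from "node:crypto";

// Minimal request description; a Next.js middleware would read this from
// NextRequest instead (assumption for the example).
export interface RequestInfo {
  protocol: "http" | "https";
}

export type HeaderMap = Record<string, string>;

// Violation-report endpoint named in the PR.
const REPORT_ENDPOINT = "/api/security/reporting";

// Per-request nonce: 128 bits from the CSPRNG, base64-encoded so it is a
// valid token inside a CSP 'nonce-...' source expression.
export function generateNonce(): string {
  const bytes = new Uint8Array(16);
  webcrypto.getRandomValues(bytes);
  return Buffer.from(bytes).toString("base64");
}

// Baseline headers. HSTS is emitted only when the request arrived over HTTPS,
// so an http:// development origin is never pinned by accident.
export function buildSecurityHeaders(req: RequestInfo): HeaderMap {
  const headers: HeaderMap = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Report-To": JSON.stringify({
      group: "default",
      max_age: 86400,
      endpoints: [{ url: REPORT_ENDPOINT }],
    }),
    NEL: JSON.stringify({ report_to: "default", max_age: 86400 }),
  };
  if (req.protocol === "https") {
    headers["Strict-Transport-Security"] = "max-age=63072000; includeSubDomains";
  }
  return headers;
}

// Strict policy: scripts and styles are allowed only from 'self' or when they
// carry this request's nonce; no 'unsafe-inline' anywhere.
export function buildCsp(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    `style-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "frame-ancestors 'none'",
    `report-uri ${REPORT_ENDPOINT}`,
    "upgrade-insecure-requests",
  ].join("; ");
}

// The chain the PR describes: security headers first, then the CSP, plus an
// X-Nonce header so server components can stamp the nonce on their tags.
export function applyAllHeaders(req: RequestInfo): HeaderMap {
  const nonce = generateNonce();
  return {
    ...buildSecurityHeaders(req),
    "Content-Security-Policy": buildCsp(nonce),
    "X-Nonce": nonce,
  };
}

// Parse a serialized CSP into directive -> source list so a response can be
// inspected for what it actually allows.
export function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out.set(tokens[0], tokens.slice(1));
  }
  return out;
}
```

Because the nonce is regenerated inside `applyAllHeaders`, two responses never share one, which is what makes the nonce a meaningful gate: a script tag that was injected into the page body cannot know the value the server chose for that response.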

drips-wave Bot commented Apr 28, 2026

@Emeka-12 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@RUKAYAT-CODER (Contributor) commented

Kindly resolve conflict

Development

Successfully merging this pull request may close these issues: Content Security Policy, Infinite Scroll Implementation, Audit Trail Logging, Security Headers.