Tootaio/tootaio.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): apply security hardening recommendations from audit

Browse Source 
This commit implements several security enhancements based on the findings of a new security audit report, which has also been added to the documentation.

- **Security Headers:** Adds a strict Content-Security-Policy (CSP) and other security headers (X-Content-Type-Options, Referrer-Policy) via Nuxt route rules.
- **Production Hardening:** Disables Nuxt DevTools in production environments to reduce the attack surface.
- **Mixed Content:** All image assets are now loaded over HTTPS to resolve mixed content issues.
- **Tabnabbing:** Secures `window.open` calls by adding `noopener,noreferrer`.
- **Configuration:** Updates `.gitignore` to ignore all `.env.*` files.
- **Docs:** Adds the full security audit report for reference.
- **Build:** Corrects a case-sensitive import path to ensure cross-platform build compatibility.
This commit is contained in:
xiaomai
2025-11-07 11:15:02 +08:00
parent ccfd268682
commit cc0cb01d28
7 changed files with 222 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/composables/WhatsAppMsgSender.ts
View File

@@ -8,7 +8,7 @@ const _useWhatsAppMsgSender = () => {
const sendMessage = (message: string) => {
const text = encodeURIComponent(message);
const url = `https://api.whatsapp.com/send?phone=${phone}&text=${text}`;
window.open(url, "_blank");
window.open(url, "_blank", "noopener,noreferrer");
};
return {