Security Configuration

This document covers the security hardening applied to helminfosec.com and the Cloudflare configuration required to fully resolve all Security Scorecard findings.


Changes Made in This Repository

1. Self-Hosted Fonts (fixes: Subresource Integrity)

Google Fonts was removed and Inter is now served directly from /assets/fonts/. The finding was triggered by loading a stylesheet from a third-party origin without an integrity attribute (Google Fonts cannot carry a usable integrity hash because it serves different CSS per user agent); serving the font from the site's own origin removes that external dependency entirely.

Files added/changed:

  • assets/fonts/inter-latin-{400,500,600,700,800}-normal.woff2 — font files
  • _sass/_fonts.scss — @font-face declarations
  • assets/css/main.scss — imports _fonts.scss
  • _includes/head.html — Google Fonts <link> tags removed

2. Extracted Inline Scripts (enables strict CSP)

Inline <script> blocks were moved to external files so the Content Security Policy can use script-src 'self' without needing 'unsafe-inline'.

Files added/changed:

  • assets/js/nav.js — header scroll + mobile nav toggle
  • assets/js/contact.js — contact page subject-banner logic
  • _includes/header.html — inline script removed; loaded via default layout
  • _layouts/default.html — <script src="/assets/js/nav.js" defer> added
  • contact.html — inline script replaced with <script src="/assets/js/contact.js" defer>

Required Cloudflare Configuration

The remaining three findings (HSTS, CSP, X-Content-Type-Options) require HTTP response headers that GitHub Pages cannot set. Configure these in Cloudflare.

Step-by-step: Add Security Headers via Transform Rules

  1. Log in to the Cloudflare dashboard
  2. Select the helminfosec.com zone
  3. Go to Rules → Transform Rules → Modify Response Header
  4. Click Create rule
  5. Set Rule name: Security Headers
  6. Under If, select: All incoming requests (or hostname = helminfosec.com)
  7. Under Then, choose Set for each header below
  8. Click Deploy
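The same rule can be created without the dashboard through the Cloudflare Rulesets API, which keeps the header set reviewable in version control next to this repository. The script below is an added example, not code from the site repository or from Cloudflare; it assumes an API token able to edit Transform Rules for the zone in the environment variable CF_API_TOKEN and the zone ID in CF_ZONE_ID, scopes the rule to all incoming requests (expression "true"), and uses the header values from the Headers to Add table below. Without credentials it only prints the request body.

```python
"""Create the "Security Headers" response-header Transform Rule through the
Cloudflare Rulesets API instead of the dashboard.

Added example for this document; it is not part of the site repository.
Assumptions (not stated on the page): CF_API_TOKEN holds a token permitted to
edit Transform Rules for the zone, CF_ZONE_ID holds the zone ID, and the rule
applies to all incoming requests (expression "true")."""
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
PHASE = "http_response_headers_transform"  # the "Modify Response Header" phase

# Values taken from the "Headers to Add" table in this document.
CSP = (
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; "
    "base-uri 'self'; form-action 'self'"
)
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": CSP,
}


def build_ruleset_payload(headers, expression="true", name="Security Headers"):
    """Return the body for PUT .../rulesets/phases/<PHASE>/entrypoint.

    One rule with action "rewrite" and a "set" operation per header. "set"
    overwrites any same-named header the origin (GitHub Pages) already sent,
    so the edge value is the single authoritative policy.
    """
    return {
        "rules": [
            {
                "description": name,
                "expression": expression,
                "action": "rewrite",
                "action_parameters": {
                    "headers": {
                        n: {"operation": "set", "value": v} for n, v in headers.items()
                    }
                },
            }
        ]
    }


def deploy(zone_id, token, payload):
    """PUT the payload as the zone's entrypoint ruleset for the phase.

    Caveat: this REPLACES every rule already in that phase for the zone;
    fetch the existing entrypoint first if other response-header rules exist.
    """
    url = f"{CF_API}/zones/{zone_id}/rulesets/phases/{PHASE}/entrypoint"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


if __name__ == "__main__":
    payload = build_ruleset_payload(SECURITY_HEADERS)
    zone_id, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    if zone_id and token:
        result = deploy(zone_id, token, payload)
        print(f"deployed ruleset {result['id']} with {len(result['rules'])} rule(s)")
    else:
        # No credentials: print the request body so it can be reviewed or sent with curl.
        print(json.dumps(payload, indent=2))
```

A PUT on the phase entrypoint replaces the whole rule list for that phase, so if the zone already has response-header rules, GET the entrypoint first and merge this rule into the existing list before writing it back.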

Headers to Add

Header                      Value
Strict-Transport-Security   max-age=31536000; includeSubDomains; preload
X-Content-Type-Options      nosniff
X-Frame-Options             DENY
Referrer-Policy             strict-origin-when-cross-origin
Content-Security-Policy     (see below)

Content Security Policy

default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'

Directive notes:

  • script-src 'self' — no inline <script> blocks remain after this PR; all JS is in /assets/js/. Inline event-handler attributes (onclick="...") and javascript: URLs also count as inline script under this directive, so grep the templates for both before deploying.
  • style-src 'unsafe-inline' — required because inline style="..." attributes are used throughout the site (footer, cards, etc.); can be tightened by refactoring to CSS classes
  • img-src 'self' data: — all images are self-hosted; data: covers images embedded as data: URIs (base64 or SVG data). Inline <svg> markup in the HTML is not fetched and needs no img-src allowance.
  • frame-ancestors 'none' — prevents the site from being embedded in iframes (clickjacking); the X-Frame-Options: DENY header above covers browsers that predate this directive
  • form-action 'self' — no HTML forms submit to external services

Two deployment caveats:

  • Cloudflare features that inject scripts into the HTML (Rocket Loader, Email Address Obfuscation, Web Analytics) are blocked by script-src 'self'. Leave them disabled on this zone, or extend script-src with their sources.
  • Deploy the same value first as Content-Security-Policy-Report-Only and load every page with the browser console open to catch violation reports, then switch to the enforcing header.
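To verify the deployed headers from outside, and to notice if the CSP is quietly loosened later, the following checker is an added example (not part of the site repository); the function names and the two constructed header sets are assumptions for illustration. It parses the CSP into directives and applies the checks the notes above describe, plus the hstspreload.org requirements on the HSTS value; run it with a URL argument to audit a live site.

```python
"""Audit a site's response headers against the policy in this document.

Added example, not part of the site repository. The helper names
(parse_csp, audit_headers, fetch_headers) and the two sample header sets are
assumptions made for this example. With no arguments the constructed
HARDENED sample is audited; with a URL argument the live headers are fetched."""
import re
import sys
import urllib.request

ONE_YEAR = 31536000  # minimum max-age accepted by hstspreload.org


def parse_csp(value):
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive, so they are lower-cased."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means the policy on this page is met.

    `headers` maps header name to value; lookup is case-insensitive because
    HTTP header names are."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS header missing or has no max-age")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year (preload requirement)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in hsts.lower():
            findings.append("HSTS lacks preload")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp_raw = h.get("content-security-policy")
    if csp_raw is None:
        findings.append("Content-Security-Policy missing")
    else:
        csp = parse_csp(csp_raw)
        # script-src falls back to default-src when it is absent
        script = csp.get("script-src", csp.get("default-src", []))
        if not script:
            findings.append("CSP has neither script-src nor default-src")
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"):
            if bad in script:
                findings.append(f"script-src allows {bad}")
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none'")
        if csp.get("base-uri", []) != ["'self'"]:
            findings.append("CSP base-uri is not 'self'")
    return findings


def fetch_headers(url):
    """Fetch a URL and return its response headers as a dict."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return dict(resp.getheaders())


# Constructed sample: the headers this document tells Cloudflare to set.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'",
}
# Constructed sample: a short HSTS lifetime and a CSP loosened to keep inline
# scripts working, the shape of a regression this checker should flag.
UNHARDENED = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
}

if __name__ == "__main__":
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else HARDENED
    for line in audit_headers(target) or ["all checks passed"]:
        print(line)
```

The script-src check deliberately fails on 'unsafe-inline', 'unsafe-eval', the wildcard and bare scheme sources, since any of those would silently undo the benefit of extracting the inline scripts in this PR.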

HSTS Preload

After deploying the Strict-Transport-Security header, submit the domain for HSTS preloading at https://hstspreload.org to maximise protection. Before submitting, confirm that https://helminfosec.com itself serves the header with max-age of at least 31536000, includeSubDomains and preload, that plain HTTP requests redirect to HTTPS on the same host, and that every subdomain is reachable over HTTPS, since includeSubDomains applies the policy to all of them. Preloading is effectively permanent: removal from the browser preload lists takes months to propagate, so do not submit until every subdomain is committed to HTTPS.


Security Scorecard Findings — Resolution Summary

Finding                                                            Resolution
Unsafe Implementation of Subresource Integrity                     Fonts self-hosted; no external resources loaded
Website Does Not Implement HSTS Best Practices                     Cloudflare Transform Rule: Strict-Transport-Security
Content Security Policy (CSP) Missing                              Cloudflare Transform Rule: Content-Security-Policy
Website does not implement X-Content-Type-Options Best Practices   Cloudflare Transform Rule: X-Content-Type-Options: nosniff