zzstoatzz.io / plyr.fm
music on atproto plyr.fm
fork atom
plyr.fm / docs / security.md
at 2025.1209.191815 1.6 kB view raw view code

Security#

Overview of security mechanisms in plyr.fm.

Authentication#

We use HttpOnly Cookies for session management to prevent XSS attacks. See Authentication for details on the OAuth flow, token management, and environment architecture.

For backend implementation details regarding ATProto identity resolution, see backend/atproto-identity.md.

Rate Limiting#

We enforce application-side rate limits to prevent abuse. See Rate Limiting for configuration and architecture details.

HTTP Security Headers#

The SecurityHeadersMiddleware in src/backend/main.py automatically applies industry-standard security headers to all responses:

  • Strict-Transport-Security (HSTS): Enforces HTTPS (Production only). Max-age set to 1 year.
  • X-Content-Type-Options: nosniff: Prevents browsers from MIME-sniffing a response away from the declared content-type.
  • X-Frame-Options: DENY: Prevents the site from being embedded in iframes (clickjacking protection).
  • X-XSS-Protection: 1; mode=block: Enables browser cross-site scripting filters.
  • Referrer-Policy: strict-origin-when-cross-origin: Controls how much referrer information is included with requests.

CORS#

Cross-Origin Resource Sharing (CORS) is configured to allow:

  • Localhost: For development (http://localhost:5173).
  • Production/Staging Domains: plyr.fm, stg.plyr.fm, and Cloudflare Pages preview URLs (via regex).

Configuration is managed in src/backend/config.py under FrontendSettings.