audio streaming app plyr.fm
# Security

Overview of security mechanisms in plyr.fm.

## Authentication

We use **HttpOnly cookies** for session management so that the session token is never readable from JavaScript. This does not prevent XSS itself, but it limits what an XSS bug can do: an injected script cannot exfiltrate the session cookie, although it can still issue authenticated requests from the page.
See [Authentication](authentication.md) for details on the OAuth flow, token management, and environment architecture.

For backend implementation details regarding ATProto identity resolution, see [backend/atproto-identity.md](backend/atproto-identity.md).

## Rate Limiting

We enforce application-side rate limits to prevent abuse.
See [Rate Limiting](rate-limiting.md) for configuration and architecture details.

## HTTP Security Headers

The `SecurityHeadersMiddleware` in `src/backend/main.py` automatically applies industry-standard security headers to all responses:

* **`Strict-Transport-Security` (HSTS):** Tells browsers to reach the origin over HTTPS only. Sent in production only, since local development runs over plain HTTP on localhost. Max-age set to 1 year.
* **`X-Content-Type-Options: nosniff`:** Prevents browsers from MIME-sniffing a response away from the declared content-type, so a response cannot be reinterpreted as HTML or script.
* **`X-Frame-Options: DENY`:** Prevents the site from being embedded in iframes by any origin (clickjacking protection).
* **`X-XSS-Protection: 1; mode=block`:** Enables the built-in XSS filter of older browsers. Legacy header: current browsers ignore it, so it adds nothing beyond the other controls here and must not be relied on.
* **`Referrer-Policy: strict-origin-when-cross-origin`:** Sends the full URL as referrer only for same-origin requests; cross-origin requests get the origin alone, and no referrer at all when going from HTTPS to HTTP.

## CORS

Cross-Origin Resource Sharing (CORS) is configured to allow:
* **Localhost:** For development (`http://localhost:5173`).
* **Production/Staging Domains:** `plyr.fm`, `stg.plyr.fm`, and Cloudflare Pages preview URLs (via regex).

Because sessions are cookie-based, cross-origin requests from the frontend carry credentials; browsers refuse `Access-Control-Allow-Origin: *` for such requests, so each allowed origin has to be matched and echoed back exactly. Configuration is managed in `src/backend/config.py` under `FrontendSettings`.
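The following is an added example covering both the header middleware and the CORS allowlist described above; it is not plyr.fm's own `SecurityHeadersMiddleware` or `FrontendSettings`. It is a framework-free ASGI middleware that applies the listed header set (HSTS in production only) and answers CORS only for allowlisted origins. The class name `HardeningMiddleware`, the `production` flag, the `_plain_app` handler and the Cloudflare Pages project name `plyr-fm` in the preview regex are assumptions; `WEAK_PREVIEW_RE` is included only to show why the preview regex must be anchored and its dots escaped.

```python
"""Added example, not plyr.fm code: security headers plus CORS allowlist as one
pure-ASGI middleware. `plyr-fm` as the Pages project name is an assumption."""
import asyncio
import re
from typing import Optional

BASE_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",   # legacy; current browsers ignore it
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS = "max-age=31536000"  # one year; production only

ALLOWED_ORIGINS = {"http://localhost:5173", "https://plyr.fm", "https://stg.plyr.fm"}
# Anchored, dots escaped, branch charset restricted: https://<branch>.plyr-fm.pages.dev only.
PREVIEW_RE = re.compile(r"^https://[a-z0-9-]+\.plyr-fm\.pages\.dev$")
# Unanchored variant shown only for the bypass: matches https://plyr.fm.evil.example too.
WEAK_PREVIEW_RE = re.compile(r"https://.*plyr.fm")


def security_headers(production: bool) -> dict:
    """Header set for an environment; HSTS is added only in production."""
    headers = dict(BASE_HEADERS)
    if production:
        headers["strict-transport-security"] = HSTS
    return headers


def origin_allowed(origin: str, preview_re=PREVIEW_RE) -> bool:
    """Exact match on the full origin (scheme, host, port), else the preview regex."""
    return origin in ALLOWED_ORIGINS or preview_re.match(origin) is not None


def cors_headers(origin: Optional[str]) -> dict:
    """Cookie sessions need Allow-Credentials, which browsers refuse alongside `*`,
    so the exact allowed origin is echoed; any other origin gets no CORS headers."""
    if origin is None or not origin_allowed(origin):
        return {}
    return {"access-control-allow-origin": origin,
            "access-control-allow-credentials": "true",
            "vary": "Origin"}


class HardeningMiddleware:
    """Adds the headers above to every HTTP response without clobbering handler-set ones."""

    def __init__(self, app, production: bool):
        self.app, self.production = app, production

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        req = {k.lower(): v for k, v in scope.get("headers", [])}
        origin = req.get(b"origin")
        extra = security_headers(self.production)
        extra.update(cors_headers(origin.decode("latin-1") if origin else None))

        async def send_wrapped(message):
            if message["type"] == "http.response.start":
                headers = list(message.get("headers", []))
                present = {k.lower() for k, _ in headers}
                for name, value in extra.items():
                    if name.encode() not in present:
                        headers.append((name.encode(), value.encode("latin-1")))
                message = {**message, "headers": headers}
            await send(message)

        await self.app(scope, receive, send_wrapped)


async def _plain_app(scope, receive, send):
    """Constructed handler standing in for the real application."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": b"ok"})


def response_headers(production: bool, origin: Optional[str] = None) -> dict:
    """Run one constructed GET through the middleware; return the response headers."""
    sent = []

    async def capture(message):
        sent.append(message)

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    scope = {"type": "http", "method": "GET", "path": "/",
             "headers": [(b"origin", origin.encode())] if origin else []}
    asyncio.run(HardeningMiddleware(_plain_app, production)(scope, receive, capture))
    start = next(m for m in sent if m["type"] == "http.response.start")
    return {k.decode(): v.decode() for k, v in start["headers"]}
```

Calling `response_headers(True, "https://plyr.fm")` yields the five hardening headers plus the echoed origin and `access-control-allow-credentials: true`; the same call with `https://plyr.fm.evil.example` yields the hardening headers only, while the unanchored `WEAK_PREVIEW_RE` would have accepted that origin and handed the cookie session to it.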