
Security hardening: CSP, Referrer Policy, Bunny Fonts, iframe sandbox #252

Draft

Copilot wants to merge 2 commits into main from copilot/run-security-audit-remotehack

Conversation

Contributor

Copilot AI commented Feb 25, 2026

Security audit of remotehack.space — several attack vectors identified and mitigated.

Attack vectors & fixes

Content Security Policy (high)

No CSP existed, leaving the site open to XSS and resource injection. Added a strict CSP <meta> tag:

default-src 'self';
script-src 'self';
style-src 'self' https://fonts.bunny.net;
font-src https://fonts.bunny.net;
img-src 'self' data:;
frame-src https://open.spotify.com;
connect-src 'self';
object-src 'none';
base-uri 'self';
form-action 'self'

Inline scripts blocked a strict CSP (medium)

Two inline <script> blocks (nav active-link highlight, local-time formatting) would have required unsafe-inline, defeating script-src protection.

  • Nav script → assets/nav-current.js
  • Local-time script → assets/local-time.js
  • Template <script> blocks in hack.html and index.html replaced with <span class="local-time"> driven by the new external script

Google Fonts → Bunny Fonts (medium / GDPR)

Every page load was sending user IPs to Google. Swapped fonts.googleapis.com / fonts.gstatic.com for Bunny Fonts — drop-in compatible, GDPR-compliant, no IP logging.

Referrer Policy (low-medium)

Full page URLs were leaking to external sites via Referer header on every outbound click.

<meta name="referrer" content="strict-origin-when-cross-origin">

Spotify iframe sandbox (low)

Embedded iframe had unrestricted browser API access. Added:

sandbox="allow-scripts allow-same-origin allow-presentation"

Player functionality is preserved; top-navigation and popup access are removed.

External link rel (low)

Added rel="noopener noreferrer" to external footer links.


Note: X-Frame-Options, X-Content-Type-Options, and frame-ancestors CSP require HTTP response headers and cannot be set via <meta> on GitHub Pages — clickjacking protection at that level would need a proxy (e.g. Cloudflare) in front.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • fonts.googleapis.com
    • Triggering command: /usr/bin/curl curl -s REDACTED;600&family=Space+Mono:wght@400&display=swap (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

would you be able to run a security audit on remotehack.space?

try and compile any attack vectors that we have open.

and then apply fixes for any that you find!
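Added example, not code from the PR or from the remotehack.space site: a small Node.js checker that parses a serialized policy like the one in the description above and answers the two questions a reviewer would ask of it, whether a given resource load is permitted (including the default-src fallback that base-uri and form-action do not get) and whether inline scripts could still execute. Host matching is simplified (ports and paths are ignored), and PR_POLICY is constructed from the directives listed above.

```javascript
// Constructed sample: the policy proposed in the PR description above.
const PR_POLICY =
  "default-src 'self'; script-src 'self'; style-src 'self' https://fonts.bunny.net; " +
  "font-src https://fonts.bunny.net; img-src 'self' data:; frame-src https://open.spotify.com; " +
  "connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'";

// Parse "name src src; name src" into a Map; a repeated directive is ignored, as browsers do.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Fetch directives fall back to default-src; base-uri and form-action deliberately do not.
const FALLS_BACK = new Set(['script-src', 'style-src', 'font-src', 'img-src',
  'frame-src', 'connect-src', 'object-src', 'media-src']);
function sourcesFor(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (FALLS_BACK.has(name) && directives.has('default-src')) return directives.get('default-src');
  return null; // no applicable directive: the load is unrestricted
}

// Match one source expression against a URL. Simplified: ports and paths are ignored.
function matchesSource(expr, url, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;                           // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source such as data:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(e);    // host-source
  if (!m || (m[1] && url.protocol !== m[1] + ':')) return false;
  const host = m[2];
  if (host === '*') return true;
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Would a load governed by `directive` (e.g. 'font-src') from `urlString` be permitted?
function allows(policy, directive, urlString, pageOrigin) {
  const sources = sourcesFor(parseCsp(policy), directive);
  if (sources === null) return true;
  const url = new URL(urlString);
  return sources.some((s) => matchesSource(s, url, pageOrigin));
}

// Inline <script> runs only with 'unsafe-inline' and no nonce/hash source (which disable it).
function inlineScriptsAllowed(policy) {
  const sources = sourcesFor(parseCsp(policy), 'script-src');
  if (sources === null) return true;
  return !sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s)) &&
    sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}
```

With PR_POLICY, a font request to fonts.gstatic.com is refused while fonts.bunny.net is allowed, and inlineScriptsAllowed returns false, which is why the two inline blocks had to move to external files.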



@benfoxall
Member

Context: I'm at a talk about strix, and was wondering how copilot compares

…unny Fonts, iframe sandbox

Co-authored-by: benfoxall <51385+benfoxall@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Run security audit on remotehack.space and apply fixes" to "Security hardening: CSP, Referrer Policy, Bunny Fonts, iframe sandbox" Feb 25, 2026