Security hardening and legal compliance

Strict Content Security Policy headers, nonce-based script protection, XSS prevention, and pre-built legal and compliance pages for every board.

By Abi Tyas Tunggal and Jack Walsh on

Adds strict Content Security Policy headers, fixes two security vulnerabilities, and ships pre-built legal and compliance pages.

Content Security Policy

  • Strict CSP headers: script-src, style-src, and connect-src directives on every board page restrict where scripts and styles may be loaded from and where fetch, XHR and WebSocket requests may go, so injected HTML cannot pull in attacker-hosted script or exfiltrate data to an arbitrary origin. CSP is a defence-in-depth layer on top of output encoding, not a replacement for it
  • Nonce-based scripts: every inline script must carry the per-response nonce, an unpredictable value drawn from a CSPRNG for each page load, so script an attacker injects into the HTML has no valid nonce and the browser refuses to run it. This only holds if responses that embed a nonce are never cached or reused
  • HSTS with preload: Strict-Transport-Security tells browsers to use HTTPS only, and preload registration (which requires a max-age of at least one year, includeSubDomains and the preload token) extends that enforcement to a user's very first visit, before any header has been seen
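As an added illustration of the three items above (example code written for this page, not Cavuno's implementation), the following builds a nonce-based strict CSP and a preload-grade HSTS header for one response, and audits a policy string for the weaknesses that make CSP ineffective. The directive values and the `api_origin` placeholder are assumptions.

```python
"""Strict, nonce-based CSP plus preload-grade HSTS for one HTML response, and an
auditor for the weaknesses that make such a policy ineffective.
Added example, not Cavuno's code; the directive values are assumptions."""
import secrets
from typing import Dict, List

HSTS_PRELOAD_MIN_AGE = 31_536_000  # hstspreload.org requires max-age >= 1 year
SCRIPT_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url. One per response: a nonce that is
    reused, predictable, or baked into a cached page gives no protection."""
    return secrets.token_urlsafe(16)


def build_security_headers(nonce: str, api_origin: str = "https://api.example.test") -> Dict[str, str]:
    """Headers for an HTML response. api_origin is a constructed placeholder."""
    csp = "; ".join([
        "default-src 'self'",
        # inline and external scripts run only with this response's nonce;
        # 'strict-dynamic' lets nonced scripts load their own dependencies
        f"script-src 'nonce-{nonce}' 'strict-dynamic'",
        f"style-src 'self' 'nonce-{nonce}'",
        f"connect-src 'self' {api_origin}",   # fetch/XHR/WebSocket targets: no exfiltration elsewhere
        "img-src 'self' data:",
        "object-src 'none'",                  # no plugin content as a script vector
        "base-uri 'none'",                    # injected <base> cannot redirect relative script URLs
        "frame-ancestors 'none'",
    ])
    hsts = f"max-age={HSTS_PRELOAD_MIN_AGE}; includeSubDomains; preload"
    return {"Content-Security-Policy": csp, "Strict-Transport-Security": hsts}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(header: str) -> List[str]:
    """Findings that would let injected HTML execute script despite the policy."""
    d = parse_csp(header)
    script = d.get("script-src", d.get("default-src", []))
    findings = []
    if "'unsafe-inline'" in script and not any(s.startswith(SCRIPT_HASH_PREFIXES) for s in script):
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("script-src contains a wildcard or scheme-only source")
    if "object-src" not in d and "'none'" not in d.get("default-src", []):
        findings.append("object-src is not restricted")
    if "base-uri" not in d:
        findings.append("base-uri is not set")
    return findings


def hsts_preload_findings(header: str) -> List[str]:
    """Reasons a Strict-Transport-Security value would be rejected for preload."""
    tokens = [t.strip().lower() for t in header.split(";")]
    findings = []
    max_age = None
    for t in tokens:
        if t.startswith("max-age="):
            try:
                max_age = int(t[len("max-age="):])
            except ValueError:
                pass
    if max_age is None or max_age < HSTS_PRELOAD_MIN_AGE:
        findings.append("max-age missing or below one year")
    if "includesubdomains" not in tokens:
        findings.append("includeSubDomains missing")
    if "preload" not in tokens:
        findings.append("preload token missing")
    return findings


if __name__ == "__main__":
    headers = build_security_headers(new_nonce())
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("CSP findings:", audit_csp(headers["Content-Security-Policy"]) or "none")
    print("HSTS findings:", hsts_preload_findings(headers["Strict-Transport-Security"]) or "none")
```

The auditor is deliberately narrow: it flags the handful of mistakes ('unsafe-inline' without a nonce, scheme-wide sources, unrestricted object-src and base-uri) that turn a CSP into decoration, which is what a reviewer checks first when a product claims strict CSP.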

Security fixes

  • XSS via SVG upload: fixed a stored XSS where a malicious SVG file could run embedded script when viewed in the browser (script inside an SVG is inert in an <img> element, but runs when the file is opened directly or embedded with <object> or <iframe>). All image upload paths now sanitize SVG content before it is stored
  • Webhook signature hardening: tightened Stripe webhook signature verification so that tampered payloads and replayed deliveries are rejected. Stripe's scheme signs the timestamp together with the raw request body, so both the HMAC check and the timestamp tolerance window matter

Legal and compliance

  • Data Processing Agreement: a complete DPA page outlining how Cavuno processes data on behalf of board operators
  • Security page: public documentation of encryption, multi-tenant isolation, and infrastructure security practices
  • Subprocessors page: a list of all third-party services that process data, with purpose and location details
  • Default legal pages: every new board now auto-generates terms of service, privacy policy, and cookie policy pages that board owners can customize
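The SVG sanitization described under Security fixes above, as an added example (written for this page, not Cavuno's code): it removes script-bearing elements, event-handler attributes, javascript: and external URLs, and CSS that imports remote resources from an uploaded SVG. The element and URL allowlists and the sample file are constructed assumptions.

```python
"""Sanitize an uploaded SVG so it can be stored and served without carrying
script. Added example, not Cavuno's code; the allowlists are assumptions a
deployment would tune to the SVG features it actually needs."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# elements that execute script or embed arbitrary HTML; removed with their subtree
BLOCKED_ELEMENTS = {"script", "foreignObject", "handler", "iframe", "embed", "object"}
# attributes that carry URLs; only same-document fragments and raster data: URIs survive
URL_ATTRIBUTES = {"href", f"{{{XLINK_NS}}}href"}
SAFE_URL = re.compile(r"^(#|data:image/(png|jpeg|gif|webp);)", re.IGNORECASE)
# CSS that pulls in external resources or (legacy IE) runs script
UNSAFE_CSS = re.compile(r"@import|expression\s*\(|url\s*\(\s*['\"]?(?!#)", re.IGNORECASE)

# constructed sample: an SVG carrying every vector the sanitizer is meant to strip
SAMPLE_MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b'<script>alert(2)</script>'
    b'<a xlink:href="javascript:alert(3)"><rect width="10" height="10" style="fill:url(http://evil.test/x)"/></a>'
    b'<foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body></foreignObject>'
    b'<use href="#shape"/></svg>'
)


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def sanitize_svg(data: bytes) -> bytes:
    # Production code should parse with defusedxml: stock ElementTree still
    # expands internal entities, so a crafted file can exhaust memory.
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")

    # 1. drop script-bearing elements and everything under them
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)

    # 2. scrub attributes on everything that is left, the root included
    for el in root.iter():
        for name in list(el.attrib):
            value = el.attrib[name].strip()
            local = _local(name).lower()
            if local.startswith("on"):                        # onload, onclick, onerror, ...
                del el.attrib[name]
            elif name in URL_ATTRIBUTES and not SAFE_URL.match(value):
                del el.attrib[name]                           # javascript:, external, or unknown scheme
            elif local == "style" and UNSAFE_CSS.search(value):
                del el.attrib[name]
        if _local(el.tag) == "style" and el.text and UNSAFE_CSS.search(el.text):
            el.text = ""                                      # keep the element, drop its CSS

    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_MALICIOUS_SVG).decode())
```

Sanitizing is the primary fix; a second layer that costs nothing is to serve user-uploaded SVGs from a separate origin with `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` header, so that even a sanitizer miss cannot run in the application's origin.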
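The webhook signature check described under Security fixes above, as an added example (written for this page, not Cavuno's code and not Stripe's SDK): it verifies the HMAC-SHA256 in a Stripe-Signature header over the raw body with a constant-time comparison, rejects deliveries whose signed timestamp is outside the tolerance window, and dedupes by event id for replays that fall inside the window. The endpoint secret, payload and clock values are constructed.

```python
"""Verify a Stripe-style webhook signature and enforce a replay window.
Added example, not Cavuno's code; the endpoint secret, payload and clock
values below are constructed for illustration."""
import hashlib
import hmac
import time
from typing import List, Optional, Set

DEFAULT_TOLERANCE_SECONDS = 300   # Stripe's documented default replay window


class WebhookVerificationError(Exception):
    pass


def _signature_for(secret: str, timestamp: int, payload: bytes) -> str:
    # Stripe signs "<timestamp>.<raw body>"; verify over the exact bytes received,
    # never over re-serialised JSON, or the HMAC will not match.
    signed_payload = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Build a Stripe-Signature header value (the sender's side of the scheme)."""
    return f"t={timestamp},v1={_signature_for(secret, timestamp, payload)}"


def verify_webhook(payload: bytes, sig_header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> int:
    """Return the signed timestamp if the delivery is authentic and fresh."""
    now = int(time.time()) if now is None else now
    timestamp: Optional[int] = None
    candidates: List[str] = []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                raise WebhookVerificationError("malformed timestamp") from None
        elif key == "v1":                  # several v1 values appear during secret rotation
            candidates.append(value)
    if timestamp is None or not candidates:
        raise WebhookVerificationError("header lacks t or v1")
    expected = _signature_for(secret, timestamp, payload)
    # compare_digest runs in constant time, so there is no byte-at-a-time timing oracle
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise WebhookVerificationError("signature mismatch")
    # the timestamp is covered by the HMAC, so an attacker cannot refresh it;
    # a genuine but old delivery is a replay and is rejected here
    if abs(now - timestamp) > tolerance:
        raise WebhookVerificationError("timestamp outside tolerance window")
    return timestamp


def verification_status(payload: bytes, sig_header: str, secret: str,
                        now: Optional[int] = None) -> str:
    """'ok' or the rejection reason; convenient for logging and for tests."""
    try:
        verify_webhook(payload, sig_header, secret, now)
        return "ok"
    except WebhookVerificationError as exc:
        return str(exc)


def first_delivery(event_id: str, seen: Set[str]) -> bool:
    """Replays inside the tolerance window still verify, so dedupe by event id.
    `seen` stands in for a persistent store shared by all workers."""
    if event_id in seen:
        return False
    seen.add(event_id)
    return True


if __name__ == "__main__":
    secret = "whsec_constructed_secret"          # constructed, not a real endpoint secret
    payload = b'{"id":"evt_test_1","type":"checkout.session.completed"}'
    header = sign_payload(secret, payload, 1_700_000_000)
    print(verification_status(payload, header, secret, now=1_700_000_120))   # ok
    print(verification_status(payload, header, secret, now=1_700_000_900))   # replay, too old
    print(verification_status(payload + b" ", header, secret, now=1_700_000_120))  # tampered body
```

The two checks do different jobs: the HMAC proves the body and timestamp came from the holder of the endpoint secret, and the tolerance window bounds how long a captured delivery stays usable. Neither stops a replay within the window, which is why the handler also has to be idempotent on the event id.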