Security hardening and legal compliance

Strict Content Security Policy headers, nonce-based script protection, XSS prevention, and pre-built legal and compliance pages for every board.

By Abi Tyas Tunggal and Jack Walsh on

Adds strict Content Security Policy headers, fixes two security vulnerabilities, and ships pre-built legal and compliance pages.

Content Security Policy

  • Strict CSP headers: script-src, style-src, and connect-src directives prevent cross-site scripting (XSS) and injection attacks across all board pages
  • Nonce-based scripts: inline scripts require a per-request cryptographic nonce, blocking unauthorized script execution even if an attacker injects HTML
  • HSTS with preload: HTTP Strict Transport Security ensures all connections use HTTPS, with preload registration for browser-level enforcement

Security fixes

  • XSS via SVG upload: fixed a stored XSS vulnerability where malicious SVG files could execute scripts when rendered as images. All image upload surfaces now sanitize SVG content
  • Webhook signature hardening: improved Stripe webhook signature verification to prevent replay and tampering attacks

Legal and compliance pages

  • Data Processing Agreement: a complete DPA page outlining how Cavuno processes data on behalf of board operators
  • Security page: public documentation of encryption, multi-tenant isolation, and infrastructure security practices
  • Subprocessors page: a list of all third-party services that process data, with purpose and location details
  • Default legal pages: every new board now auto-generates terms of service, privacy policy, and cookie policy pages that board owners can customize