servius/sukr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c3299b7747202e4533ba3c9cab198b5865fc1a9
sukr/docs/content/security.md
Timothy DeHerrera 46c00c7729 docs: migrate content files to TOML frontmatter 
Migrate all 17 docs/content/ files from --- YAML to +++ TOML
frontmatter delimiters and key = value syntax.

Update 8 embedded frontmatter examples in 7 documentation pages
to match (configuration, content-organization, getting-started,
security, sections, sitemap, feeds, templates).

Update configuration.md frontmatter reference table: add draft
and aliases fields, correct date type from string to date.
2026-02-14 06:57:55 -07:00

102 lines
3.1 KiB
Markdown
Raw Blame History

+++
title = "Security"
description = "Content trust model and deployment security guidance"
weight = 90
+++
# Security
sukr is a **build-time only** compiler with no runtime attack surface. Security considerations focus on content processing and deployment.
## Trust Model
| Source | Trust Level | Rationale |
| :------------------- | :--------------- | :--------------------------------------------------- |
| Markdown content | **Untrusted** | May come from contributors, CMS, or external sources |
| TOML frontmatter | **Untrusted** | Parsed from content files |
| Templates | **Semi-trusted** | User-controlled but typically from known sources |
| sukr binary | **Trusted** | Compiled from audited Rust code |
| Tree-sitter grammars | **Trusted** | Compiled into the binary |
## Content Processing
### HTML Passthrough
Per the CommonMark specification, raw HTML in Markdown is passed through to output:
```markdown
<script>alert('hello')</script>
```
**If your content comes from untrusted sources**, review it before building. sukr does not sanitize HTML — this is intentional to preserve legitimate use cases.
### URL Escaping
Link and image URLs are escaped to prevent attribute injection attacks:
```markdown
<!-- This is safe — quotes are escaped -->
[click me](<"%3E%3Cscript%3Ealert(1)%3C/script%3E>)
```
Produces escaped output, not executable script.
### Template Auto-Escaping
Tera templates auto-escape variables by default:
- `{{ title }}` — escaped (safe)
- `{{ page.description }}` — escaped (safe)
- `{{ content | safe }}` — intentionally unescaped (pre-rendered HTML)
## Deployment Security
### Content Security Policy
For maximum protection when serving sukr-generated sites, configure CSP headers on your web server or CDN.
**Recommended policy for sukr sites:**
```
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'; frame-ancestors 'none'
```
This policy:
- ✅ Allows styles (including inline for syntax highlighting)
- ✅ Allows images and data URIs (for Mermaid SVGs)
- ✅ Blocks all JavaScript execution
- ✅ Prevents clickjacking
### Platform-Specific Headers
**Cloudflare Pages** (`public/_headers`):
```
/*
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
```
**Netlify** (`public/_headers`):
```
/*
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'
X-Content-Type-Options: nosniff
```
**Nginx**:
```nginx
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'none'";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
```
## Reporting Issues
Report security issues via [security@sukr.io](mailto:security@sukr.io) or GitHub Security Advisories.
Reference in New Issue View Git Blame Copy Permalink