Guides

Security

Edit this page

As a non-opinionated framework, SolidStart doesn't enforce any security practices, though it enables enables developers to implement them as needed. It is important to know what are the requirements for your own app and implement the fitting security measures. If at any point you are unsure about the security of your app, or how to achieve something within the constraints of SolidStart reach us on Discord.

Below you will find a few notes on how to establish some measures.

Security Headers

Through the use of a middleware it is possible to tab into the onRequest event handlers and make sure every request going through your servers have the proper security headers set. With this, it is possible to setup headers like Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, among others.

Nonces

When using Content-Security-Policy it is possible to use nonces to allow inline scripts and styles to be executed. SolidStart enables that smoothly in the entry-server.tsx.

By passing generating the nonce within a middleware and storing it in the request.locals object, it is possible to use it in the entry-server.tsx to generate the Content-Security-Policy header.

Cross Request Forgery (CSRF)

There are multiple ways to add CSRF Protection to your SolidStart app. The quickest and most common way is to check the request.referrer header when the HTTP method is POST, PUT, PATCH or DELETE. This can also be achieved through an onRequest middleware.

Cross Site Scripting (XSS)

SolidStart automatically escape inserts and attributes in HTML. The exception is when HTML is inserted via the innerHTML property, which bypasses the escaping. Additionally, it's important to note that <noscript> are also outside of the purview of SolidStart, since those tags and its contents are evaluated even without JavaScript. It is important to sanitize any strings in attributes, especially when inside <noscript> tags.

As a rule-of-thumb it is recommended to avoid injecting HTML into your page as much as possible, make sure the contents of <noscript> are properly sanitized, and add a strict Content Security Policy to your application.

Report an issue with this page