From ed4467747819fba53dfb0819a80b9c4899856b02 Mon Sep 17 00:00:00 2001
From: rishab11250 <rishab.chandgothia.cg@gmail.com>
Date: Sun, 31 May 2026 23:10:52 +0530
Subject: [PATCH 1/3] feat(security): add Content-Security-Policy and security
 headers via Helmet

Add comprehensive security headers via the Helmet middleware, including a
strict Content-Security-Policy with per-request nonces for inline scripts.

Security headers set on every response:
- Content-Security-Policy (nonce-based, blocks injected scripts)
- X-Frame-Options: SAMEORIGIN (clickjacking prevention)
- X-Content-Type-Options: nosniff
- Strict-Transport-Security
- Referrer-Policy: no-referrer

Inline event handlers (onclick) converted to addEventListener for CSP compliance.

Closes #59
---
 frontend/leaderboard.html  | 16 +++++--
 frontend/registration.html | 14 ++++--
 package-lock.json          | 34 +++++++++++++-
 package.json               |  6 ++-
 server.js                  | 90 +++++++++++++++++++++++++++++++++++---
 5 files changed, 147 insertions(+), 13 deletions(-)

diff --git a/frontend/leaderboard.html b/frontend/leaderboard.html
index 09fd96b6..dee9c7b5 100644
--- a/frontend/leaderboard.html
+++ b/frontend/leaderboard.html
@@ -128,7 +128,6 @@ <h1 class="page-title">Leaderboard</h1>
           <button
             id="load-more-btn"
             class="btn btn-secondary"
-            onclick="loadMoreNodes()"
             style="
               font-family: &quot;Space Mono&quot;, monospace;
               font-size: 0.9rem;
@@ -141,7 +140,6 @@ <h1 class="page-title">Leaderboard</h1>
           <button
             id="scroll-top-btn"
             class="btn btn-primary"
-            onclick="window.scrollTo({ top: 0, behavior: 'smooth' })"
             style="
               font-family: &quot;Space Mono&quot;, monospace;
               font-size: 0.9rem;
@@ -155,7 +153,7 @@ <h1 class="page-title">Leaderboard</h1>
       </div>
     </main>
 
-    <script>
+    <script nonce="__NONCE__">
       document.addEventListener("DOMContentLoaded", () => {
         document.querySelectorAll(".tab").forEach((tab) => {
           tab.addEventListener("click", () => {
@@ -195,6 +193,18 @@ <h1 class="page-title">Leaderboard</h1>
           }
         });
 
+        // Bind pagination buttons (replaces inline onclick handlers)
+        document
+          .getElementById("load-more-btn")
+          .addEventListener("click", () => {
+            loadMoreNodes();
+          });
+        document
+          .getElementById("scroll-top-btn")
+          .addEventListener("click", () => {
+            window.scrollTo({ top: 0, behavior: "smooth" });
+          });
+
         fetchLeaderboardData();
       });
 
diff --git a/frontend/registration.html b/frontend/registration.html
index 047a3b79..9db125cf 100644
--- a/frontend/registration.html
+++ b/frontend/registration.html
@@ -126,7 +126,7 @@ <h1 class="page-title">Join the Leaderboard</h1>
             <a href="/leaderboard" class="btn btn-secondary"
               >view_leaderboard</a
             >
-            <button class="btn btn-primary" onclick="fullResetForm()">
+            <button class="btn btn-primary" id="register-another-btn">
               register_another
             </button>
           </div>
@@ -175,7 +175,7 @@ <h1 class="page-title">Join the Leaderboard</h1>
             "
           ></div>
           <div style="display: flex; justify-content: center">
-            <button class="btn btn-error" onclick="dismissError()">
+            <button class="btn btn-error" id="dismiss-error-btn">
               retry_input
             </button>
           </div>
@@ -183,7 +183,7 @@ <h1 class="page-title">Join the Leaderboard</h1>
       </div>
     </main>
 
-    <script>
+    <script nonce="__NONCE__">
       function showSuccess(name) {
         document.getElementById("registration-form").classList.add("hidden");
         document.getElementById("success-message").classList.remove("hidden");
@@ -520,6 +520,14 @@ <h1 class="page-title">Join the Leaderboard</h1>
             registerBtn.style.display = "inline-block";
           }
         });
+
+        // Bind buttons (replaces inline onclick handlers)
+        document
+          .getElementById("register-another-btn")
+          .addEventListener("click", fullResetForm);
+        document
+          .getElementById("dismiss-error-btn")
+          .addEventListener("click", dismissError);
       });
     </script>
     <script src="js/footer.js"></script>
diff --git a/package-lock.json b/package-lock.json
index 0dfeba9c..3d201b72 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,11 @@
       "dependencies": {
         "axios": "^1.10.0",
         "cors": "^2.8.5",
-        "express": "^5.1.0"
+        "express": "^5.1.0",
+        "helmet": "^8.2.0"
+      },
+      "devDependencies": {
+        "prettier": "^3.8.3"
       }
     },
     "node_modules/accepts": {
@@ -559,6 +563,18 @@
         "node": ">= 0.4"
       }
     },
+    "node_modules/helmet": {
+      "version": "8.2.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-8.2.0.tgz",
+      "integrity": "sha512-DRgTIUgnWcJ62KyarxxziuqYxKGnR6Rgg19BlbucN/dpmJbl1XOit6qvoOX0ZT+HhWe5OUVhU/a1zpGyc1xA0Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/EvanHahn"
+      }
+    },
     "node_modules/http-errors": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
@@ -756,6 +772,22 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/prettier": {
+      "version": "3.8.3",
+      "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.3.tgz",
+      "integrity": "sha512-7igPTM53cGHMW8xWuVTydi2KO233VFiTNyF5hLJqpilHfmn8C8gPf+PS7dUT64YcXFbiMGZxS9pCSxL/Dxm/Jw==",
+      "dev": true,
+      "license": "MIT",
+      "bin": {
+        "prettier": "bin/prettier.cjs"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/prettier/prettier?sponsor=1"
+      }
+    },
     "node_modules/proxy-addr": {
       "version": "2.0.7",
       "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
diff --git a/package.json b/package.json
index f27df097..b1a51189 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,10 @@
   "dependencies": {
     "axios": "^1.10.0",
     "cors": "^2.8.5",
-    "express": "^5.1.0"
+    "express": "^5.1.0",
+    "helmet": "^8.2.0"
+  },
+  "devDependencies": {
+    "prettier": "^3.8.3"
   }
 }
diff --git a/server.js b/server.js
index ea2087f2..fce3568c 100644
--- a/server.js
+++ b/server.js
@@ -1,33 +1,113 @@
 const express = require("express");
+const helmet = require("helmet");
 const cors = require("cors");
 const path = require("path");
 const fs = require("fs");
+const crypto = require("crypto");
+
 const app = express();
 const PORT = process.env.PORT || 3000;
 
+// CORS — allow cross-origin requests (used by uptime monitor, etc.)
 app.use(cors());
-app.use(express.static(path.join(__dirname, "frontend")));
+
+// ---------------------------------------------------------------------------
+// 1. Per-request nonce generator (used by CSP and HTML nonce injection)
+// ---------------------------------------------------------------------------
+app.use((req, res, next) => {
+  res.locals.nonce = crypto.randomBytes(16).toString("base64url");
+  next();
+});
+
+// ---------------------------------------------------------------------------
+// 2. Security headers via Helmet
+//    Sets: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options,
+//          Referrer-Policy, Strict-Transport-Security, and more.
+// ---------------------------------------------------------------------------
+app.use(
+  helmet({
+    contentSecurityPolicy: {
+      directives: {
+        defaultSrc: ["'self'"],
+        // Inline scripts need a per-request nonce; external scripts from 'self'
+        // are allowed automatically.
+        scriptSrc: ["'self'", (req, res) => `'nonce-${res.locals.nonce}'`],
+        // Allow inline styles (style attributes) + Google Fonts stylesheet
+        styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
+        // Google Fonts
+        fontSrc: ["'self'", "https://fonts.gstatic.com"],
+        // Images: self + data: URIs (used by matrix canvas)
+        imgSrc: ["'self'", "data:"],
+        // No plugins
+        objectSrc: ["'none'"],
+        // No framing (clickjacking protection)
+        frameAncestors: ["'none'"],
+        // Upgrade HTTP to HTTPS when possible
+        upgradeInsecureRequests: [],
+      },
+    },
+    crossOriginEmbedderPolicy: false, // keep false so Google Fonts load
+  }),
+);
+
+// ---------------------------------------------------------------------------
+// 3. Static assets (JS, CSS, images) — served normally
+//     HTML files are excluded — they go through nonce injection via routes.
+// ---------------------------------------------------------------------------
+const staticMiddleware = express.static(path.join(__dirname, "frontend"), {
+  index: false,
+});
+
+app.use((req, res, next) => {
+  if (req.path.endsWith(".html")) return next();
+  staticMiddleware(req, res, next);
+});
+
+// ---------------------------------------------------------------------------
+// 4. HTML page routes — inject per-request nonce into __NONCE__ placeholders
+// ---------------------------------------------------------------------------
+function serveHtml(res, filePath) {
+  fs.readFile(filePath, "utf8", (err, data) => {
+    if (err) {
+      return res.status(500).send("Error loading page");
+    }
+    const html = data.replace(/__NONCE__/g, res.locals.nonce);
+    res.type("html").send(html);
+  });
+}
 
 app.get("/", (req, res) => {
-  res.sendFile(path.join(__dirname, "frontend", "index.html"));
+  serveHtml(res, path.join(__dirname, "frontend", "index.html"));
 });
 
 app.get("/leaderboard", (req, res) => {
-  res.sendFile(path.join(__dirname, "frontend", "leaderboard.html"));
+  serveHtml(res, path.join(__dirname, "frontend", "leaderboard.html"));
 });
 
 app.get("/about", (req, res) => {
-  res.sendFile(path.join(__dirname, "frontend", "about.html"));
+  serveHtml(res, path.join(__dirname, "frontend", "about.html"));
 });
 
 app.get("/registration", (req, res) => {
-  res.sendFile(path.join(__dirname, "frontend", "registration.html"));
+  serveHtml(res, path.join(__dirname, "frontend", "registration.html"));
+});
+
+// Redirect direct .html file access so nonce injection still applies
+app.get(/\.html$/, (req, res) => {
+  const cleanPath = req.path.replace(/\.html$/, "");
+  res.redirect(301, cleanPath || "/");
 });
 
+// ---------------------------------------------------------------------------
+// 5. Utility endpoints
+// ---------------------------------------------------------------------------
 app.get("/uptime", (req, res) => {
   res.json({ status: "Website is running ✅" });
 });
 
+// ---------------------------------------------------------------------------
+// 6. 404
+// ---------------------------------------------------------------------------
 app.use((req, res) => {
   res.status(404).send("Page not found");
 });

From db84d68a242782d79e630bf88a53ddb8f890cfef Mon Sep 17 00:00:00 2001
From: Jagdish Prajapati <jagadishdrp@gmail.com>
Date: Fri, 5 Jun 2026 20:56:07 +0530
Subject: [PATCH 2/3] Refactor server.js by removing redundant comments

---
 server.js | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/server.js b/server.js
index 5bfee9a9..98274bd5 100644
--- a/server.js
+++ b/server.js
@@ -11,19 +11,15 @@ const PORT = process.env.PORT || 3000;
 
 app.use(cors());
 
-// ---------------------------------------------------------------------------
 // 1. Per-request nonce generator (used by CSP and HTML nonce injection)
-// ---------------------------------------------------------------------------
 app.use((req, res, next) => {
   res.locals.nonce = crypto.randomBytes(16).toString("base64url");
   next();
 });
 
-// ---------------------------------------------------------------------------
 // 2. Security headers via Helmet
 //    Sets: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options,
 //          Referrer-Policy, Strict-Transport-Security, and more.
-// ---------------------------------------------------------------------------
 app.use(
   helmet({
     contentSecurityPolicy: {
@@ -57,10 +53,8 @@ app.use(
   }),
 );
 
-// ---------------------------------------------------------------------------
 // 3. Static assets (JS, CSS, images) — served normally
-//     HTML files are excluded — they go through nonce injection via routes.
-// ---------------------------------------------------------------------------
+//    HTML files are excluded — they go through nonce injection via routes.
 const staticMiddleware = express.static(path.join(__dirname, "frontend"), {
   index: false,
 });
@@ -70,9 +64,7 @@ app.use((req, res, next) => {
   staticMiddleware(req, res, next);
 });
 
-// ---------------------------------------------------------------------------
 // 4. HTML page routes — inject per-request nonce into __NONCE__ placeholders
-// ---------------------------------------------------------------------------
 function serveHtml(res, filePath) {
   fs.readFile(filePath, "utf8", (err, data) => {
     if (err) {
@@ -83,7 +75,7 @@ function serveHtml(res, filePath) {
   });
 }
 
-/* ---------------- HOME ROUTES ---------------- */
+/* HOME ROUTES */
 app.get("/", (req, res) => {
   serveHtml(res, path.join(__dirname, "frontend", "index.html"));
 });
@@ -106,9 +98,7 @@ app.get(/\.html$/, (req, res) => {
   res.redirect(301, cleanPath || "/");
 });
 
-// ---------------------------------------------------------------------------
 // 5. Utility endpoints
-// ---------------------------------------------------------------------------
 app.get("/uptime", (req, res) => {
   res.json({ status: "Website is running ✅" });
 });
@@ -146,3 +136,4 @@ app.use((req, res) => {
 app.listen(PORT, () => {
   console.log(`Server running at http://localhost:${PORT}`);
 });
+

From 2fd3f87bd7b8beb272f50aa694210f89bebe0831 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Fri, 5 Jun 2026 15:26:44 +0000
Subject: [PATCH 3/3] style: auto-format code with Prettier (/format)

---
 server.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/server.js b/server.js
index 98274bd5..3fa8ddd2 100644
--- a/server.js
+++ b/server.js
@@ -136,4 +136,3 @@ app.use((req, res) => {
 app.listen(PORT, () => {
   console.log(`Server running at http://localhost:${PORT}`);
 });
-