This document outlines the security architecture, threat models, and protective measures implemented in the Nuxt Ads application. For implementation details, see the actual source code files and their comprehensive test suites.
Threat Model:
- Parameter injection attacks
- Denial of Service (DOS) via oversized values
- Unexpected behavior from unvalidated inputs
Implementation: infrastructure/security/validators.ts - validateQueryParameters()
Strategy: Whitelist-based validation with length limits and type checking.
Whitelist:
at- Location/page identifierpk- Publisher keyrandom- Randomization flagcategory- Ad category filtersb- Shuffle button flag
Validation Rules:
| Check | Implementation | Reason |
|---|---|---|
| Whitelist | Only allowed params pass | Prevents injection attacks |
| Type | Must be string | Prevents type coercion attacks |
| Length | Max 100 chars | DOS prevention |
| Whitespace | Trimmed | Prevents bypass attempts |
Test Coverage: tests/unit/infrastructure/security.test.ts
- β Allows whitelisted parameters
- β Rejects non-whitelisted parameters
- β Rejects empty or whitespace values
- β Rejects extremely long values (DOS)
- β Handles empty filters object
- β Trims whitespace from values
Threat Model:
- Missing required credentials
- Invalid configuration causing unexpected behavior
- Exposure to misconfigured endpoints
Implementation: infrastructure/security/validators.ts - validateRuntimeConfig()
Strategy: Strict validation of required configuration at startup.
Validation Rules:
| Check | Requirement | Reason |
|---|---|---|
| adsServer present | Required | No fallback API endpoint allowed |
| adClient present | Required | No anonymous ad serving |
| URL format | Valid URL | Prevents malformed endpoints |
| Non-empty values | Required | Prevents misconfiguration |
Test Coverage: tests/unit/infrastructure/security.test.ts
- β Accepts valid configuration
- β Rejects missing adsServer
- β Rejects missing adClient
- β Rejects invalid URL format
- β Rejects empty adClient
Module: infrastructure/security/messaging.ts
Threat Model:
- Message injection from malicious origins
- Cross-site scripting (XSS) via iframe messages
- Data leakage to unauthorized frames
Implementation:
The safe messaging API provides origin-validated postMessage communication with three key protections:
- Origin Validation - Explicit whitelist, no wildcard
* - Structure Validation - Messages must have required
typefield - Fail-Closed - Invalid messages rejected immediately
For implementation details and sender/receiver patterns, see messaging.ts.
Key Security Features:
| Feature | Implementation | Benefit |
|---|---|---|
| Origin checking | Explicit list, no * |
Prevents message injection |
| Parent origin detection | Auto-detects from referrer in iframe | Safe cross-origin messaging |
| Fail-closed | Reject on any validation error | Secure by default |
| Type enforcement | Required type field |
Clear message intent |
| No broadcast | Target parent window only | Limits exposure |
| Error handling | Try-catch with logging | Prevents crashes |
Test Coverage: β Covered by unit tests
- β Accepts message from same origin
- β Rejects message from different origin
- β Rejects message with invalid structure
- β Rejects message without type
- β Accepts custom allowed origins
- β Sends message to parent window
- β Handles postMessage errors gracefully
Do: Load from runtime config at build time
Why: Environment variables set at build time ensure secrets never leak to version control. See NuxtConfigProvider.ts for the implementation.
Do: Use URL constructor for safe URL building with automatic parameter encoding
Why: URL constructor prevents injection attacks by automatically encoding parameters. See AdRepository.ts for safe URL construction example.
Do: Use safe messaging API with origin validation via sendSafeMessage()
Why: Wildcard origins allow any origin to intercept messages. Explicit origin checking is required. See messaging.ts for implementation and messaging.test.ts for usage examples.
Do: Log errors for debugging but never expose system details to end users
Why: Error details help attackers understand your system. See useAdController.ts for safe error handling patterns and RandomAd.test.ts for error handling tests.
Do: Validate all external data before processing via validateQueryParameters()
Why: All external data (user input, API responses) can be malicious. See security.test.ts for validation test examples and validators.ts for implementation.
| Threat | Layer | Mitigation | Status |
|---|---|---|---|
| Parameter Injection | Input Validation | Whitelist-based filtering | β Implemented |
| DOS via Large Input | Input Validation | 100-char length limit | β Implemented |
| Missing Config | Config Validation | Required field checks | β Implemented |
| Invalid URLs | Config Validation | URL format validation | β Implemented |
| Message Injection | Safe Messaging | Origin-based validation | β Implemented |
| Wildcard postMessage | Safe Messaging | Explicit origin required | β Implemented |
| Malformed Messages | Safe Messaging | Structure validation | β Implemented |
| Missing Secrets | Environment | Build-time config injection | β Implemented |
| API Key Exposure | Development | Keys in GitHub Secrets, not .env | β Implemented |
| Unhandled Errors | Error Handling | Try-catch with logging | β Implemented |
Security tests are automatically included in the main test suite:
pnpm test- Run all tests including security testspnpm test tests/unit/infrastructure/security.test.ts- Input & config validationpnpm test tests/unit/infrastructure/messaging.test.ts- Safe messaging
Security-specific test files:
- tests/unit/infrastructure/security.test.ts - Input & config validation
- tests/unit/infrastructure/messaging.test.ts - Safe messaging
All security tests must pass before deployment.
Query Parameters:
- Valid params pass validation
- Invalid params are rejected
- Long values (>100 chars) are rejected
- Whitespace is trimmed
Configuration:
- Missing
adsServeris caught - Missing
adClientis caught - Invalid URL is rejected
- Empty values are rejected
Message API:
- Same-origin messages are accepted
- Different-origin messages are rejected
- Messages without
typefield are rejected - Malformed messages are rejected
Before committing code, verify:
- No secrets in code - Check for API keys, tokens, credentials
- Input validated - Query params, config, API responses checked
- Errors handled - Try-catch blocks with appropriate logging
- Messages safe - Using
sendSafeMessageinstead ofpostMessage('*') - URLs validated - Using
new URL()constructor - Tests passing - All security tests pass
- No console logs - Sensitive data not logged
Required secrets for deployment:
NUXT_PUBLIC_ADS_SERVER β Backend API URL
NUXT_PUBLIC_AD_CLIENT β Google AdSense Publisher ID
SSH_HOST β Server hostname
SSH_USERNAME β SSH username
SSH_KEY β SSH private key
SSH_PORT β SSH port (usually 22)
SSH_DEPLOY_PATH β Deployment directory path
- All GitHub Secrets configured
- No
.envfile committed to repo - Build-time environment variables set
- HTTPS enforced on all connections
- CORS headers properly configured
- postMessage origins validated
- Security tests passing on CI/CD
- ARCHITECTURE.md - Overall architecture
- API_DOCUMENTATION.md - Public API reference
- CONTRIBUTING.md - Contribution guidelines
If you discover a security vulnerability, do not open a public issue. Instead, email the maintainers with details.
What to include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
Last Updated: February 5, 2026 Status: Phase 5 & 6 Complete