Security: DanielHaggstrom/asteroid_explorer
Security
This project does not require API keys.
No secrets should be committed. .env* files are ignored by default.
If private integrations are added later, use environment variables and secret managers in CI/CD.
Strict Content Security Policy is defined in index.html.
The app renders data with textContent and avoids unsafe HTML insertion.
The browser talks only to same-origin endpoints served by server.mjs.
The server exposes fixed-purpose routes only: /api/main-belt, /api/catalog, /api/search, and /healthz.
Methods are restricted to GET for API routes and static assets.
Security headers are set by the server (nosniff, referrer policy, permissions policy).
Static-path resolution is normalized to block path traversal.
Search and catalog filters are normalized before being forwarded upstream.
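The server-side rules above (fixed GET-only routes, security headers, traversal-safe static paths, and normalized filters before anything is forwarded upstream) can be expressed as one pure request-policy function. The following is an added example, not the project's server.mjs: the route names come from this page, while the header values, the `public` static root, the `q`/`limit` filter parameters and all function names are assumptions made for illustration. Keeping the policy free of socket I/O makes each rule unit-testable.

```javascript
// Added example (not the project's code). Pure request policy that mirrors
// the hardening rules described on this page; all names except the route
// paths are assumptions.

// Fixed-purpose routes from the page; anything else under /api/ is rejected.
const API_ROUTES = new Set(['/api/main-belt', '/api/catalog', '/api/search', '/healthz']);

// Header values are assumed; the page only names the header families.
const SECURITY_HEADERS = Object.freeze({
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
});

// Map a raw request path onto a file under `root`, or return null when the
// path cannot be safely resolved. Percent-decoding happens first so that
// encoded dot segments are seen as what they are; any ".." segment, NUL
// byte or backslash is rejected outright rather than "fixed up".
function resolveStaticPath(root, rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; }
  if (decoded.includes('\0') || decoded.includes('\\')) return null;
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') return null;
    segments.push(seg);
  }
  const rel = segments.length ? segments.join('/') : 'index.html';
  return `${root}/${rel}`;
}

// Normalize user-supplied filters before they reach the upstream API.
// Only the allow-listed keys survive; free text is trimmed, length-capped
// and restricted to a conservative character class, and numeric values are
// clamped to a sane range with a fallback for garbage.
function normalizeFilters(searchParams) {
  const q = (searchParams.get('q') ?? '').trim().slice(0, 64);
  const n = Number.parseInt(searchParams.get('limit') ?? '', 10);
  return {
    q: /^[\w .-]*$/.test(q) ? q : '',
    limit: Number.isInteger(n) ? Math.min(Math.max(n, 1), 100) : 20,
  };
}

// Decide how a request is handled. `req` is a plain { method, url } object
// (the same two fields Node's http.IncomingMessage exposes), so the policy
// can be exercised without opening a socket.
function policy(req) {
  const headers = { ...SECURITY_HEADERS };
  if (req.method !== 'GET') {
    return { status: 405, headers: { ...headers, Allow: 'GET' } };
  }
  // Route matching uses the raw path, not a parser-normalized one, so that
  // dot segments reach resolveStaticPath and are rejected there.
  const rawPath = req.url.split('?')[0];
  const { searchParams } = new URL(req.url, 'http://localhost');
  if (API_ROUTES.has(rawPath)) {
    const filtered = rawPath === '/api/search' || rawPath === '/api/catalog';
    return { status: 200, headers, route: rawPath, upstream: filtered ? normalizeFilters(searchParams) : {} };
  }
  if (rawPath.startsWith('/api/')) return { status: 404, headers };
  const file = resolveStaticPath('public', rawPath);
  return file ? { status: 200, headers, file } : { status: 404, headers };
}

// Stand-alone demonstration of the three rules.
console.log(policy({ method: 'POST', url: '/api/search' }).status);            // 405
console.log(policy({ method: 'GET', url: '/%2e%2e/server.mjs' }).status);      // 404
console.log(policy({ method: 'GET', url: '/api/search?q=ceres&limit=9999' }).upstream);
```

Wiring this into a real `http.createServer` handler means calling `policy(req)`, writing `result.headers` with `res.writeHead`, and only then streaming the file or proxying the upstream call; the policy itself never touches the filesystem or the network, which is what keeps the traversal and method checks easy to test in isolation.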
Operational Hardening Checklist
Serve over HTTPS only.
Keep the public deployment on a Node host with outbound access restricted to what the service actually needs.
Monitor NASA/JPL API availability and latency.
Refresh the committed startup sample periodically with npm run sample:update.
Keep dependencies minimal; this project currently has no runtime package dependencies.
There aren’t any published security advisories