Security hardening, self-hosted fonts, RNG fix, and dead code cleanup #36

Merged
rogadev merged 4 commits into main from dev
Mar 30, 2026

@rogadev rogadev commented Mar 30, 2026

Summary

  • Security headers: Added CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to all Vercel routes
  • Self-hosted fonts: Replaced Google Fonts CDN with self-hosted Geist and JetBrains Mono variable fonts (WOFF2), eliminating external runtime dependency and improving offline reliability
  • RNG bias fix: Replaced division-based random int with rejection sampling to eliminate modulo bias in password generation
  • Bug fix: ruleNoLeadingSpecial was injecting letters from excluded character types — now correctly respects exclude flags
  • Lazy network interception: NetworkMonitor only patches fetch/XHR when the user opens the panel, not on mount
  • Bookmark UX: Replaced dead browser APIs (window.sidebar, window.external) and alert() with an inline keyboard shortcut hint
  • Dead code removal: Deleted unused Password.vue, insecure get.js (used Math.random), orphaned style.css, and no-op tailwind.config.js
  • Test coverage: Added 26 unit tests for generatePassword() covering all options, rules, error cases, and edge cases (40 total tests pass)
  • Misc: Added robots.txt, removed Google Fonts runtime caching from service worker config

Test plan

  • pnpm test — 40/40 unit tests pass
  • pnpm build — production build succeeds
  • pnpm test:browser — verify browser-level tests still pass
  • pnpm test:e2e — verify E2E flows (generate, copy, URL params, bookmark hint)
  • Verify fonts load correctly on deployed preview (no FOUT, no 404s)
  • Verify security headers via browser DevTools or curl -I
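
The rejection-sampling fix named in the summary above, sketched as an added example; it is not code from this pull request or the project. All function names are hypothetical, the 94-symbol alphabet and byte-sized word are constructed for the demo, and the plain `word % n` baseline stands in for a biased reduction rather than reproducing the removed code.

```javascript
// Added example (not the project's code). All names here are hypothetical.
const WORD_RANGE = 0x100000000; // one Uint32 word has 2^32 possible values

// Default source: one 32-bit word from the Web Crypto CSPRNG.
function cryptoUint32() {
  const buf = new Uint32Array(1);
  globalThis.crypto.getRandomValues(buf);
  return buf[0];
}

// Core of rejection sampling: words at or above the largest multiple of n
// form an incomplete block and are discarded (-1) instead of being reduced.
function acceptOrReject(word, n, range = WORD_RANGE) {
  const limit = range - (range % n);
  return word < limit ? word % n : -1;
}

// Uniform integer in [0, n): redraw until a word is accepted.
function unbiasedInt(n, nextWord = cryptoUint32, range = WORD_RANGE) {
  if (!Number.isInteger(n) || n < 1 || n > range) {
    throw new RangeError("n must be an integer in [1, range]");
  }
  for (;;) {
    const r = acceptOrReject(nextWord(), n, range);
    if (r !== -1) return r;
  }
}

// Count how many source words map to each output, over every possible word.
// A small range (256) makes the bias of a plain `word % n` exactly visible.
function preimageCounts(n, range, useRejection) {
  const counts = new Array(n).fill(0);
  for (let word = 0; word < range; word++) {
    const r = useRejection ? acceptOrReject(word, n, range) : word % n;
    if (r !== -1) counts[r]++;
  }
  return counts;
}

// Constructed demo: 94 symbols drawn from single bytes.
const naive = preimageCounts(94, 256, false);
const fixed = preimageCounts(94, 256, true);
console.log("naive min/max:", Math.min(...naive), Math.max(...naive)); // 2 3
console.log("rejection min/max:", Math.min(...fixed), Math.max(...fixed)); // 2 2
```

With a byte source, 68 of the 94 symbols have three preimages and the rest have two under plain reduction; rejection discards the 68 leftover byte values so every symbol has exactly two.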

rogadev added 4 commits March 30, 2026 12:33
…e docs

- Add CLAUDE.md and .claude/ configuration
- Move CI_CD.md to .github/ directory
- Add pnpm overrides to resolve dependency security vulnerabilities
- Add esbuild to onlyBuiltDependencies
…ad code

- Add comprehensive HTTP security headers in vercel.json (CSP, HSTS, X-Frame-Options, etc.)
- Self-host Geist and JetBrains Mono fonts, eliminating Google Fonts CDN dependency
- Fix modulo bias in password RNG by switching to rejection sampling
- Fix ruleNoLeadingSpecial bug that injected excluded character types
- Lazy-init network interception (only patch fetch/XHR when monitor panel opens)
- Replace dead bookmark APIs with inline keyboard shortcut hint
- Prevent double password generation on mount
- Remove dead code: Password.vue, get.js (insecure Math.random), style.css, tailwind.config.js
- Add 26 unit tests for password generator covering all options, rules, and edge cases
- Add robots.txt

vercel bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
password-generator Ready Ready Preview, Comment Mar 30, 2026 7:56pm

@rogadev rogadev merged commit c681dfc into main Mar 30, 2026
6 checks passed