Security Configuration Reference
Pixflare implements defense-in-depth security with multiple layers of protection:
- Content Security Policy (CSP) - Controls which resources browsers can load
- Security Headers - HTTP headers that enhance browser security
- CORS Configuration - Cross-origin resource sharing controls
- Rate Limiting - Prevents abuse and DoS attacks
- Input Validation - Protects against injection and traversal attacks
- Content Validation - Ensures uploaded files are safe
Security Critical
These settings are security-critical. Modifications should be reviewed carefully and tested thoroughly before deployment.
Configuration Files
Security configuration is centralized in two main files:
- config/src/security.ts - Core security constants (rate limiting, validation, content rules)
- config/src/headers.ts - HTTP headers configuration (CSP, CORS, security headers, cache control)
These constants are imported and used throughout the API and CDN to enforce consistent security policies.
Input Validation
PATH_TRAVERSAL_PATTERN
Value: /\.\.|\/\.\.|\.\/|\\|%2e%2e|%252e%252e|%2f|%5c/gi
MAX_PATH_DEPTH
Value: 5
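An added example (not Pixflare's own code) that applies the three input-validation constants of this section, including the BLOCKED_FILENAME_PATTERNS listed next, to a requested storage path. The path format ("users/42/avatar.png") and the segment-by-segment check are assumptions; the constants are copied from the reference.

```typescript
// Constants copied from the reference above.
const PATH_TRAVERSAL_PATTERN = /\.\.|\/\.\.|\.\/|\\|%2e%2e|%252e%252e|%2f|%5c/gi;
const MAX_PATH_DEPTH = 5;
const BLOCKED_FILENAME_PATTERNS: RegExp[] = [
  /^\./, // Hidden files
  /\.(exe|bat|cmd|sh|ps1|scr|com|pif)$/i, // Executable files
  /\.\./g, // Path traversal
  /__proto__|constructor|prototype/i, // Prototype pollution
];

// A regex created with the `g` flag keeps state in `lastIndex` between calls
// to test(), so a reused global regex can alternate between true and false on
// identical input. Resetting lastIndex first makes every check stateless.
function matches(pattern: RegExp, value: string): boolean {
  pattern.lastIndex = 0;
  return pattern.test(value);
}

interface PathCheck {
  ok: boolean;
  reason?: string;
}

// Validates a slash-separated path such as "users/42/avatar.png" (assumed format).
function checkUploadPath(path: string): PathCheck {
  // Check the raw string first so encoded traversal (%2e%2e, %2f) is caught
  // before anything further down the stack decodes it.
  if (matches(PATH_TRAVERSAL_PATTERN, path)) {
    return { ok: false, reason: 'path traversal sequence' };
  }
  const segments = path.split('/').filter((s) => s.length > 0);
  if (segments.length === 0) return { ok: false, reason: 'empty path' };
  if (segments.length > MAX_PATH_DEPTH) {
    return { ok: false, reason: `depth ${segments.length} exceeds ${MAX_PATH_DEPTH}` };
  }
  // The filename rules are applied to every segment, not only the last one,
  // so a directory named ".git" or "__proto__" is rejected as well.
  for (const seg of segments) {
    for (const p of BLOCKED_FILENAME_PATTERNS) {
      if (matches(p, seg)) return { ok: false, reason: `segment "${seg}" matches ${p}` };
    }
  }
  return { ok: true };
}
```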
BLOCKED_FILENAME_PATTERNS
[
/^\./, // Hidden files
/\.(exe|bat|cmd|sh|ps1|scr|com|pif)$/i, // Executable files
/\.\./g, // Path traversal
/__proto__|constructor|prototype/i, // Prototype pollution
]
Content Validation
CONTENT_TYPE_DETECTION_SAMPLE_SIZE
Value: 100
MAX_IMAGE_DIMENSION
Value: 50000
MIN_IMAGE_DIMENSION
Value: 1
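An added example (not Pixflare's own code) that sniffs an upload's real type from its leading bytes using the IMAGE_MAGIC_BYTES table listed next, and compares it with the declared Content-Type. Two prefixes in that table are not unique to images: "RIFF" also opens WAV and AVI files, and three zero bytes open many formats, so the example goes a step further than the table and confirms WebP and AVIF by the marker that follows the prefix; the offset checks and the major-brand-only AVIF rule are assumptions.

```typescript
// Constants copied from the reference.
const CONTENT_TYPE_DETECTION_SAMPLE_SIZE = 100;
const IMAGE_MAGIC_BYTES: Record<string, number[]> = {
  'image/jpeg': [0xff, 0xd8, 0xff],
  'image/png': [0x89, 0x50, 0x4e, 0x47],
  'image/gif': [0x47, 0x49, 0x46],
  'image/webp': [0x52, 0x49, 0x46, 0x46], // RIFF
  'image/avif': [0x00, 0x00, 0x00], // ftyp
};

// True when `text` appears as ASCII at `offset` in `bytes`.
function asciiAt(bytes: Uint8Array, offset: number, text: string): boolean {
  if (bytes.length < offset + text.length) return false;
  for (let i = 0; i < text.length; i++) {
    if (bytes[offset + i] !== text.charCodeAt(i)) return false;
  }
  return true;
}

// Returns the detected MIME type, or null when nothing matches.
function detectImageType(data: Uint8Array): string | null {
  const head = data.subarray(0, CONTENT_TYPE_DETECTION_SAMPLE_SIZE);
  for (const mime of Object.keys(IMAGE_MAGIC_BYTES)) {
    const magic = IMAGE_MAGIC_BYTES[mime];
    if (head.length < magic.length) continue;
    if (!magic.every((b, i) => head[i] === b)) continue;
    // RIFF container: bytes 8-11 name the form type ("WEBP", "WAVE", "AVI ").
    if (mime === 'image/webp' && !asciiAt(head, 8, 'WEBP')) continue;
    // ISOBMFF: bytes 4-7 are "ftyp", bytes 8-11 the major brand. Accepting the
    // "avif" major brand only is a simplification (assumed here); "avis" and
    // the compatible-brands list exist too and a production sniffer scans them.
    if (mime === 'image/avif' && !(asciiAt(head, 4, 'ftyp') && asciiAt(head, 8, 'avif'))) continue;
    return mime;
  }
  return null;
}

// Accepts the upload only when the sniffed type equals the declared Content-Type,
// so a renamed script or HTML file cannot be stored and served as an image.
function validateUpload(declaredType: string, data: Uint8Array): boolean {
  const detected = detectImageType(data);
  return detected !== null && detected === declaredType.trim().toLowerCase();
}
```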
IMAGE_MAGIC_BYTES
{
'image/jpeg': [0xff, 0xd8, 0xff],
'image/png': [0x89, 0x50, 0x4e, 0x47],
'image/gif': [0x47, 0x49, 0x46],
'image/webp': [0x52, 0x49, 0x46, 0x46], // RIFF
'image/avif': [0x00, 0x00, 0x00], // ftyp
}
Content Security Policy
CSP_API
Blocks all content loading for API routes (except /docs), because the API returns JSON only
Value: "default-src 'none'; frame-ancestors 'none'; base-uri 'none'"
CSP_CDN
For the CDN routes, allow images and inline styles only (no scripts)
Value: "default-src 'none'; img-src 'self'; style-src 'unsafe-inline'"
CSP_API_DOCS
This one is just for the API docs route, as we allow Scalar assets from jsdelivr
Value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com; img-src 'self' data: https:; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://fonts.scalar.com; connect-src 'self' https://cdn.jsdelivr.net;"
CSP_AUTHJS
Content Security Policy for Auth.js routes (/auth/*). Allows Auth.js to function properly with:
- Inline scripts for CSRF token handling
- Images from authjs.dev for provider logos
- Inline styles for Auth.js UI
- Form actions and fetch requests
Value: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' https://authjs.dev; font-src 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';"
Security Headers
X_CONTENT_TYPE_OPTIONS
Prevents browsers from MIME-sniffing (guessing content types), so they're forced to respect the Content-Type header instead
Value: 'nosniff'
X_FRAME_OPTIONS_DENY
Prevents API routes from being embedded in iframes/frames/objects, because that would open you up to clickjacking attacks.
Value: 'DENY'
X_FRAME_OPTIONS_SAMEORIGIN
Allows certain pages to be embedded if the host is the same origin. If you need cross-origin embedding, adjust the CSP frame-ancestors directive instead.
Value: 'SAMEORIGIN'
REFERRER_POLICY
This controls how much referrer information is sent when users navigate away from your site. The API and CDN both use it; strict means we respect privacy but still send the origin for same-origin requests.
Value: 'strict-origin-when-cross-origin'
PERMISSIONS_POLICY
Disable the browser features that we definitely don't need access to
Value: 'geolocation=(), microphone=(), camera=()'
STRICT_TRANSPORT_SECURITY
Prevents non-HTTPS connections to the site (for 1 year). Don't change this, because it prevents SSL-stripping attacks.
Value: 'max-age=31536000; includeSubDomains; preload'
CROSS_ORIGIN_RESOURCE_POLICY_CROSS_ORIGIN
Allows images to be served to any origin. You could restrict this to just the domains you want, but for an image CDN you generally want to let users embed the images on any website.
Value: 'cross-origin'
CROSS_ORIGIN_RESOURCE_POLICY_SAME_ORIGIN
Again, prevents the API from being called from any origin other than the main site
Value: 'same-origin'
CROSS_ORIGIN_EMBEDDER_POLICY
Requires that cross-origin resources explicitly opt in to being loaded
Value: 'require-corp'
CROSS_ORIGIN_OPENER_POLICY
Isolates the current page from any pages that opened it (via JS or href)
Value: 'same-origin'
CORS Configuration
CORS_ALLOW_ALL_ORIGINS
This determines which origins (websites) can make requests for CDN images. Best practice is usually to specify a list of hosts, but for this public instance I want to allow literally any site to embed images, so I use "*" to allow all.
Value: '*'
CORS_CDN_METHODS
Allows only the read-only (fetching) methods for CORS requests from frontend websites to the CDN
Value: 'GET, HEAD, OPTIONS'
CORS_API_METHODS
Allowed HTTP methods for CORS requests to API routes: full CRUD operations. Note that if you're looking to restrict API methods, do it at the route/permission level instead, not via CORS (which is just a browser check)
Value: 'GET, POST, PUT, PATCH, DELETE, OPTIONS'
CORS_ALLOWED_HEADERS
Specifies which HTTP headers browsers are allowed to send in CORS requests. Used by the CDN and the API. The only reason you'd need to modify this is if you're adding your own authentication method that needs custom headers
Value: 'Content-Type, Authorization'
CORS_MAX_AGE
Determines how long (in seconds) browsers should cache CORS preflight responses
Value: '86400'
CORS_HEADERS_CDN
CORS headers for the CDN responses
{
'Access-Control-Allow-Origin': CORS_ALLOW_ALL_ORIGINS,
'Access-Control-Allow-Methods': CORS_CDN_METHODS,
'Access-Control-Allow-Headers': CORS_ALLOWED_HEADERS,
'Access-Control-Max-Age': CORS_MAX_AGE,
}
CORS_HEADERS_API_PREFLIGHT
CORS headers for API preflight responses
{
'Access-Control-Allow-Methods': CORS_API_METHODS,
'Access-Control-Allow-Headers': CORS_ALLOWED_HEADERS,
'Access-Control-Max-Age': CORS_MAX_AGE,
'Access-Control-Allow-Credentials': 'true',
}
Cache Control
CACHE_CONTROL_IMMUTABLE
Tells browsers and the CDN to cache the response for a given time (1 year here) and to treat it as immutable (because it won't change).
Value: 'public, max-age=31536000, immutable'
CACHE_CONTROL_PRIVATE
Prevents caching for private or user-specific content
Value: 'private, no-cache, must-revalidate'
CACHE_CONTROL_VARIANT_PENDING
Used when the image variant is still being generated; the server's pending response is cached for 1 hour
Value: 'public, max-age=3600'
CACHE_CONTROL_NO_STORE
Prevents all caching; used for private API responses. Don't change.
Value: 'no-store, no-cache, must-revalidate, proxy-revalidate'
CACHE_CONTROL_NOT_FOUND
If an image isn't found, cache that 404 response for 5 minutes
Value: 'public, max-age=300'
Content Disposition
CONTENT_DISPOSITION_INLINE
Tells the browser to display images inline (instead of downloading them as a file)
Value: 'inline'
CONTENT_DISPOSITION_ATTACHMENT
Tells browsers to download as a file, instead of displaying inline (for download endpoints)
Value: 'attachment'
Custom Application Headers
X_REQUEST_ID
The name of the header used for request tracing IDs; we use this for logging and debugging
Value: 'X-Request-ID'
X_MOCK_AUTH
Name of the custom header for bypassing auth, used for dev and the testing environment
Value: 'X-Mock-Auth'
X_VARIANT_STATUS
Header name for variant generation status
Value: 'X-Variant-Status'
X_IMAGE_ID
Header name for the image ID for CDN responses
Value: 'X-Image-ID'
Legacy Headers
PRAGMA_NO_CACHE
Value: 'no-cache'
EXPIRES_IMMEDIATE
Value: '0'
Header Sets
SECURITY_HEADERS_API
Headers for the API responses
{
'X-Content-Type-Options': X_CONTENT_TYPE_OPTIONS,
'X-Frame-Options': X_FRAME_OPTIONS_DENY,
'Referrer-Policy': REFERRER_POLICY,
'Permissions-Policy': PERMISSIONS_POLICY,
'Cross-Origin-Resource-Policy': CROSS_ORIGIN_RESOURCE_POLICY_SAME_ORIGIN,
}
SECURITY_HEADERS_CDN
Security headers for the CDN responses
{
'X-Content-Type-Options': X_CONTENT_TYPE_OPTIONS,
'Referrer-Policy': REFERRER_POLICY,
'Permissions-Policy': PERMISSIONS_POLICY,
'Cross-Origin-Resource-Policy': CROSS_ORIGIN_RESOURCE_POLICY_CROSS_ORIGIN,
}
SECURITY_HEADERS
Value: SECURITY_HEADERS_API
NO_CACHE_HEADERS
Headers for responses that should never be cached
{
'Cache-Control': CACHE_CONTROL_NO_STORE,
Pragma: PRAGMA_NO_CACHE,
Expires: EXPIRES_IMMEDIATE,
}
HSTS_HEADER
Value: STRICT_TRANSPORT_SECURITY
Security Configuration
46 security constants across 10 categories
Auto-generated from config/src/security.ts and config/src/headers.ts. Run pnpm docs:gen to update.
Last updated: 2026-01-21