saas-frontend-hardening
Install: claude install-skill hlsitechio/claude-skills-security
# SaaS Frontend Hardening
Audit the browser-side security surface of a SaaS application: headers, cookies, CSP, third-party scripts, postMessage flows, and DOM XSS sinks. Defensive find-and-fix focus.
## When this skill applies
- Reviewing HTTP security headers (CSP, HSTS, X-Frame-Options, etc.)
- Designing or hardening a Content Security Policy
- Reviewing cookie configurations
- Auditing inline scripts, dynamic eval, and DOM XSS sinks
- Reviewing iframe / postMessage flows for cross-origin trust
- Checking third-party script inclusions for SRI
Use other skills for: backend code XSS sinks in templates (`saas-code-security-review`), CORS on API endpoints (`saas-api-security`).
## Workflow
Follow `../_shared/audit-workflow.md`. Frontend-specific notes below.
### Phase 1: Scope confirmation
- Which framework (React/Vue/Svelte/Angular/plain)?
- Server-rendered, static, or SPA?
- Which CDN / edge layer (Vercel, Netlify, Cloudflare, custom)?
- Are there embedded customer apps or iframes (white-label, embedded widgets)?
### Phase 2: Inventory
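As an added example that is not part of this skill, the checker below scores an already-captured header set (for instance the output of the `curl -sI` call in this phase) against the header, framing, HSTS and cookie review points listed above. It runs offline on a constructed sample; the thresholds (one-year HSTS, the flagged CSP sources) are assumptions, not values from the skill.

```python
import re
# Constructed sample (not from any real deployment): a typical "mostly there" SaaS response.
SAMPLE_HEADERS = [
    ("Content-Security-Policy",
     "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example; object-src 'none'"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

def parse_csp(value):
    """Turn a CSP header value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers):
    """Return findings as strings; an empty list means nothing was flagged."""
    h, cookies = {}, []
    for name, value in headers:  # fold header names, but keep every Set-Cookie separately
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            h[name.lower()] = value
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP: missing")
    else:
        script = csp.get("script-src", csp.get("default-src", []))  # script-src falls back to default-src
        findings += [f"CSP: script-src allows {s}" for s in ("'unsafe-inline'", "'unsafe-eval'", "*") if s in script]
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("Framing: no frame-ancestors and no X-Frame-Options")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings.append("HSTS: missing")
    elif int(m.group(1)) < 31536000:  # assumed floor: one year
        findings.append(f"HSTS: max-age {m.group(1)} is under one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")
    for c in cookies:  # cookie name is before the first '=', attributes after the first ';'
        name, attrs = c.split("=", 1)[0], [a.strip().lower() for a in c.split(";")[1:]]
        findings += [f"Cookie {name}: missing {a}" for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"Cookie {name}: missing SameSite")
    return findings
```

Feed it the `(name, value)` pairs parsed from a real response and treat each finding as a review item, not an automatic fail; a `script-src` that legitimately needs inline code should move to nonces or hashes rather than silence the check.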
```bash
# Pull headers for a known URL
curl -sI -H 'Accept: text/html' https://app.yourorg.com/ | grep -iE \
'content-security-policy|strict-transport-security|x-frame-options|x-content-type-options|referrer-policy|permissions-policy|cross-origin-opener-policy|cross-origin-embedder-policy|cross-origin-resource-policy|set-cookie'
# Scan loaded resources from a representative page
# (use https://securityheaders.com or https://csp-ev