This application implements a multi-layered security system designed to protect against various threats and vulnerabilities. The security system is modular, configurable, and includes both client-side and server-side security measures.
Purpose: Creates cryptographically strong passwords that meet all security requirements.
How it works:
- Uses
crypto.getRandomValues()for true randomness - Supports customizable length (8-64 characters)
- Multiple character set options (uppercase, lowercase, numbers, symbols)
- Excludes similar characters (0, O, 1, l) to prevent confusion
- Ensures password meets all selected requirements
- Provides real-time strength analysis
- One-click copy to clipboard functionality
Security Benefits:
- Eliminates weak user-generated passwords
- Prevents password reuse across sites
- Meets enterprise security standards
- Reduces human error in password creation
Usage:
// Basic usage
const password = securityManager.generateSecurePassword(16);
// Advanced usage with options
const password = securityManager.generateSecurePassword(20, {
includeUppercase: true,
includeLowercase: true,
includeNumbers: true,
includeSymbols: false,
excludeSimilar: true
});Purpose: Immediately terminates all active sessions and clears sensitive data.
What it clears:
- Authentication Data: User email, session tokens, password hashes
- Session Storage: All temporary session data
- Local Storage: User preferences, cached data, form data
- Rate Limiting Data: Login attempts, request counters
- Browser Cookies: Authentication cookies, tracking cookies
- Browser Cache: Cached pages, resources, API responses
- Security State: CSRF tokens, rate limit counters
Types of Logout:
-
Standard Force Logout (
performSecureLogout()):- User-initiated with confirmation
- Comprehensive data cleanup
- Detailed progress display
- Audit trail logging
-
Emergency Logout (
emergencyLogout()):- Automatic threat response
- No user confirmation required
- Immediate execution
- Preserves security logs for investigation
Security Benefits:
- Prevents session hijacking
- Clears sensitive data exposure
- Maintains audit trail
- Enables threat response
- Ensures complete state reset
Usage:
// Standard logout
securityManager.performSecureLogout('user_initiated', {
clearCookies: true,
clearCaches: true,
keepSecurityLogs: false
});
// Emergency logout
securityManager.emergencyLogout('suspicious_activity');The main security orchestrator that coordinates all security features.
Features:
- CSRF Protection
- Session Management
- Input Sanitization
- Rate Limiting
- Login Attempt Monitoring
- Security Event Logging
- Content Security Policy
- Security Headers
Centralized configuration for all security settings.
Configurable Areas:
- Session timeouts and limits
- Login security policies
- Rate limiting thresholds
- CSP directives
- Input validation rules
- Monitoring settings
- Feature flags
Advanced security utilities and threat detection.
Features:
- Device Fingerprinting
- Behavioral Analysis
- Threat Detection (SQL Injection, XSS, Command Injection)
- Encryption/Decryption utilities
- Network security checks
- Bot detection
- Minimum 8 characters
- Must contain uppercase, lowercase, numbers, and special characters
- No common patterns (123, abc, password, qwerty)
- No repeating characters
- Maximum 5 failed login attempts
- 15-minute lockout duration
- Automatic unlock after timeout
- Security event logging
- 30-minute session timeout
- Activity-based session renewal
- Secure session storage
- Multi-tab session handling
- Automatic logout on suspicious activity
- Unique tokens for each session
- Token validation on form submissions
- Automatic token refresh
- SQL Injection detection and blocking
- XSS attack prevention
- Command injection protection
- Malicious pattern recognition
- Automatic input sanitization
- Strict script execution policies
- Whitelisted domains for resources
- Prevention of inline script execution
- Frame-ancestors protection
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Mouse movement patterns
- Keystroke timing analysis
- Scroll behavior monitoring
- Click pattern analysis
- Bot detection algorithms
- Browser characteristics
- Screen resolution and color depth
- Available fonts detection
- WebGL fingerprinting
- Hardware information
- Network connection details
- Suspicious activity monitoring
- Rapid form submission detection
- Developer tools usage detection
- Extension monitoring
- Screen recording detection
- 60 requests per minute (configurable)
- 5 login attempts per minute
- 10 form submissions per minute
- IP-based and user-based limiting
- Local storage encryption
- Session data encryption
- Secure token generation
- RSA key pair generation for sensitive data
- Encrypted local storage wrapper
- Secure session management
- Automatic data cleanup on logout
The system logs various security events for monitoring and analysis:
USER_LOGIN/USER_LOGOUTLOGIN_FAILED/ACCOUNT_LOCKEDSESSION_EXPIRED/SESSION_INVALIDMALICIOUS_INPUT_DETECTEDRAPID_FORM_SUBMISSIONDEVTOOLS_OPENEDSUSPICIOUS_EXTENSIONBOT_DETECTEDSECURITY_THREAT_DETECTEDCLIPBOARD_COPY/CLIPBOARD_PASTESCREEN_SHARE_ATTEMPT
{
type: "EVENT_TYPE",
timestamp: 1640995200000,
userAgent: "Mozilla/5.0...",
url: "https://example.com/page",
email: "user@example.com",
// Additional event-specific data
}const SECURITY_CONFIG = {
SESSION: {
TIMEOUT: 30 * 60 * 1000, // 30 minutes
MAX_CONCURRENT_SESSIONS: 3
},
LOGIN: {
MAX_ATTEMPTS: 5,
LOCKOUT_DURATION: 15 * 60 * 1000 // 15 minutes
},
RATE_LIMIT: {
REQUESTS_PER_MINUTE: 60
}
};FEATURES: {
ADVANCED_THREAT_DETECTION: true,
BEHAVIORAL_ANALYSIS: true,
DEVICE_FINGERPRINTING: true,
CLIPBOARD_MONITORING: true,
SCREEN_RECORDING_DETECTION: true
}Access /test-security.html to test all security features:
-
Core Security Tests
- Security manager initialization
- Email/password validation
- Input sanitization
- CSRF token generation
-
Input Validation Tests
- Try malicious inputs to test blocking
- SQL injection attempts
- XSS attack vectors
-
Rate Limiting Tests
- Rapid clicking to trigger limits
- Form submission flooding
-
Behavioral Analysis
- Mouse movement tracking
- Keystroke pattern analysis
-
Device Fingerprinting
- Unique device identification
- Browser characteristic analysis
<script src="./js/security-config.js"></script>
<script src="./js/security-utils.js"></script>
<script src="./js/security.js"></script>// Security manager auto-initializes
// Access via window.securityManager// Automatic validation on all forms
// Manual validation:
const isValid = window.securityManager.secureFormSubmit(form);if (!window.securityManager.validateUserSession()) {
// Redirect to login
}// Events are automatically logged
// Access logs:
const logs = JSON.parse(localStorage.getItem('securityLog') || '[]');Access the security dashboard at /src/security-dashboard.html to:
- View real-time security status
- Monitor failed login attempts
- Check session information
- Review security event logs
- Generate secure passwords
- Manage security settings
- Client-side security is not foolproof
- Always validate on server-side as well
- Use HTTPS in production
- Implement proper server-side CSP headers
- Device fingerprinting may raise privacy concerns
- Behavioral tracking should comply with privacy laws
- Consider user consent for monitoring features
- Behavioral analysis may impact performance
- Adjust monitoring frequency based on needs
- Consider disabling features on low-end devices
// Extend SecurityManager
window.securityManager.addCustomRule = function(input) {
// Your custom validation logic
return { isValid: true, threats: [] };
};// Listen for security events
document.addEventListener('securityEvent', (e) => {
console.log('Security event:', e.detail);
});// Override specific settings
window.SECURITY_CONFIG.LOGIN.MAX_ATTEMPTS = 3;The system tracks various security metrics:
- Failed login attempts per user/IP
- Session duration and activity
- Input validation blocks
- Rate limiting triggers
- Behavioral analysis scores
- Device fingerprint changes
- Security event frequency
- Review security logs weekly
- Update threat detection patterns
- Adjust rate limiting based on usage
- Monitor false positive rates
- Update security configurations
- Test security features regularly
- Keep security scripts updated
- Review and update CSP policies
- Monitor for new threat vectors
- Update encryption methods as needed
For security-related issues or questions:
- Check the security logs first
- Test with
/test-security.html - Review configuration settings
- Check browser console for errors
- Verify all security scripts are loaded
- Defense in Depth: Multiple security layers
- Principle of Least Privilege: Minimal permissions
- Regular Updates: Keep security measures current
- Monitoring: Continuous security monitoring
- User Education: Train users on security practices
- Incident Response: Have a plan for security incidents
Note: This security system provides comprehensive client-side protection but should be complemented with robust server-side security measures for complete protection.