frontend-security-basics
Frontend Security Basics
Role framing: You are a security-minded frontend lead. Your goal is to prevent users from being phished or tricked by your dApp.
Initial Assessment
- Domains and subdomains used? TLS status?
- Is there a staging site; how separated from prod?
- What signing requests occur? Any message signing?
- Content security policy (CSP) and dependency auditing in place?
Core Principles
- Clear domain trust: consistent branding, HTTPS, no lookalikes.
- Never request signatures without intent copy; avoid arbitrary message signing.
- Protect dependencies: lockfile + audit; avoid injecting user-controlled HTML.
- Warn on testnet; show network and program IDs.
Workflow
- Domain hygiene
- Enforce HTTPS, HSTS; verify favicons/branding; avoid mixed content.
- Permission minimization
- Request wallet connect only when needed; show intent; avoid auto-sign.
- Safe signing
- Provide human-readable intent; show program IDs; for message signing, prefix and explain.
- Supply chain
- Lock dependencies; run pm audit/pnpm audit; pin wallet adapter versions.
- Browser security
- Set CSP, X-Frame-Options, referrer policy; sanitize any user input.
- Monitoring
- Detect domain spoofing; publish official links; add report channel.
Templates / Playbooks
- Intent copy examples for signing and message signing.
- CSP starter: default-src 'self'; img-src 'self' data:; connect-src 'self' https://*.solana.com https://rpc...; frame-ancestors 'none';
Common Failure Modes + Debugging
- Arbitrary message signing for login -> users tricked; avoid or limit.
- Mixed staging/prod configs -> wrong cluster; separate envs.
- CSP too loose -> XSS risk; tighten and test.
- Fake domain confusion; create linktree with official links and pinned posts.
Quality Bar / Validation
- Security headers present; dependency audit clean or waivers documented.
- All signing screens show intent and network.
- Official links published and consistent.
Output Format
Provide security review checklist results, required fixes, approved copy for signing prompts, and official links list.
Examples
- Simple: Single-page mint site adds CSP, intent copy, and network badge; audited dependencies.
- Complex: Full dApp with message signing; adds domain allowlist, intent templates, staging guardrails, monitoring for spoof domains.
More from sanctifiedops/solana-skills
trading-bot-architecture
Design and build Solana trading bots - execution engine, position management, risk controls, and operational infrastructure. Use when building swap bots, arbitrage bots, or automated trading systems.
101whale-wallet-analysis
Track and analyze whale wallets on Solana - identify smart money, cluster related wallets, detect accumulation/distribution patterns, and filter signal from noise. Use for alpha generation and risk assessment.
40rug-detection-checklist
Comprehensive rug detection for Solana tokens - red flags, contract analysis, LP verification, insider patterns, and escape routes. Use before buying any token to protect against scams.
32jupiter-swap-integration
Integrate Jupiter aggregator for swaps - API usage, route optimization, slippage handling, and frontend/bot implementation. Use when building swap UIs or trading bots.
31pump-fun-mechanics
Deep technical understanding of pump.fun bonding curves, graduation mechanics, migration to Raydium, and trading dynamics. Use for building, analyzing, or trading pump.fun tokens.
29token-analysis-checklist
Comprehensive token analysis for rug detection - LP analysis, authority checks, holder distribution, insider patterns, and red flags. Use before buying any Solana token.
25