Security: lafaCodes/Qre8

SECURITY.md

QRe8 Security Configuration Guide

This document outlines the security measures implemented in QRe8 and provides instructions for configuring additional server-side protection.

Table of Contents

  1. Client-Side Security
  2. Cloudflare Pages Security Headers
  3. Cloudflare WAF Rate Limiting
  4. Cloudflare Turnstile Configuration
  5. Security Best Practices

Client-Side Security

QRe8 implements multiple layers of client-side security:

Input Validation (Zod Schemas)

  • Maximum lengths on all text inputs, which bounds the work the client-side encoder does per request (DoS protection)
  • Phone number validation with regex pattern
  • Geo coordinates validation with range checking (-90 to 90 for lat, -180 to 180 for lon)
  • Email validation using Zod's built-in email validator
  • URL validation for website fields

XSS Prevention

  • HTML sanitization strips <script> tags and other HTML elements before a value is encoded or previewed
  • Control character removal from all inputs (raw control bytes would otherwise break line-oriented formats such as vCard)
  • Format-specific escaping for WiFi, vCard, and iCalendar payloads, so a user-supplied ; , : or newline cannot inject extra fields into the generated record

Rate Limiting (Client-Side)

Located in src/lib/rate-limit.ts:

  • QR Generation: 60 per hour
  • Downloads: 30 per hour
  • Burst Protection: 10 per minute

⚠️ Note: Client-side rate limiting runs in the visitor's browser and can be bypassed by anyone who clears local storage, disables JavaScript, or calls the QR encoder directly. Treat it as a UX guard and always implement server-side rate limiting (see Cloudflare WAF Rate Limiting below).
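A sliding-window limiter that enforces the three thresholds above per action, as an added example rather than the project's own src/lib/rate-limit.ts. The clock and the storage are injected so it runs outside a browser; the storage key prefix and the action names are assumptions. It also shows the one failure mode a client-side limiter must handle gracefully: a tampered or corrupt storage entry is treated as empty instead of breaking the page.

```typescript
// Added example, not the project's rate-limit.ts. Key prefix and action names are assumed.

export interface RateLimitPolicy { limit: number; windowMs: number }
export interface RateLimitStorage { getItem(key: string): string | null; setItem(key: string, value: string): void }
export interface RateLimitResult { allowed: boolean; retryAfterMs: number }

const HOUR = 60 * 60 * 1000;
const MINUTE = 60 * 1000;

// Each action has a sustained quota plus the shared 10-per-minute burst limit.
export const POLICIES: Record<"generate" | "download", RateLimitPolicy[]> = {
  generate: [{ limit: 60, windowMs: HOUR }, { limit: 10, windowMs: MINUTE }],
  download: [{ limit: 30, windowMs: HOUR }, { limit: 10, windowMs: MINUTE }],
};

function load(storage: RateLimitStorage, key: string): number[] {
  try {
    const parsed = JSON.parse(storage.getItem(key) ?? "[]");
    // Anything that is not an array of numbers (edited by hand, corrupted) counts as empty.
    return Array.isArray(parsed) ? parsed.filter((t) => typeof t === "number") : [];
  } catch {
    return [];
  }
}

export function checkRateLimit(action: keyof typeof POLICIES, storage: RateLimitStorage, now: number = Date.now()): RateLimitResult {
  const key = `qre8:rl:${action}`;
  const policies = POLICIES[action];
  const longest = Math.max(...policies.map((p) => p.windowMs));
  // Keep only timestamps that can still matter for the longest window; a window is (now - w, now].
  const hits = load(storage, key).filter((t) => t > now - longest && t <= now);
  let retryAfterMs = 0;
  for (const p of policies) {
    const inWindow = hits.filter((t) => t > now - p.windowMs);
    if (inWindow.length >= p.limit) {
      // The oldest hit inside the window is the one that has to age out before the next request.
      retryAfterMs = Math.max(retryAfterMs, Math.min(...inWindow) + p.windowMs - now);
    }
  }
  if (retryAfterMs > 0) return { allowed: false, retryAfterMs };
  hits.push(now);
  storage.setItem(key, JSON.stringify(hits));
  return { allowed: true, retryAfterMs: 0 };
}

// In-memory stand-in for window.localStorage (tests, server-side rendering).
export function memoryStorage(): RateLimitStorage {
  const m = new Map<string, string>();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => { m.set(k, v); } };
}
```

In the browser, pass `window.localStorage` as the storage; the returned `retryAfterMs` is what the UI should show the visitor. None of this stops a scripted client, which is why the WAF rules below exist.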


Cloudflare Pages Security Headers

Security headers are configured in public/_headers:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' challenges.cloudflare.com; ...
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

These headers are applied at the Cloudflare edge once the _headers file is part of the deployed build output; confirm them with curl -I against the live site after each deploy. Two caveats: 'unsafe-inline' in script-src lets any injected inline <script> run, which defeats the main purpose of the CSP against XSS, so prefer nonces or hashes where the app allows it. And preload is a commitment: once a domain is on the browser preload list, removal takes months, so keep the token only if you intend to submit the domain to hstspreload.org and every host it covers is HTTPS-only.
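A small audit of the _headers file that can run in CI before a deploy, as an added example that is not part of the QRe8 repository. It parses the Cloudflare Pages _headers syntax (an unindented path pattern followed by indented "Name: value" lines) and checks the values listed above. The finding codes and the sample file are constructed for this example; the sample CSP is a stand-in, not the project's real policy, which the page shows only in truncated form.

```typescript
// Added example, not project code. Finding codes and SAMPLE_HEADERS are constructed here.

export type HeaderRules = Map<string, Map<string, string>>; // path pattern -> lowercase header name -> value

export function parseHeadersFile(text: string): HeaderRules {
  const rules: HeaderRules = new Map();
  let current: Map<string, string> | null = null;
  for (const raw of text.split(/\r?\n/)) {
    if (raw.trim() === "" || raw.trim().startsWith("#")) continue;
    if (!/^\s/.test(raw)) {            // unindented line: a new path pattern
      current = new Map();
      rules.set(raw.trim(), current);
      continue;
    }
    const idx = raw.indexOf(":");      // indented line: "Name: value"
    if (idx < 0 || current === null) throw new Error(`malformed _headers line: ${raw}`);
    current.set(raw.slice(0, idx).trim().toLowerCase(), raw.slice(idx + 1).trim());
  }
  return rules;
}

export function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const [directive, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (directive) directives.set(directive.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

export function auditHeaders(rules: HeaderRules, path = "/*"): string[] {
  const h = rules.get(path);
  if (!h) return ["no-rule-for-path"];
  const findings: string[] = [];

  const hsts = h.get("strict-transport-security") ?? "";
  const maxAge = Number(/max-age=(\d+)/i.exec(hsts)?.[1] ?? -1);
  if (maxAge < 31536000) findings.push("hsts-max-age-under-one-year");
  if (!/includesubdomains/i.test(hsts)) findings.push("hsts-no-includesubdomains");

  if ((h.get("x-content-type-options") ?? "").toLowerCase() !== "nosniff") findings.push("missing-nosniff");
  if (!h.has("referrer-policy")) findings.push("missing-referrer-policy");

  const csp = h.has("content-security-policy") ? parseCsp(h.get("content-security-policy")!) : null;
  const xfo = (h.get("x-frame-options") ?? "").toUpperCase();
  // Clickjacking protection needs X-Frame-Options or a CSP frame-ancestors directive.
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !csp?.has("frame-ancestors")) findings.push("no-framing-protection");

  if (!csp) {
    findings.push("missing-csp");
  } else {
    const script = csp.get("script-src") ?? csp.get("default-src") ?? [];
    // 'unsafe-inline' lets an injected inline <script> run, which is what the CSP is meant to stop.
    if (script.includes("'unsafe-inline'")) findings.push("csp-script-unsafe-inline");
    if (script.includes("'unsafe-eval'")) findings.push("csp-script-unsafe-eval");
  }
  return findings;
}

// Constructed sample mirroring the headers listed above; the CSP is a placeholder.
export const SAMPLE_HEADERS = `/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' challenges.cloudflare.com; frame-src challenges.cloudflare.com
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
`;
```

Run against the sample, the only finding is csp-script-unsafe-inline, which is the caveat above turned into a CI failure you can decide to accept or fix.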


Cloudflare WAF Rate Limiting

Since QRe8 is a static site with no origin server of its own, server-side rate limiting must be configured at the Cloudflare edge through the dashboard.

Step 1: Access WAF Rules

  1. Log into Cloudflare Dashboard
  2. Select your domain (e.g., qre8.changa.tech)
  3. Navigate to Security → WAF → Rate limiting rules

Step 2: Create Rate Limiting Rules

Rule 1: General Page Rate Limit

Name: QRe8 - General Rate Limit
If incoming requests match:
  - URI Path contains "/"
  
Rate limiting:
  - Requests: 100 requests per 1 minute
  - Per: IP address
  
Action: Block for 1 minute

Rule 2: Strict Asset Rate Limit

Name: QRe8 - Asset Download Protection
If incoming requests match:
  - URI Path contains "/_next/"
  
Rate limiting:
  - Requests: 200 requests per 1 minute
  - Per: IP address
  
Action: Block for 5 minutes

Both rules count per source IP, so they also throttle many users sharing one address (office NAT, mobile carriers); start with these thresholds and tune them against real traffic in Cloudflare analytics. A single page load of a Next.js app fetches many /_next/static chunks, so Rule 2 must stay well above the number of assets one visit needs.

Step 3: Enable Bot Fight Mode

  1. Go to Security → Bots
  2. Enable Bot Fight Mode (free tier) or configure Super Bot Fight Mode (Pro+)

Step 4: Configure Firewall Rules

Create additional firewall rules for suspicious patterns:

Name: Block Suspicious User Agents
If:
  - User Agent contains "curl" OR
  - User Agent contains "wget" OR
  - User Agent contains "python-requests" OR
  - User Agent is empty
  
Action: Challenge (CAPTCHA)

The User-Agent header is set by the client and trivially changed, so this rule only stops lazy automation. That is also why the action is a challenge rather than a block: a legitimate client with an unusual or empty User-Agent can still get through.

Cloudflare Turnstile Configuration

QRe8 uses Cloudflare Turnstile for bot protection.

Environment Variables

Development (.env.local):

# Cloudflare's documented test keys: the widget always passes and siteverify always succeeds. Never deploy them.
NEXT_PUBLIC_TURNSTILE_SITE_KEY=1x00000000000000000000AA
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA

Production (set in Cloudflare Pages; any NEXT_PUBLIC_ variable is inlined into the client bundle, so only the site key may carry that prefix):

NEXT_PUBLIC_TURNSTILE_SITE_KEY=your-actual-site-key
TURNSTILE_SECRET_KEY=your-actual-secret-key

Setting Up Turnstile

  1. Go to Cloudflare Turnstile
  2. Click Add Site
  3. Enter your domain: qre8.changa.tech
  4. Select Managed widget type
  5. Copy the Site Key and Secret Key
  6. Add to Cloudflare Pages environment variables:
    • Go to Workers & Pages → QRe8 → Settings → Environment variables
    • Add NEXT_PUBLIC_TURNSTILE_SITE_KEY
    • Add TURNSTILE_SECRET_KEY (for future server-side validation; until a siteverify call exists, the Turnstile token is never checked and the widget only gates the UI)
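What the secret key is for, as an added example rather than code from the QRe8 repository: the server-side siteverify call, written so that a Cloudflare Pages Function can use it. The siteverify endpoint, the form fields and the response fields (success, error-codes, challenge_ts, hostname) are Cloudflare's; the expected-hostname check, the 300-second freshness window, the minimal fetch type and the assumed function route in the usage note are this example's own choices.

```typescript
// Added example, not project code. Hostname check, freshness window and FetchLike are assumptions.

export const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

export interface SiteverifyResponse {
  success: boolean;
  "error-codes"?: string[];
  challenge_ts?: string; // ISO 8601 time the challenge was solved
  hostname?: string;     // hostname the widget was served on
  action?: string;
}

export interface SiteverifyRequest { method: "POST"; headers: Record<string, string>; body: string }
// Minimal shape of fetch so the code runs without DOM/worker type libraries; pass the real fetch in production.
export type FetchLike = (url: string, init: SiteverifyRequest) => Promise<{ json(): Promise<unknown> }>;

// Form-encode the body; remoteip lets Cloudflare cross-check the client address.
export function buildSiteverifyRequest(secret: string, token: string, remoteIp?: string): SiteverifyRequest {
  const fields: Record<string, string> = { secret, response: token };
  if (remoteIp) fields.remoteip = remoteIp;
  const body = Object.entries(fields).map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join("&");
  return { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" }, body };
}

export interface VerifyOutcome { ok: boolean; reason: string }

// `success` alone is not enough: a token solved on another hostname (a phishing copy of the
// site with the same public site key) must be rejected, and an old token is rejected as
// defense in depth even though Cloudflare already treats tokens as single-use.
export function evaluateSiteverify(raw: unknown, expectedHostname: string, now: number, maxAgeSeconds = 300): VerifyOutcome {
  const r = (raw ?? {}) as Partial<SiteverifyResponse>;
  if (r.success !== true) return { ok: false, reason: (r["error-codes"] ?? ["no-success-flag"]).join(",") };
  if (r.hostname !== expectedHostname) return { ok: false, reason: "hostname-mismatch" };
  if (typeof r.challenge_ts === "string") {
    const age = (now - Date.parse(r.challenge_ts)) / 1000; // NaN on a garbled timestamp, which also fails below
    if (!(age >= 0 && age <= maxAgeSeconds)) return { ok: false, reason: "token-too-old" };
  }
  return { ok: true, reason: "ok" };
}

export async function verifyTurnstileToken(
  token: string, secret: string, expectedHostname: string, fetchImpl: FetchLike, remoteIp?: string,
): Promise<VerifyOutcome> {
  if (!token) return { ok: false, reason: "missing-token" };
  const res = await fetchImpl(SITEVERIFY_URL, buildSiteverifyRequest(secret, token, remoteIp));
  return evaluateSiteverify(await res.json(), expectedHostname, Date.now());
}
```

In a Pages Function (an assumed path such as functions/api/verify.ts) read the token the widget produced from the POST body, call verifyTurnstileToken(token, env.TURNSTILE_SECRET_KEY, "qre8.changa.tech", fetch, request.headers.get("CF-Connecting-IP") ?? undefined), and answer 403 when ok is false. Because QR generation itself runs entirely in the browser, such a check can only gate an endpoint you add (for example a download or share API); it cannot gate the client-side encoder.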

Security Best Practices

For Developers

  1. Never commit secrets - Use environment variables
  2. Update dependencies regularly - Run npm audit frequently
  3. Test input validation - Try XSS payloads in all forms
  4. Monitor rate limits - Check Cloudflare analytics for abuse patterns

For Deployment

  1. Enable HTTPS only - Cloudflare Pages provisions certificates for custom domains automatically; also turn on Always Use HTTPS under SSL/TLS → Edge Certificates so plain-HTTP requests are redirected
  2. Set up alerts - Configure Cloudflare notifications for security events
  3. Review access logs - Monitor for suspicious patterns
  4. Keep service worker updated - Increment CACHE_VERSION on each deploy, otherwise returning visitors keep running the previous bundle from cache

Security Checklist

  • Security headers configured (_headers)
  • Service worker with versioned caching
  • Input validation with length limits
  • XSS sanitization on all inputs
  • Proper escaping for QR formats
  • Client-side rate limiting
  • Cloudflare WAF rate limiting (manual setup required)
  • Cloudflare Bot Fight Mode (manual setup required)
  • Turnstile integration
  • HTTPS enforced (via Cloudflare)

Incident Response

If you detect abuse:

  1. Check Cloudflare Analytics for attack patterns
  2. Add IP blocks in Cloudflare (Security → WAF → Tools, IP Access Rules)
  3. Tighten the rate limiting rules temporarily if needed (lower thresholds, longer block durations)
  4. Enable "Under Attack" mode for severe DDoS

Version History

Version   Date         Changes
1.0.0     2024-12-23   Initial security hardening

This document is part of the QRe8 security hardening initiative.
