
Security audit — 2026-06-08 #44

Open
versila22 wants to merge 1 commit into main from security-audit-2026-06-08

Conversation

@versila22 (Owner)

Summary

  • C=0 H=0 M=1 L=2 Info=2
  • Medium: react-router-dom open redirect via protocol-relative URL (prod dep, needs update)
  • Low: JWT access token in sessionStorage as Safari ITP fallback (src/lib/api.ts:44-48)
  • Low: Hardcoded seed credentials in source (backend/app/main.py:27-36)

Top fixes

  1. react-router open redirect — npm update react-router-dom to >=6.30.2
  2. sessionStorage JWT — migrate to memory variable or rely solely on httpOnly cookie
  3. Seed credentials — move seed passwords to env vars, read with os.environ

Verified safe

  • No XSS sinks, no secrets in JS/TS source
  • CORS uses explicit allowlist (no wildcard)
  • Auth cookies: httpOnly, secure, samesite correct
  • JWT_SECRET validated at startup
  • Security headers middleware: HSTS, nosniff, X-Frame-Options: DENY, CSP, Permissions-Policy
  • TLS 1.0/1.1 disabled
  • All high/critical npm audit vulns are devDependencies (not shipped to prod)

Test plan

  • Run npm update react-router-dom and verify no routing regressions
  • Confirm JWT_SECRET env var is set in production Railway deployment
  • Verify seed data only runs on fresh migration (not on every startup)

Tools

ran=npm-audit, grep-secrets, openssl-tls, grep-sast; skipped=curl-dast (egress gateway blocks outbound)


Generated by Claude Code
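Added example, not part of this PR or the audited project: a defender-side redirect-target validator for the protocol-relative open-redirect class named in the Medium finding above. It is a defence-in-depth check for a login "next" parameter, complementary to the react-router-dom update, not a replacement for it. It assumes the application's own origin is supplied by the caller (in a browser, `window.location.origin`); `safeRedirectTarget`, `redirectFromLoginQuery`, the origin and the sample inputs are all constructed for this example.

```javascript
// Added example (not from the PR or the audited project): validate a
// post-login redirect target so that only same-origin paths are navigated to.
// Assumption: appOrigin is the app's own origin (window.location.origin in a browser).

function safeRedirectTarget(target, appOrigin, fallback = "/") {
  if (typeof target !== "string" || target.length === 0) return fallback;

  let parsed;
  try {
    // Resolve relative to our own origin. A protocol-relative "//host/path"
    // and the backslash variant "/\host" (normalised to "//" by the WHATWG
    // parser for http/https) both surface as a foreign origin here instead of
    // passing as a "local" path that merely starts with "/".
    parsed = new URL(target, appOrigin);
  } catch {
    return fallback; // unparseable input: never forward it
  }

  // Same-origin only. "javascript:" and similar schemes have origin "null"
  // and fail this check as well, but the protocol check keeps that explicit.
  if (parsed.origin !== new URL(appOrigin).origin) return fallback;
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return fallback;

  // Hand back a path-only target so the caller can never navigate to an
  // absolute URL, even if a future parser quirk slipped past the origin check.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Typical call site: the login page reads ?next=... and redirects after auth.
function redirectFromLoginQuery(search, appOrigin) {
  const params = new URLSearchParams(search);
  return safeRedirectTarget(params.get("next"), appOrigin); // null -> fallback
}

// Constructed sample inputs (placeholder hosts) showing each branch.
const APP_ORIGIN = "https://app.example";
const samples = [
  "/dashboard?tab=1#top",          // ordinary relative path: allowed
  "https://app.example/settings",  // absolute but same-origin: reduced to a path
  "//evil.example/phish",          // protocol-relative: rejected
  "/\\evil.example",               // backslash variant: rejected
  "https://app.example.evil.example/", // look-alike host: rejected
  "javascript:alert(1)",           // non-http scheme: rejected
  "",                              // empty: fallback
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s, APP_ORIGIN));
}
console.log(redirectFromLoginQuery("?next=//evil.example", APP_ORIGIN)); // "/"
```

The key design choice is to let the URL parser decide what the browser would do with the string, then compare origins, rather than pattern-matching on a leading slash; string checks are exactly what protocol-relative and backslash forms bypass.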
