
Security audit — 2026-06-21 #70

Open
versila22 wants to merge 1 commit into main from security-audit-2026-06-21

Conversation

@versila22 (Owner)

Pentest mini-report — versila22/lima-app — 2026-06-21

Probed URL: https://limaimpro.duckdns.org/
Stack: React 18 / Vite 7 / TypeScript / FastAPI (Python) / pnpm+npm / PWA=yes (VitePWA + Workbox autoUpdate)
Counts: Critical=0 High=0 Medium=2 Low=2 Info=1

Findings

| Sev | Cat | Title | Location |
|---|---|---|---|
| Medium | DAST | CSP style-src unsafe-inline | nginx.conf:12 |
| Medium | SAST/PWA | JWT access token in sessionStorage (Safari fallback) | src/lib/api.ts:44-45 |
| Low | SCA | react-router open redirect via protocol-relative URL (v6.30.3 < 6.30.4) | package.json |
| Low | SCA | PostCSS XSS via unescaped </style> in CSS output (v8.5.9 < 8.5.10) | package.json |
| Info | SAST | dangerouslySetInnerHTML in chart style tag (CSS color config, not user input) | src/components/ui/chart.tsx:70 |

Top 3 fixes

  1. CSP style-src unsafe-inline — Replace 'unsafe-inline' with a nonce or hash; Tailwind/Vite builds support hash-based CSP via vite-plugin-csp.
  2. react-router open redirect — Upgrade react-router-dom to ≥6.30.4 (npm update react-router-dom).
  3. PostCSS XSS — Upgrade postcss to ≥8.5.10 (npm update postcss); low exploitability (build-time only).

Verified safe

  • No secrets committed to repo
  • CORS uses explicit origin allowlist, no reflection
  • JWT_SECRET validated to non-default in production
  • Rate limiting on auth endpoints (5/minute)
  • Security headers on nginx + backend SecurityHeadersMiddleware
  • TLS 1.0/1.1 disabled; cert valid to 2026-07-21
  • httpOnly auth cookies with path-scoped refresh token
  • All HIGH/CRITICAL npm audit packages are devDependencies (vitest, vite, undici, fast-uri, babel)

Needs server-side verification

  • DAST headers blocked by execution environment — verify with curl -sI https://limaimpro.duckdns.org/
  • Confirm Railway backend sends HSTS header in production

🤖 Generated by automated daily security audit


Generated by Claude Code
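As an added illustration of fix 1 (this is not code from the report or from the lima-app repository): a small Python helper that flags `'unsafe-inline'` in a CSP header and computes the `'sha256-…'` hash source that can replace it for a given inline `<style>` block. The header string below is constructed for the example; the real value at nginx.conf:12 is not on this page.

```python
import base64
import hashlib

# Constructed sample in the shape of a CSP header; the real nginx.conf:12 value is not on this page.
SAMPLE_CSP = ("default-src 'self'; script-src 'self'; "
              "style-src 'self' 'unsafe-inline'; img-src 'self' data:")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}, keeping directive order."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def unsafe_inline_directives(header: str) -> list[str]:
    """Directives that list 'unsafe-inline'; the Medium DAST finding flags this for style-src."""
    policy = parse_csp(header)
    return sorted(d for d, sources in policy.items() if "'unsafe-inline'" in sources)


def csp_hash_source(inline_text: str, algo: str = "sha256") -> str:
    """Hash source for one inline <style> element: base64 of the digest over its exact text.

    Any change to the text (even whitespace) changes the hash, so it must be computed
    over the content the server actually emits. Hash sources cover <style> elements,
    not style="" attributes (those additionally need 'unsafe-hashes').
    """
    digest = hashlib.new(algo, inline_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def harden_style_src(header: str, inline_styles: list[str]) -> str:
    """Rebuild the header with 'unsafe-inline' removed from style-src and one hash per inline block added."""
    policy = parse_csp(header)
    sources = [s for s in policy.get("style-src", []) if s != "'unsafe-inline'"]
    sources += [csp_hash_source(text) for text in inline_styles]
    policy["style-src"] = sources
    return "; ".join(" ".join([directive, *srcs]) for directive, srcs in policy.items())


if __name__ == "__main__":
    print("unsafe-inline in:", unsafe_inline_directives(SAMPLE_CSP))
    print(harden_style_src(SAMPLE_CSP, ["body { margin: 0 }"]))
```

The hardened header only admits the exact inline blocks whose hashes are listed, so a style injected at runtime by a library will be blocked until its text is hashed too or a nonce scheme is used instead.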
