Security audit — 2026-06-27 #76

Open · versila22 wants to merge 1 commit into main from security-audit-2026-06-27

Conversation

@versila22

Owner

Pentest mini-report — versila22/lima-app — 2026-06-27

Probed URL: https://limaimpro.duckdns.org/
Stack: Vite + React SPA / npm+bun / PWA=yes
Counts: Critical=0 High=0 Medium=2 Low=1 Info=2

Findings

| Sev | Cat | Title | Location |
|---|---|---|---|
| Medium | SAST | CSP style-src unsafe-inline | nginx.conf:20 |
| Medium | Infra | High/Critical dep vulns in build/CI toolchain | package.json (vitest CVSS 9.8, undici, serialize-javascript) |
| Low | Infra | Python backend deps unscanned | backend/requirements.txt |
| Info | Infra | DAST blocked — remote headers/TLS/file probes not run | limaimpro.duckdns.org |
| Info | PWA | API cache NetworkFirst 1h TTL on auth routes | vite.config.ts |

Top 3 fixes

  1. CSP unsafe-inline — Replace style-src 'self' 'unsafe-inline' with nonce/hash policy in nginx.conf
  2. Update build deps — npm update vitest undici serialize-javascript (clears CVSS 9.8 vitest RCE + undici header-injection in CI/dev)
  3. Scan Python deps — Add pip-audit -r backend/requirements.txt to CI pipeline

Verified safe

  • No XSS sinks, no hardcoded secrets, no localStorage token storage
  • Nginx security headers: HSTS 1y+includeSubDomains, X-Frame-Options: DENY, nosniff, strict script-src
  • Backend JWT default blocked at startup in non-dev mode (validate_jwt_secret validator)
  • CORS uses explicit origins + credentials (not wildcard)
  • FastAPI docs disabled in production; rate-limiting active
  • PWA workbox SW: NetworkFirst for API (no stale-auth); no VAPID keys in client

Needs server-side verification

  • Actual response headers on limaimpro.duckdns.org (DAST proxy-blocked)
  • TLS version / cipher strength (testssl.sh or SSL Labs)
  • .env/.git/* file exposure on host
  • Railway backend CORS reflection test
  • pip-audit on backend/requirements.txt

Generated by Claude Code
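As an added example, not part of the report above or of the lima-app repository, a small Python helper showing the hash-based style-src that fix 1 describes: it computes the CSP 'sha256-…' source expression for each inline style block, emits the nginx add_header line, and checks whether a policy still permits unsafe inline styles (including the default-src fallback case). The inline style samples and the exact add_header wording are assumptions; the real nginx.conf is not on the page.

```python
import base64
import hashlib
import re

# Constructed sample: inline <style> blocks as they might appear in the built SPA's
# index.html. Assumption only; the real app's inline styles are not known here.
INLINE_STYLES = [
    "body{margin:0}",
    ".app{display:flex}",
]

# The weak directive the report flags at nginx.conf:20 (default-src added for context).
WEAK_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline'"


def csp_style_hash(style_text: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for one inline style block.

    Browsers hash the exact bytes between <style> and </style>, so whitespace and
    encoding must match the served HTML byte for byte."""
    digest = hashlib.sha256(style_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hardened_policy(styles) -> str:
    """Build a policy that allows self-hosted stylesheets plus the listed inline
    blocks by hash, with no 'unsafe-inline' anywhere."""
    sources = ["'self'"] + [csp_style_hash(s) for s in styles]
    return "default-src 'self'; style-src " + " ".join(sources)


def nginx_add_header(csp: str) -> str:
    """Render the policy as an nginx directive (wording is an assumption)."""
    return f'add_header Content-Security-Policy "{csp}" always;'


def style_src_allows_unsafe_inline(csp: str) -> bool:
    """True if the effective style-src still permits unsafe inline styles.

    Falls back to default-src when style-src is absent. A nonce or hash in the
    directive makes 'unsafe-inline' ignored in CSP2+ browsers, so that case is safe."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    effective = directives.get("style-src", directives.get("default-src", []))
    has_nonce_or_hash = any(re.match(r"'(nonce-|sha(256|384|512)-)", t) for t in effective)
    return "'unsafe-inline'" in effective and not has_nonce_or_hash
```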
