Skip to content

Security audit β€” 2026-06-28#77

Open
versila22 wants to merge 1 commit into
mainfrom
security-audit-2026-06-28
Open

Security audit β€” 2026-06-28#77
versila22 wants to merge 1 commit into
mainfrom
security-audit-2026-06-28

Conversation

@versila22

Copy link
Copy Markdown
Owner

Pentest mini-report β€” versila22/lima-app β€” 2026-06-28

Probed URL: https://limaimpro.duckdns.org/
Stack: Vite 7 + React 18 / npm / PWA=yes (vite-plugin-pwa, autoUpdate)
Backend: FastAPI (Python) + PostgreSQL on Railway; Nginx reverse proxy (frontend)
Counts: Critical=0 High=0 Medium=4 Low=2 Info=1

Findings

Sev Cat Title Location
Medium SAST JWT access token stored in sessionStorage (Safari workaround) src/contexts/AuthContext.tsx:74-77
Medium SAST Fallback JWT secret hardcoded in config (no enforcement at startup) backend/app/config.py:10
Medium DAST CSP allows unsafe-inline for style-src nginx.conf:14
Medium Infra npm audit: 5 High + 1 Critical dependency vulns (2 affect production) package.json
Low SAST Hardcoded seed admin credentials in source backend/app/main.py:54
Low SAST Auth cookies set SameSite=None (required by cross-origin setup, noted for record) backend/app/utils/security.py:111,120
Info PWA PWA scope/start_url correct; NetworkFirst on API cache appropriate vite.config.ts

Top 3 fixes

  1. JWT sessionStorage β€” Move Safari-compat token to an in-memory store or short-lived httpOnly same-site cookie via a same-domain API proxy, eliminating JS-readable token.
  2. Fallback JWT secret β€” Remove DEFAULT_JWT_SECRET constant; raise ValueError at startup if JWT_SECRET is unset so misconfigured deployments fail fast.
  3. CSP unsafe-inline styles β€” Replace unsafe-inline with a style nonce or hash in Nginx CSP; Tailwind JIT classes can be pre-computed at build time.

Evidence (Critical/High only)

No Critical or High findings β€” Evidence section not required.

Verified safe

  • No hardcoded API keys, bearer tokens, AWS/GH credentials found in source (secret scan clean)
  • CORS origins not wildcarded: explicit allowlist with allow_credentials=True
  • HSTS: max-age=31536000; includeSubDomains in nginx.conf
  • X-Frame-Options: DENY; nosniff; Referrer-Policy set
  • Rate limiting on login/refresh/forgot-password endpoints
  • Auth cookies: HttpOnly=true, Secure=true in HTTPS context
  • No XSS sinks (innerHTML, dangerouslySetInnerHTML, eval) in src/
  • TLS 1.0/1.1 disabled; cert valid until 2026-07-28

Needs server-side verification

  • Confirm JWT_SECRET is set to a unique secret in Railway production (not the hardcoded default)
  • Confirm CORS_ORIGINS in Railway matches only https://limaimpro.duckdns.org
  • Verify live HTTP response headers β€” DAST blocked by outbound proxy in this run
  • Verify seed admin account password changed post-initial-deployment
  • Confirm react-router moderate advisory is remediated in deployed build

Tools

ran=npm-audit, grep-secret-scan, git-sast-manual; skipped=curl-dast (outbound proxy 403), openssl-tls (proxy blocked), pnpm-audit (not installed)


Generated by Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant