Source
Static security assessment (#840, finding D-1 — P1)
Problem
Teams and Slack webhook URLs are stored as plaintext strings in settings.json. Webhook URLs are bearer tokens — anyone with read access to the file can post messages to the configured channels.
Location: Lite/App.xaml.cs lines 359, 364 (load), and corresponding save logic.
Contrast
SQL Server credentials already use Windows Credential Manager (DPAPI) correctly. Webhook URLs should follow the same pattern.
Fix
Store webhook URLs in Windows Credential Manager alongside SQL credentials, using a target like PerformanceMonitorLite_TeamsWebhook / PerformanceMonitorLite_SlackWebhook. Keep only the enabled/disabled boolean and proxy address in settings.json.
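One way to implement the fix, as an added example rather than code from the project: a small helper that writes and reads the webhook URL as a generic credential in Windows Credential Manager through the advapi32 CredWrite/CredRead/CredDelete APIs, using the target names suggested above. The class name WebhookSecretStore, the Save/Load/Delete method names, the placeholder UserName value and the settings field names in the usage note are assumptions, not identifiers from App.xaml.cs.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Text;

// Added example, not the project's own code. Stores webhook URLs in the
// per-user Credential Manager vault (DPAPI-protected) instead of settings.json.
public static class WebhookSecretStore
{
    public const string TeamsTarget = "PerformanceMonitorLite_TeamsWebhook";
    public const string SlackTarget = "PerformanceMonitorLite_SlackWebhook";

    private const uint CRED_TYPE_GENERIC = 1;
    private const uint CRED_PERSIST_LOCAL_MACHINE = 2;   // survives logoff; still scoped to this user
    private const int ERROR_NOT_FOUND = 1168;            // CredRead/CredDelete: no such target
    private const int CRED_MAX_CREDENTIAL_BLOB_SIZE = 5 * 512;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct CREDENTIAL
    {
        public uint Flags;
        public uint Type;
        public string TargetName;
        public string Comment;
        public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
        public uint CredentialBlobSize;
        public IntPtr CredentialBlob;
        public uint Persist;
        public uint AttributeCount;
        public IntPtr Attributes;
        public string TargetAlias;
        public string UserName;
    }

    [DllImport("advapi32.dll", EntryPoint = "CredWriteW", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool CredWrite(ref CREDENTIAL credential, uint flags);

    [DllImport("advapi32.dll", EntryPoint = "CredReadW", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool CredRead(string target, uint type, uint flags, out IntPtr credential);

    [DllImport("advapi32.dll", EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode, SetLastError = true)]
    private static extern bool CredDelete(string target, uint type, uint flags);

    [DllImport("advapi32.dll")]
    private static extern void CredFree(IntPtr buffer);

    // Save: called from the settings dialog when the user pastes a webhook URL.
    public static void Save(string target, string webhookUrl)
    {
        if (string.IsNullOrEmpty(webhookUrl)) throw new ArgumentException("empty webhook URL", nameof(webhookUrl));
        byte[] blob = Encoding.Unicode.GetBytes(webhookUrl);  // UTF-16, same as cmdkey and the vault UI
        if (blob.Length > CRED_MAX_CREDENTIAL_BLOB_SIZE) throw new ArgumentException("webhook URL too long for a generic credential");

        IntPtr unmanagedBlob = Marshal.AllocHGlobal(blob.Length);
        try
        {
            Marshal.Copy(blob, 0, unmanagedBlob, blob.Length);
            var cred = new CREDENTIAL
            {
                Type = CRED_TYPE_GENERIC,
                TargetName = target,
                Comment = "Webhook URL (bearer token); never copy into settings.json",
                CredentialBlobSize = (uint)blob.Length,
                CredentialBlob = unmanagedBlob,
                Persist = CRED_PERSIST_LOCAL_MACHINE,
                UserName = "webhook",   // assumed placeholder; generic credentials need a non-empty user name
            };
            if (!CredWrite(ref cred, 0)) throw new Win32Exception(Marshal.GetLastWin32Error());
        }
        finally { Marshal.FreeHGlobal(unmanagedBlob); }
    }

    // Load: replaces the plaintext read at App.xaml.cs startup. Returns null when no secret is stored yet.
    public static string Load(string target)
    {
        if (!CredRead(target, CRED_TYPE_GENERIC, 0, out IntPtr ptr))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_NOT_FOUND) return null;
            throw new Win32Exception(err);
        }
        try
        {
            var cred = Marshal.PtrToStructure<CREDENTIAL>(ptr);
            if (cred.CredentialBlobSize == 0) return null;
            byte[] blob = new byte[cred.CredentialBlobSize];
            Marshal.Copy(cred.CredentialBlob, blob, 0, blob.Length);
            return Encoding.Unicode.GetString(blob);
        }
        finally { CredFree(ptr); }   // the vault allocated the buffer; free it, not Marshal.FreeHGlobal
    }

    // Delete: called when the user disables the integration, so the token does not linger.
    public static bool Delete(string target)
    {
        if (CredDelete(target, CRED_TYPE_GENERIC, 0)) return true;
        int err = Marshal.GetLastWin32Error();
        if (err == ERROR_NOT_FOUND) return false;
        throw new Win32Exception(err);
    }
}
```

With this in place, settings.json would carry only non-secret fields (for example TeamsEnabled, SlackEnabled and ProxyAddress, names assumed here), and the load path would call WebhookSecretStore.Load(WebhookSecretStore.TeamsTarget) instead of reading the URL from the file. Two caveats worth keeping in mind when reviewing the change: the vault protects the token at rest against other users and against casual file reads, but any process running as the same user can still call CredRead, so this closes the plaintext-on-disk finding rather than every exposure; and a migration step should delete the old plaintext values from settings.json after copying them into the vault, otherwise the finding persists on upgraded installs.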