security: harden CSP, headers, SSRF validation, and config#9
Merged
Conversation
- Add object-src 'none' to CSP and Permissions-Policy header - Remove deprecated X-XSS-Protection header (nonce-based CSP is sufficient) - Restrict CORS expose_headers from wildcard to empty list - Add SSRF URL validation to InstanceUpdate schema (matching InstanceCreate) - Bound /api/dashboard/activity limit param to 1-100 via Query() - Add validator constraining JWT algorithm config to HS256 only Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
menottim
added a commit
that referenced
this pull request
Mar 5, 2026
…alse positives Deleted leftover development scripts that logged secrets in plaintext: - test_sqlcipher.py (alerts #1, #2) - verify_phase1.py (alert #3) Dismissed 8 false positive alerts with explanations: - #4-7: py/incomplete-url-substring-sanitization in test assertions (not sanitization code) - #8: py/stack-trace-exposure in health check (str(e) only in logger, response is generic) - #9-10: py/weak-sensitive-data-hashing (SHA256 is pepper mixing before Argon2id, not the hash) - #11: py/stack-trace-exposure in prowlarr (hardcoded error message, not str(e)) - #13: py/stack-trace-exposure in dashboard (Instance model field, not exception) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
6 security fixes for headers, CSP, SSRF, and configuration:
object-src 'none'to CSP (Medium) — Blocks<object>/<embed>plugin-based XSS vectorsPermissions-Policyheader (Medium) — Explicitly denies camera, microphone, geolocation, payment APIsX-XSS-Protectionheader (Low) — Deprecated in all modern browsers, can cause issues. Nonce-based CSP is the correct replacement.expose_headers: ["*"]in CORS (Medium) — Changed to[]. Was exposing all response headers to cross-origin JS unnecessarily.InstanceUpdateschema (High) —InstanceCreatehad URL validation,InstanceUpdatedid not. An attacker could update an instance URL tohttp://169.254.169.254/to achieve SSRF./api/dashboard/activitylimit parameter (Low) — Was unbounded, enabling DoS via massive DB scans. NowQuery(10, ge=1, le=100).algorithmconfig to HS256 only (Medium) — The field was configurable but silently ignored. Now validates and rejects non-HS256 values.Severity: High + Medium + Low
Test plan
object-src 'none'Permissions-Policyheader present in responsesX-XSS-Protectionheader is absentAccess-Control-Expose-Headersis not*/api/dashboard/activity?limit=10000returns 422ALGORITHM=RS256in env causes startup failureRef:
docs/security-assessment-2026-02-27.mdfindings HIGH-1, MED-1, MED-4, MED-7, LOW-2, LOW-6🤖 Generated with Claude Code