ferdi2go/OnlyFrames
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Wiki Activity

[Security] CORS, Security-Header, Token-Speicherung #17

New Issue
Closed
opened 2026-05-27 12:21:05 +02:00 by ferdi2go · 1 comment
ferdi2go commented 2026-05-27 12:21:05 +02:00
Owner
Copy Link
Copy Source

Probleme

a) CORSserver.py:91-96: allow_origins=["*"].

b) Fehlende Security-Header: keine CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy.

c) Token in sessionStorageindex.html:808,1092: XSS-zugaenglich. Kombiniert mit #3 -> Diebstahl-Vektor.

Fix-Direction

@app.middleware("http")
async def security_headers(request, call_next):
    resp = await call_next(request)
    resp.headers["X-Content-Type-Options"] = "nosniff"
    resp.headers["X-Frame-Options"] = "DENY"
    resp.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
    return resp

Token in HttpOnly+SameSite-Cookie statt sessionStorage (groesserer Umbau - separat besprechen).

## Probleme **a) CORS** — `server.py:91-96`: `allow_origins=["*"]`. **b) Fehlende Security-Header**: keine CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. **c) Token in sessionStorage** — `index.html:808,1092`: XSS-zugaenglich. Kombiniert mit #3 -> Diebstahl-Vektor. ## Fix-Direction ```python @app.middleware("http") async def security_headers(request, call_next): resp = await call_next(request) resp.headers["X-Content-Type-Options"] = "nosniff" resp.headers["X-Frame-Options"] = "DENY" resp.headers["Referrer-Policy"] = "strict-origin-when-cross-origin" return resp ``` Token in HttpOnly+SameSite-Cookie statt sessionStorage (groesserer Umbau - separat besprechen).
ferdi2go added the securitypriority: medium labels 2026-05-27 12:21:05 +02:00
ferdi2go commented 2026-05-27 12:59:40 +02:00
Author
Owner
Copy Link
Copy Source

Fix (a) und (b) umgesetzt in server.py:

CORS — statt allow_origins=["*"] jetzt allow_origin_regex fuer localhost, 127.0.0.1 und lxc<id>-<port>.<domain> (VCH Subdomain-Proxy). Fremde Origins werden geblockt.

Security-Header-Middleware: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: geolocation=(), microphone=(), camera=().

CSP wurde bewusst weggelassen, weil die App inline-Scripts/Styles nutzt - das waere ein eigener Refactor.

Teil (c) HttpOnly-Cookie ist als separates Issue #28 ausgegliedert (groesserer Umbau).

Manueller Test: erlaubte Origin gibt korrekten allow-origin-Header zurueck, evil.com gar keinen.

Fix (a) und (b) umgesetzt in `server.py`: **CORS** — statt `allow_origins=["*"]` jetzt `allow_origin_regex` fuer `localhost`, `127.0.0.1` und `lxc<id>-<port>.<domain>` (VCH Subdomain-Proxy). Fremde Origins werden geblockt. **Security-Header-Middleware**: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy: geolocation=(), microphone=(), camera=()`. CSP wurde bewusst weggelassen, weil die App inline-Scripts/Styles nutzt - das waere ein eigener Refactor. **Teil (c) HttpOnly-Cookie** ist als separates Issue #28 ausgegliedert (groesserer Umbau). Manueller Test: erlaubte Origin gibt korrekten allow-origin-Header zurueck, `evil.com` gar keinen.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
maintenance
priority: high
priority: low
priority: medium
security
ux
No Label priority: medium security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ferdi2go
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: ferdi2go/OnlyFrames#17
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?