Skip to content

security: HTTP hardening (headers, CSV injection, webhook leak)#93

Merged
tcconnally merged 1 commit into
mainfrom
fix/http-hardening
Jul 5, 2026
Merged

security: HTTP hardening (headers, CSV injection, webhook leak)#93
tcconnally merged 1 commit into
mainfrom
fix/http-hardening

Conversation

@tcconnally

Copy link
Copy Markdown
Contributor

HTTP hardening — MED #7/#8 + LOW #12/#13 (2026-07-05 security review)

For the internal launch where the dashboard is network-reachable.

  • Low-balance email alert via Himalaya CLI #7 (MED) Security headers_send now emits on every response:
    X-Frame-Options: DENY + CSP frame-ancestors 'none' (clickjacking),
    X-Content-Type-Options: nosniff, Referrer-Policy: same-origin, and a CSP
    locking default-src/object-src/base-uri/form-action to 'self'.
    Script/style keep 'unsafe-inline' since the dashboard is inline-only (no
    external resources; favicon is a data: URI) — a nonce-based script-src is a
    noted follow-up.
  • Add 4th live-balance provider (OpenAI or OpenRouter) #8 (MED) CSV formula injection — tenant-controlled provider/model/
    workspace/task_type cells starting with = + - @ (or tab/CR) are
    quote-prefixed in export.csv, so =HYPERLINK(...) can't fire when a teammate
    opens it.
  • Configurable routing policies — cost-cap, latency, quality #13 (LOW) Webhook leak/webhook/stripe returns a generic error instead
    of echoing str(e); success path logs event id/type only (not org/amount/balance, LOW F-8).
  • Alert channels — Discord webhook and ntfy support #12 (LOW) simple_pagebodybody_html + docstring making the raw-HTML
    contract explicit (latent foot-gun; no live path).

Tests

258 pass (pytest tests/ -q), incl. a new live security-headers test and
_csv_safe unit tests. No behavior change to existing routes (CSV test data is
formula-safe; no test asserted the old webhook message).

…le_page

- Security headers on every response (X-Frame-Options DENY + CSP frame-ancestors,
  nosniff, Referrer-Policy) — dashboard no longer clickjackable.
- CSV export formula-injection neutralized (tenant-controlled provider/model/
  workspace cells beginning with = + - @ are quote-prefixed).
- Webhook 400 no longer echoes str(e) to caller; success path logs event id/type
  only, not the applied org_id/amount/balance.
- simple_page body -> body_html + docstring (latent XSS foot-gun, no live path).

Addresses MED #7/#8 + LOW #12/#13 (and LOW F-8) from the 2026-07-05 security
review. 258 tests pass (+4: _csv_safe unit tests + a live security-headers test).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@tcconnally tcconnally merged commit 3e65b02 into main Jul 5, 2026
8 checks passed
@tcconnally tcconnally deleted the fix/http-hardening branch July 5, 2026 18:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant