security: HTTP hardening (headers, CSV injection, webhook leak)#93
Merged
Conversation
…le_page - Security headers on every response (X-Frame-Options DENY + CSP frame-ancestors, nosniff, Referrer-Policy) — dashboard no longer clickjackable. - CSV export formula-injection neutralized (tenant-controlled provider/model/ workspace cells beginning with = + - @ are quote-prefixed). - Webhook 400 no longer echoes str(e) to caller; success path logs event id/type only, not the applied org_id/amount/balance. - simple_page body -> body_html + docstring (latent XSS foot-gun, no live path). Addresses MED #7/#8 + LOW #12/#13 (and LOW F-8) from the 2026-07-05 security review. 258 tests pass (+4: _csv_safe unit tests + a live security-headers test). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
HTTP hardening — MED #7/#8 + LOW #12/#13 (2026-07-05 security review)
For the internal launch where the dashboard is network-reachable.
_sendnow emits on every response:X-Frame-Options: DENY+ CSPframe-ancestors 'none'(clickjacking),X-Content-Type-Options: nosniff,Referrer-Policy: same-origin, and a CSPlocking
default-src/object-src/base-uri/form-actionto'self'.Script/style keep
'unsafe-inline'since the dashboard is inline-only (noexternal resources; favicon is a data: URI) — a nonce-based
script-srcis anoted follow-up.
provider/model/workspace/task_typecells starting with= + - @(or tab/CR) arequote-prefixed in
export.csv, so=HYPERLINK(...)can't fire when a teammateopens it.
/webhook/stripereturns a generic error insteadof echoing
str(e); success path logs event id/type only (not org/amount/balance, LOW F-8).body→body_html+ docstring making the raw-HTMLcontract explicit (latent foot-gun; no live path).
Tests
258 pass (
pytest tests/ -q), incl. a new live security-headers test and_csv_safeunit tests. No behavior change to existing routes (CSV test data isformula-safe; no test asserted the old webhook message).