
fix(daemon): harden security against browser CSRF attacks#270

Merged

jackwener merged 1 commit into main from fix/daemon-security-hardening on Mar 22, 2026
Conversation

@jackwener (Owner)

Changes

  • Add Origin header check: reject HTTP/WS from non-chrome-extension:// origins
  • Require X-OpenCLI custom header on all HTTP requests
  • Remove Access-Control-Allow-Origin: * from all responses
  • Add WebSocket verifyClient to reject malicious connections at upgrade phase
  • Add 1MB body size limit to prevent OOM
  • Update file header with security model documentation

Files Changed

  • src/daemon.ts — server-side security checks
  • src/browser/daemon-client.ts — add X-OpenCLI: 1 header to CLI fetch calls
  • src/browser/discover.ts — add X-OpenCLI: 1 header to status check

Testing

  • 306 unit tests pass
  • Local smoke test: verified all 6 attack vectors are properly blocked

Closes #268

- Add Origin header check: reject HTTP/WS from non-chrome-extension:// origins
- Require X-OpenCLI custom header on all HTTP requests
- Remove Access-Control-Allow-Origin: * from all responses
- Add WebSocket verifyClient to reject malicious connections at upgrade
- Add 1MB body size limit to prevent OOM
- Update file header with security model documentation

Closes #268
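The request gate the PR description lists (Origin check, required X-OpenCLI header, 1MB body cap, verifyClient-style WebSocket decision), written here as an added TypeScript example that is not the project's own src/daemon.ts. Function and type names are assumptions; so is treating a missing Origin as a non-browser client, inferred from the PR adding X-OpenCLI to the CLI's own fetch calls rather than an Origin.

```typescript
// Added example, not code from the OpenCLI project. Names below are assumed.
type HeaderMap = Record<string, string | undefined>;

const MAX_BODY_BYTES = 1024 * 1024; // the 1MB limit named in the PR

type Verdict = { ok: true } | { ok: false; status: number; reason: string };

// HTTP header names are case-insensitive; normalise before lookup.
function getHeader(h: HeaderMap, name: string): string | undefined {
  const key = Object.keys(h).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : h[key];
}

// Shared by HTTP requests and the WebSocket upgrade: a browser always sends
// Origin, so any Origin that is not the extension's is a cross-site caller.
// Assumption: no Origin at all means a non-browser client (the CLI), which is
// then gated by the custom header instead.
function originAllowed(h: HeaderMap): boolean {
  const origin = getHeader(h, "origin");
  return origin === undefined || origin.startsWith("chrome-extension://");
}

// Gate for plain HTTP requests. A custom header cannot be attached by an HTML
// form or a "simple" cross-site request without a CORS preflight, and with
// Access-Control-Allow-Origin: * gone the preflight no longer succeeds.
function checkHttpRequest(h: HeaderMap, contentLength: number): Verdict {
  if (!originAllowed(h)) return { ok: false, status: 403, reason: "bad origin" };
  if (getHeader(h, "x-opencli") === undefined) {
    return { ok: false, status: 403, reason: "missing X-OpenCLI header" };
  }
  if (contentLength > MAX_BODY_BYTES) {
    return { ok: false, status: 413, reason: "body exceeds 1MB" };
  }
  return { ok: true };
}

// verifyClient-style decision at the WebSocket upgrade: only the Origin rule
// applies, because browsers cannot add custom headers to a WebSocket handshake.
function verifyWsClient(h: HeaderMap): boolean {
  return originAllowed(h);
}
```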
jackwener merged commit 40bd11d into main on Mar 22, 2026
12 checks passed


Development

Successfully merging this pull request may close these issues.

[Feature]: Authenticate local daemon and add per-adapter permissions
