fix(security): address security vulnerabilities across frontend and backend#87
Merged
stevenferey merged 11 commits intodevelopfrom Mar 9, 2026
Merged
fix(security): address security vulnerabilities across frontend and backend#87stevenferey merged 11 commits intodevelopfrom
stevenferey merged 11 commits intodevelopfrom
Conversation
Add escapeHtml() to sanitize firstName before interpolation in email templates, preventing stored XSS via malicious registration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove VITE_AI_API_KEY from frontend code, env types, and documentation. VITE_ prefixed variables are bundled into the client JS and visible to anyone inspecting the source. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the default admin user (admin@crafter.app / admin123) from the migration file. Admin users should be created via a dedicated seed script instead of being embedded in migration history. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add authenticate middleware to the upload route on the backend. On the frontend, include credentials and Authorization header in the upload fetch request. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Throw a fatal error at startup if JWT_ACCESS_SECRET or JWT_REFRESH_SECRET are not set, instead of falling back to predictable default values. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tgreSQL Default rejectUnauthorized to true in production. Providers using self-signed certs (e.g. Railway) can opt out explicitly via DB_SSL_REJECT_UNAUTHORIZED=false. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace user email addresses with user IDs in backend auth logs. Remove email from frontend store logs and email service logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Invert the logic so cookies are secure by default. Only disable the secure flag when NODE_ENV is explicitly 'development'. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace Zustand persist middleware with in-memory token store. Access tokens are no longer written to localStorage, reducing the XSS attack surface. Session recovery after page refresh relies on the httpOnly refresh token cookie. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add helmet to set security headers (X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security, etc.) on all backend responses. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Restore hardcoded admin credentials in the migration file. The default admin password should be changed manually after installation on each environment. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
firstNameduring registrationVITE_AI_API_KEYwas exported in the frontend JS, visible to anyoneauthenticatemiddleware on backend + credentials/token on frontendrejectUnauthorizedtotruein productiondevelopmentmodeBreaking changes
JWT_ACCESS_SECRETandJWT_REFRESH_SECRETenvironment variablesDB_SSL_REJECT_UNAUTHORIZED=falseTest plan
curl -Isur un endpointfirstNamecontenant du HTML est échappé dans les emailsaiApiKeyn'apparaît plus dans le bundle JS (npm run buildpuis grep)🤖 Generated with Claude Code