# Security Analysis Report

Date: 2026-03-02
Repository: /Users/bedas/Developer/GitHub/dcm
Scope: backend FastAPI API and worker, frontend React app, Docker runtime configuration, and local `.env` posture.

## Executive Verdict

Current state is **not production ready**.

- Blocking code-level issues exist and should be fixed before production exposure.
- Additional user-dependent deployment risks are present in `.env` and runtime defaults. Per request, these are listed as MUST KNOW and not marked as blocking.

## Method and Coverage

Performed a read-only static review of:

- API auth, authorization, upload and file handling, routing, settings, and worker pipelines.
- Frontend auth token handling and preview rendering behavior.
- Docker and environment defaults affecting network and secret posture.
- Existing security-focused tests and basic frontend API tests.

## Blocking Security Issues (Code-Level)

### 3) Medium - Bearer token stored in browser sessionStorage

Impact:

- Any successful XSS on the frontend origin can steal bearer tokens and replay them.

Exploit path:

- Malicious script execution on app origin reads `sessionStorage` and exfiltrates `Authorization` token.

Evidence:

- Token persisted in sessionStorage and injected into `Authorization` header: `frontend/src/lib/api.ts:39-42`, `frontend/src/lib/api.ts:61-67`, `frontend/src/lib/api.ts:84-95`, `frontend/src/lib/api.ts:103-112`.

Remediation:

- Prefer HttpOnly Secure SameSite cookies for session auth, plus CSRF protection.
- If bearer-in-JS remains, enforce strict CSP, remove inline script execution, and add strong dependency hygiene.