ledgerdock/REPORT.md

Security Analysis Report

Date: 2026-03-02
Repository: /Users/bedas/Developer/GitHub/dcm
Scope: backend FastAPI API and worker, frontend React app, Docker runtime configuration, and local .env posture.

Executive Verdict

Current state is not production ready.

  • Blocking code-level issues exist and should be fixed before production exposure.
  • Additional user-dependent deployment risks are present in .env and runtime defaults. Per request, these are listed as MUST KNOW and not marked as blocking.

Method and Coverage

Performed a read-only static review of:

  • API auth, authorization, upload and file handling, routing, settings, and worker pipelines.
  • Frontend auth token handling and preview rendering behavior.
  • Docker and environment defaults affecting network and secret posture.
  • Existing security-focused tests and basic frontend API tests.

Blocking Security Issues (Code-Level)

3) Medium - Token persistence risk in browser storage (Remediated)

Impact:

  • Previously, a bearer token in browser sessionStorage could be stolen by a successful XSS in the frontend origin.
  • The codebase now uses HttpOnly session cookies plus CSRF protection, so tokens are no longer kept in browser storage.

Exploit path:

  • Previously: malicious script execution on the app origin read sessionStorage and exfiltrated the Authorization bearer token.

Evidence:

  • Previous evidence in this scan no longer applies after implementation of cookie-backed auth in:
    • frontend/src/lib/api.ts
    • backend/app/api/auth.py
    • backend/app/api/routes_auth.py
    • backend/app/main.py

Remediation:

  • Implemented: HttpOnly, Secure, SameSite session cookies and CSRF protection, with the frontend propagating the CSRF header on state-changing requests.
  • If bearer-in-JS remains, enforce strict CSP, remove inline script execution, and add strong dependency hygiene.
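The pattern the remediation describes (an HttpOnly session cookie the page's scripts cannot read, paired with a double-submit CSRF token that the frontend echoes back in a request header) is shown below as an added, framework-free example. This is not code from the dcm repository or its FastAPI backend; the cookie names, header name, function names and the simulated browser are assumptions chosen for illustration.

```python
"""
Cookie-backed session plus double-submit CSRF check (added example, not project code).

Design under test:
  * session cookie: HttpOnly + Secure + SameSite, so script on the origin cannot read it
  * csrf cookie:    NOT HttpOnly, so the frontend can read it and copy it into a header
  * every state-changing request must carry a header that matches the csrf cookie
All names below (SESSION_COOKIE, CSRF_COOKIE, CSRF_HEADER, ...) are assumptions.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field

SESSION_COOKIE = "session"      # assumed cookie name
CSRF_COOKIE = "csrf_token"      # assumed cookie name, deliberately readable by JS
CSRF_HEADER = "x-csrf-token"    # assumed header name, matched case-insensitively
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # no CSRF check for read-only methods


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status plus raw header pairs."""
    status: int = 200
    headers: list[tuple[str, str]] = field(default_factory=list)


def set_cookie(resp: Response, name: str, value: str, *, http_only: bool,
               secure: bool = True, same_site: str = "Lax", max_age: int = 3600) -> None:
    """Append a Set-Cookie header with the hardening attributes spelled out."""
    attrs = [f"{name}={value}", f"Max-Age={max_age}", "Path=/", f"SameSite={same_site}"]
    if secure:
        attrs.append("Secure")
    if http_only:
        attrs.append("HttpOnly")
    resp.headers.append(("Set-Cookie", "; ".join(attrs)))


def issue_session(session_id: str) -> tuple[Response, str]:
    """Login response: HttpOnly session cookie and a JS-readable CSRF cookie."""
    csrf = secrets.token_urlsafe(32)
    resp = Response()
    set_cookie(resp, SESSION_COOKIE, session_id, http_only=True, same_site="Strict")
    set_cookie(resp, CSRF_COOKIE, csrf, http_only=False)
    return resp, csrf


def cookie_attributes(resp: Response, name: str) -> set[str]:
    """Return the attribute set of the Set-Cookie header for `name` (for inspection)."""
    for header, value in resp.headers:
        if header == "Set-Cookie" and value.startswith(f"{name}="):
            return set(value.split("; ")[1:])
    return set()


def csrf_check(method: str, cookies: dict[str, str], headers: dict[str, str]) -> tuple[bool, str]:
    """Double-submit check: the header must be present and equal to the csrf cookie."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie_val = cookies.get(CSRF_COOKIE)
    header_val = {k.lower(): v for k, v in headers.items()}.get(CSRF_HEADER)
    if not cookie_val or not header_val:
        return False, "missing CSRF token"
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str input).
    if not hmac.compare_digest(cookie_val.encode(), header_val.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


def simulate_browser_request(method: str, csrf: str, same_origin_script: bool) -> tuple[bool, str]:
    """Constructed browser model: cookies are always attached; only the app's own
    script (same origin) can read the csrf cookie and add the header."""
    cookies = {SESSION_COOKIE: "sid-123", CSRF_COOKIE: csrf}
    headers = {"X-CSRF-Token": csrf} if same_origin_script else {}
    return csrf_check(method, cookies, headers)


if __name__ == "__main__":
    resp, csrf = issue_session("sid-123")
    for _, value in resp.headers:
        print("Set-Cookie:", value)
    print("same-origin POST :", simulate_browser_request("POST", csrf, True))
    print("cross-site POST  :", simulate_browser_request("POST", csrf, False))
```

The cross-site case in the demo is the one the remediation exists for: a third-party page can make the browser send the session cookie, but it cannot read the csrf cookie to populate the header, so the request is rejected before any state changes.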