ledgerdock/REPORT.md

# Security Analysis Report

Date: 2026-03-02
Repository: /Users/bedas/Developer/GitHub/dcm
Scope: backend FastAPI API and worker, frontend React app, Docker runtime configuration, and local `.env` posture.

## Executive Verdict

Current state is **not production ready**.

- Blocking code-level issues exist and should be fixed before production exposure.
- Additional user-dependent deployment risks are present in `.env` and runtime defaults. Per request, these are listed as MUST KNOW and not marked as blocking.

## Method and Coverage

Performed a read-only static review of:

- API auth, authorization, upload and file handling, routing, settings, and worker pipelines.
- Frontend auth token handling and preview rendering behavior.
- Docker and environment defaults affecting network and secret posture.
- Existing security-focused tests and basic frontend API tests.

## Blocking Security Issues (Code-Level)

### 3) Medium - Token persistence risk in browser storage (Remediated)

Impact:

- Previously, a bearer token in browser sessionStorage could be stolen by a successful XSS in the frontend origin.
- The codebase now uses HttpOnly session cookies plus CSRF protection, so tokens are no longer kept in browser storage.

Exploit path:

- Previously: malicious script execution on app origin read `sessionStorage` and exfiltrated `Authorization` token.

Evidence:

- Previous evidence in this scan no longer applies after implementation of cookie-backed auth in:
  - `frontend/src/lib/api.ts`
  - `backend/app/api/auth.py`
  - `backend/app/api/routes_auth.py`
  - `backend/app/main.py`

Remediation:

- Implemented: HttpOnly Secure SameSite session cookies and CSRF protection with frontend CSRF header propagation for state-changing requests.
- If bearer-in-JS remains, enforce strict CSP, remove inline script execution, and add strong dependency hygiene.