ledgerdock/REPORT.md

Security Analysis Report

Date: 2026-03-02 Repository: /Users/bedas/Developer/GitHub/dcm Scope: backend FastAPI API and worker, frontend React app, Docker runtime configuration, and local .env posture.

Executive Verdict

Current state is not production ready.

• Blocking code-level issues exist and should be fixed before production exposure.
• Additional user-dependent deployment risks are present in .env and runtime defaults. Per request, these are listed as MUST KNOW and not marked as blocking.

Method and Coverage

Performed a read-only static review of:

• API auth, authorization, upload and file handling, routing, settings, and worker pipelines.
• Frontend auth token handling and preview rendering behavior.
• Docker and environment defaults affecting network and secret posture.
• Existing security-focused tests and basic frontend API tests.

Blocking Security Issues (Code-Level)

3) Medium - Bearer token stored in browser sessionStorage

Impact:

• Any successful XSS on the frontend origin can steal bearer tokens and replay them.

Exploit path:

• Malicious script execution on app origin reads sessionStorage and exfiltrates Authorization token.

Evidence:

• Token persisted in sessionStorage and injected into Authorization header: frontend/src/lib/api.ts:39-42, frontend/src/lib/api.ts:61-67, frontend/src/lib/api.ts:84-95, frontend/src/lib/api.ts:103-112.

Remediation:

• Prefer HttpOnly Secure SameSite cookies for session auth, plus CSRF protection.
• If bearer-in-JS remains, enforce strict CSP, remove inline script execution, and add strong dependency hygiene.