Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 4.3 PyPI

ciguard: Web UI is missing HTTP defence-in-depth headers

GHSA-7ww3-xvf5-cxwm

Published · Modified

Description

Summary

ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).

Threat scenario

For local-only deployment (current intent): minimal — there's no untrusted browser context, no third-party hosting, no auth surface to protect.

For public hosting (PRD Slice 9 GitHub App or hosted dashboard, future): each missing header reduces a defence layer:

  • Missing CSP → injected XSS would have no second-line defence (first-line Jinja autoescape remains intact)
  • Missing X-Frame-Options → clickjacking against any UI button would be possible
  • Missing SRI on jsdelivr-hosted Swagger UI → if jsdelivr were compromised, attacker JS would run in the docs page context

Patch

  • New SecurityHeadersMiddleware at src/ciguard/web/security_headers.py injecting: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, Permissions-Policy interest-cohort=(), Cross-Origin-Opener-Policy same-origin, Cross-Origin-Resource-Policy same-origin, plus per-path CSP with /api/docs + /api/redoc carve-out for cdn.jsdelivr.net (Swagger UI / ReDoc dependency).
  • COEP intentionally NOT set: would break Swagger UI's cross-origin assets, and ciguard makes no SharedArrayBuffer use that would benefit.
  • Registered via app.add_middleware(SecurityHeadersMiddleware).
  • 6 regression tests in tests/test_web.py::TestSecurityHeaders.

Discovery

Found by OWASP ZAP baseline scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium per v3.1 thresholds)
  • CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N — first.org calc 4.3 (Low); GitHub's calc 2.1 (Low). All consistent at Low/borderline.

Verification

$ curl -sI http://127.0.0.1:8080/ | grep -E '^(X-Frame|X-Content|Referrer|Permissions|Cross-Origin|Content-Security):'
# Pre-fix: empty
# Post-fix: 7 headers present

Resources

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes