fix: CSP headers and deps alerts#213
Merged
Merged
Conversation
Signed-off-by: Rafael Silva (rafaelsi) <rafaelsi@cisco.com>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF ScorecardScorecard details
Scanned Files
|
jadiaconu
approved these changes
Jun 11, 2026
mkedjour
reviewed
Jun 11, 2026
Signed-off-by: Rafael Silva (rafaelsi) <rafaelsi@cisco.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Addresses multiple findings from the Solis ZAP security scan (rule 70010 — CSP CSDL Violation, rule 10015 — Cache-Control, rule 10027 — Information Disclosure via comments) and two Dependabot alerts in the frontend.
CSP fixes (ZAP 70010):
script-srcincsp-header.confandcsp-header.env.conf. Static nonces are cryptographically meaningless and are correctly flagged as CSDL violations — they provide no security benefit overunsafe-inline.<script>inmaze.tsx. Replaced with an externalpublic/maze-loader.jsfile served fromself, eliminating the need for any nonce orunsafe-inlineinscript-src.window.apiUrl,window.authType, etc.) was previously a nonce-tagged inline<script>block injected viasedat Docker build time. Replaced with a dedicatedconfig.js.ssitemplate served by nginx at/config.jswith SSI processing (ssi_types application/javascript), injected intoindex.htmlas<script src="/config.js">.font-src 'self' https://fonts.gstatic.com data:directive (fixes "Solis Content Security Policy Scanner 4" findings for.woff2assets).data:toimg-srcandframe-srcto both CSP files for consistency.Cache-Control fixes (ZAP 10015):
locationblocks for static image/font assets (ico,png,svg,woff2, etc.) withpublic, max-age=86400, must-revalidateinstead of falling through to the HTML catch-all.robots.txtandsitemap.xmlwithno-store./config.jsserved withno-storesince it contains runtime environment values.Suspicious comments fixes (ZAP 10027):
sw.ts,routes.tsx,utils/auth.ts, andauth-provider-oidc-helper.tsxthat survived into compiled JS bundles and triggered keyword matches (API Key,token,NOTE, etc.).Dependabot alerts:
vitestand@vitest/coverage-v8/@vitest/uifrom3.2.4to3.2.6(GHSA-5xrq-8626-4rwp — critical: arbitrary file read/exec via Vitest UI server).qsfrom6.15.1to6.15.2(GHSA-q8mj-m7cp-5q26 — moderate: DoS viaqs.stringify). Added both toresolutionsto cover transitive dependencies.Docker base image hardening:
apk upgrade --no-cache opensslto all Alpine stages inDockerfile(frontend) andDockerfile.bff(backend) to patch CVE-2026-34182 (critical) and 8 high-severity OpenSSL vulnerabilities fixed inopenssl@3.5.7-r0.Type of Change
Checklist