Impact
The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.
While the current XSS attack surface is small (React-markdown is configured safely, no dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.
Affected code:
packages/server/src/index.ts — all res.writeHead() calls only set Content-Type, with no security headers
Patches
Not yet patched.
Fix: Add security headers to all HTML/API responses:
res.writeHead(200, {
"Content-Type": contentType,
"Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:",
"X-Frame-Options": "DENY",
"X-Content-Type-Options": "nosniff"
});Workarounds
Use a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.
References
- CWE-693: Protection Mechanism Failure
- OWASP: HTTP Security Response Headers
- File:
packages/server/src/index.ts
Impact
The HTTP server does not set
Content-Security-Policy,X-Frame-Options, orX-Content-Type-Optionsheaders on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.While the current XSS attack surface is small (React-markdown is configured safely, no
dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.Affected code:
packages/server/src/index.ts— allres.writeHead()calls only setContent-Type, with no security headersPatches
Not yet patched.
Fix: Add security headers to all HTML/API responses:
Workarounds
Use a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.
References
packages/server/src/index.ts