Reflected cross-site scripting (XSS) In @grackle-ai/server
Description
@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
Impact
The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks.
While the current XSS attack surface is small (React-markdown is configured safely, no dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer.
Affected code:
packages/server/src/index.ts — all res.writeHead() calls only set Content-Type, with no security headers
Patches
0.70.4
Fix: Add security headers to all HTML/API responses:
res.writeHead(200, { "Content-Type": contentType, "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:", "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff" });
Workarounds
Use a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.
References
CWE-693: Protection Mechanism Failure
OWASP: HTTP Security Response Headers
File: packages/server/src/index.ts
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 npm | 0.70.4 |
Aliases
References