logo

Database

Security controls bypass or absence In ciguard

Description

ciguard: Web UI is missing HTTP defence-in-depth headers

Summary

ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).

Threat scenario

For local-only deployment (current intent): minimal — there's no untrusted browser context, no third-party hosting, no auth surface to protect.

For public hosting (PRD Slice 9 GitHub App or hosted dashboard, future): each missing header reduces a defence layer:

    Missing CSP → injected XSS would have no second-line defence (first-line Jinja autoescape remains intact)

    Missing X-Frame-Options → clickjacking against any UI button would be possible

    Missing SRI on jsdelivr-hosted Swagger UI → if jsdelivr were compromised, attacker JS would run in the docs page context

Patch

    New SecurityHeadersMiddleware at src/ciguard/web/security_headers.py injecting: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, Permissions-Policy interest-cohort=(), Cross-Origin-Opener-Policy same-origin, Cross-Origin-Resource-Policy same-origin, plus per-path CSP with /api/docs + /api/redoc carve-out for cdn.jsdelivr.net (Swagger UI / ReDoc dependency).

    COEP intentionally NOT set: would break Swagger UI's cross-origin assets, and ciguard makes no SharedArrayBuffer use that would benefit.

    Registered via app.add_middleware(SecurityHeadersMiddleware).

    6 regression tests in tests/test_web.py::TestSecurityHeaders.

Discovery

Found by OWASP ZAP baseline scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

    CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium per v3.1 thresholds)

    CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N — first.org calc 4.3 (Low); GitHub's calc 2.1 (Low). All consistent at Low/borderline.

Verification

$ curl -sI http://127.0.0.1:8080/ | grep -E '^(X-Frame|X-Content|Referrer|Permissions|Cross-Origin|Content-Security):'
# Post-fix: 7 headers present

Resources

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-7ww3-xvf5-cxwm2. GCVE-GHSA-7ww3-xvf5-cxwm

References

1. https://github.com/Jo-Jo98/ciguard/security/advisories/GHSA-7ww3-xvf5-cxwm2. https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.23. https://github.com/Jo-Jo98/ciguard/releases/tag/v0.8.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.