Skip to content

fix(security): harden audit remediations#213

Merged
ThisIs-Developer merged 1 commit into
mainfrom
codex/security-remediation-hardening
Jul 10, 2026
Merged

fix(security): harden audit remediations#213
ThisIs-Developer merged 1 commit into
mainfrom
codex/security-remediation-hardening

Conversation

@ThisIs-Developer

Copy link
Copy Markdown
Owner

Summary

This PR remediates the security audit findings for Markdown Viewer while preserving the existing web, sharing, renderer, export, and desktop workflows.

Changes include:

  • Add Cloudflare Pages _headers and _redirects for HTTP security headers, CSP, clickjacking protection, and sensitive-path 404s.
  • Tighten CSP by adding base-uri, form-action, object-src, script-src-attr, frame-ancestors, exact Live Share WebSocket origin, and inline script hashes where needed.
  • Remove default Neutralino os.execCommand exposure and gate local desktop diagram commands behind explicit advanced opt-in logic.
  • Enforce Live Share host/editor/viewer capabilities server-side and reject unsupported WebSocket origins.
  • Narrow Share Snapshot API CORS, add creator-side stored snapshot delete tokens, and surface expiry/privacy wording in the UI.
  • Add STL source/geometry validation for file size, finite vertices, and vertex count.
  • Harden exported HTML with CSP and SRI for external export assets.
  • Add private/no-persist storage mode, clear-local-data control, and storage privacy wording.
  • Add SRI metadata for lazy-loaded CDN scripts/styles where browser SRI is applicable.
  • Sync hardened web assets into the Neutralino desktop resources and document local renderer security behavior.

Why

The previous audit score was 74/100. The largest remaining risks were deployment headers, desktop native API exposure, Live Share authorization, WebSocket Origin validation, Snapshot bearer-link privacy, STL validation, exported HTML hardening, and supply-chain integrity. This PR addresses or mitigates each reported item without intentionally removing supported features.

Validation

Performed locally:

  • node --check script.js
  • node --check preview-worker.js
  • node --check workers/live-room-worker.js
  • node --check functions/api/share/[[id]].js
  • node --check functions/live-room/[[room]].js
  • Share API boundary test: bad Origin rejected, same-origin create/read works, wrong delete token fails, correct delete token deletes.
  • Live Share boundary test: host/editor/viewer capabilities authenticate separately, viewer y-update is rejected, bad Origin is rejected.
  • Browser regression via local Chrome: app opens, Markdown preview updates, XSS payloads blocked, dangerous links stripped, Mermaid renders, ABC renders, valid STL renders, malformed STL is rejected, Share Snapshot creates/opens, view-only hides editor, HTML export has CSP/SRI, malicious export payload is sanitized, private mode blocks document persistence.
  • Export checks: PNG download passed and PDF raster download passed.
  • Desktop build: npm run build passed in desktop-app with the hardened Neutralino config and synced resources.

Notes

No local or remote CONTRIBUTING.md, contributing.md, CONTRIBUTION.md, contribution.md, or PR template file was present when preparing this PR, so this uses the standard summary/why/validation format.

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
markdown-viwer Ready Ready Preview, Comment Jul 10, 2026 11:38am

@ThisIs-Developer ThisIs-Developer force-pushed the codex/security-remediation-hardening branch from 58fdaa3 to 413da47 Compare July 10, 2026 11:38
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 10, 2026

Copy link
Copy Markdown

Deploying markdownviewer with  Cloudflare Pages  Cloudflare Pages

Latest commit: 413da47
Status: ✅  Deploy successful!
Preview URL: https://aa018b09.markdownviewer.pages.dev
Branch Preview URL: https://codex-security-remediation-h.markdownviewer.pages.dev

View logs

@ThisIs-Developer ThisIs-Developer changed the title Harden security remediation fix(security): harden audit remediations Jul 10, 2026
@ThisIs-Developer ThisIs-Developer marked this pull request as ready for review July 10, 2026 11:40
@ThisIs-Developer ThisIs-Developer merged commit 1de2fd4 into main Jul 10, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant