Problem Statement
The Helmet CSP in api/src/main.ts:25 permits 'unsafe-inline' for styles to support Swagger UI. This weakens the Content Security Policy globally for all API responses, including non-Swagger routes.
Evidence
styleSrc: ["'self'", "'unsafe-inline'"],
Impact
With 'unsafe-inline' in style-src, any attacker-controlled HTML that a browser renders from this origin may carry <style> elements or style attributes that the browser will apply. That enables CSS injection (for example leaking field values through attribute selectors that trigger background-image requests, or overlaying the UI), and it removes the one CSP control meant to stop it. Scope caveat: style-src does not gate script execution, so this does not by itself permit script XSS, and the policy only matters on HTML responses served under it (Swagger UI and anything else rendered as HTML), not on JSON responses. The problem is that the relaxation is applied globally rather than to the one route that needs it.
Proposed Solution
- Serve Swagger UI under /docs with a separate, relaxed CSP (route-specific middleware, e.g. a second helmet.contentSecurityPolicy() registered for the /docs prefix after the global one so its header overwrites it)
- Remove 'unsafe-inline' from the global CSP
- Add nonce-based inline style support if needed; note that a nonce only authorizes <style> elements, not style="" attributes, which would require 'unsafe-hashes' with per-attribute hashes, so check what Swagger UI actually emits before relying on nonces for /docs
Acceptance Criteria
File Map
api/src/main.ts — tighten global CSP
api/src/swagger-csp.middleware.ts — new relaxed CSP for /docs
Labels: security
Priority: Low | Difficulty: Intermediate | Estimated Effort: 1d
Backlog ID: REPO-040