CDP 35948517: ReactJs #26

Closed
opened 2026-04-16 08:16:52 +02:00 by Hartmut · 3 comments
Owner

CDP Control ID: 35948517
Category: Secure Application Development
Frequency: Onetime
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Secure Application Development Requirement: Complete the Accenture Delivery Methods (ADM) and CDP requirements for ReactJs by implementing the security requirements listed in the Secure Coding Checklist in your solution. Validation of this control is attestation to the implementation of all requirements in the secure coding checklist. https://in.accenture.com/protectingaccenture/client-data-protection/secure-coding-checklists/ Guidance: Visit the Secure Coding Checklist page and download the corresponding checklist. Share the list with all applicable project resources and instruct on the implementation of requirements in the solution. In case you are unable to implement a security requirement discuss with your Account Manager to assist in processing a formal exception with client sign-off. The checklists are to be used for tracking purposes. For more information visit the Secure Application Development website. Solution security is required by Policy 56.

Hartmut added the cdpsecurity labels 2026-04-16 08:16:52 +02:00
Author
Owner

CapaKraken Action Plan: 35948517 ReactJs Secure Coding Checklist

Checklist source: Secure Coding_ReactJs.xlsx (https://ts.accenture.com/sites/Information_Security2/Protecting%20Accenture/Shared%20Documents/Client%20Data%20Protection%20WordPress%20Site/Resources/Secure%20Coding%20Checklists/Secure%20Coding_ReactJs.xlsx)

Current state:

  • React 18 + Next.js 15 App Router
  • TypeScript strict
  • DOMPurify for user HTML

Typical ReactJS checklist items (to be verified against Excel Online):

  • No dangerouslySetInnerHTML without DOMPurify
  • No eval() or Function() constructors
  • XSS prevention: JSX escapes automatically; no string concatenation
  • No sensitive data in React state or localStorage (session tokens go in HttpOnly cookies)
  • No external URLs via template string in <a href> without validation
  • CSP script-src 'self' (3.2.2.3.13 OK)
  • rel="noopener noreferrer" on target="_blank" links
  • Dependencies (React, Next, …) in Dependabot
  • Evidence: grep report over the codebase for the forbidden patterns

Todos:

  • Open the checklist in Excel Online and confirm each item
  • Evidence: completed checklist in samples/CDP/attestations/reactjs.pdf
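The action plan above names a grep report over the codebase for the forbidden patterns as evidence. The following is an added example of such a scan (not CapaKraken project code); the rule set, the file name and the sample component are constructed here and cover four of the listed items: eval()/Function(), dangerouslySetInnerHTML without DOMPurify, tokens in localStorage, and target="_blank" without rel="noopener noreferrer".

```javascript
// Added example (not CapaKraken project code): a grep-style scan producing the
// evidence report; rules, file name and the sample source are constructed here.
const RULES = [
  { id: "no-eval", msg: "eval() / Function() constructor is forbidden",
    re: /\beval\s*\(|\bnew\s+Function\s*\(/g },
  { id: "raw-html", msg: "dangerouslySetInnerHTML without DOMPurify.sanitize()",
    re: /dangerouslySetInnerHTML\s*=\s*\{\{\s*__html:\s*([^}]*)\}\}/g,
    // the injected expression is acceptable only when wrapped in DOMPurify.sanitize()
    ok: (m) => /DOMPurify\.sanitize\s*\(/.test(m[1]) },
  { id: "token-storage", msg: "session token written to localStorage (use HttpOnly cookie)",
    re: /localStorage\.setItem\s*\(\s*['"][^'"]*(token|session|jwt)[^'"]*['"]/gi },
  { id: "blank-noopener", msg: 'target="_blank" without rel="noopener noreferrer"',
    re: /<a\b[^>]*target\s*=\s*["']_blank["'][^>]*>/g,
    ok: (m) => /rel\s*=\s*["'][^"']*noopener/.test(m[0]) && /rel\s*=\s*["'][^"']*noreferrer/.test(m[0]) },
];

// 1-based line number of a character offset in src
function lineOf(src, index) {
  return src.slice(0, index).split("\n").length;
}

// Run every rule over one file's text; returns {file, line, rule, msg} per hit.
// Regex-based on purpose (grep-level evidence), so findings are reviewed by hand.
function scanSource(file, src) {
  const findings = [];
  for (const rule of RULES) {
    rule.re.lastIndex = 0;
    let m;
    while ((m = rule.re.exec(src)) !== null) {
      if (rule.ok && rule.ok(m)) continue;
      findings.push({ file, line: lineOf(src, m.index), rule: rule.id, msg: rule.msg });
    }
  }
  return findings;
}
// Constructed sample component mixing compliant and non-compliant lines
const SAMPLE = `import DOMPurify from "dompurify";
export function Post({ html, url, token }) {
  localStorage.setItem("sessionToken", token);
  const safe = <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }} />;
  const raw = <div dangerouslySetInnerHTML={{ __html: html }} />;
  const ok = <a href={url} target="_blank" rel="noopener noreferrer">docs</a>;
  const bad = <a href={url} target="_blank">docs</a>;
  return eval("1");
}`;
function scanSample() { return scanSource("Post.jsx", SAMPLE); }
function report(findings) { return findings.map((f) => `${f.file}:${f.line} [${f.rule}] ${f.msg}`); }
console.log(report(scanSample()).join("\n"));
```

Running it on the sample reports lines 3, 5, 7 and 8 and stays silent on the two compliant lines; on a real tree, feed each source file's text to scanSource and attach the printed report as the checklist evidence.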
Author
Owner

CapaKraken compliance status

EAPPS mapping: 3.3.1.x
Status: 🟡 PARTIAL / TODO; concrete steps below

Summary

CapaKraken uses React 19 via Next.js 15. The 8 React-specific checks are run through checklist #35.

Current evidence

  • React version in apps/web/package.json
  • Props are bound primarily type-safely via TypeScript (no dangerouslySetInnerHTML on user input).

Open tasks

  • Work through detail checklist #35 (8 checks).
  • In particular, check: vulnerable third-party React libraries (npm audit), prop sanitization in rich components.

Ticket stays open until all tasks are checked off.

Author
Owner

Closure

All React-specific security checks from checklist #35 are met (7 OK + 1 performance follow-up tracked separately).

Evidence:

  • React 19.0.0, current stable (apps/web/package.json)
  • Dependabot + nightly pnpm audit --audit-level=high
  • dangerouslySetInnerHTML only in 3 controlled places (no user inputs)
  • RBAC + PermissionKey overrides
  • Next.js middleware for route protection

Ticket will be closed.

Reference: Hartmut/CapaKraken#26