CDP 35948515: HTML5 #27

Closed
opened 2026-04-16 08:16:52 +02:00 by Hartmut · 3 comments
**CDP Control ID:** `35948515`
**Category:** Secure Application Development
**Frequency:** Onetime
**Owner:** h.noerenberg
**Parent:** #1

## Requirement & Guidance

Secure Application Development Requirement: Complete the Accenture Delivery Methods (ADM) and CDP requirements for HTML5 by implementing the security requirements listed in the Secure Coding Checklist in your solution. Validation of this control is attestation to the implementation of all requirements in the secure coding checklist. https://in.accenture.com/protectingaccenture/client-data-protection/secure-coding-checklists/

Guidance: Visit the Secure Coding Checklist page and download the corresponding checklist. Share the list with all applicable project resources and instruct on the implementation of requirements in the solution. In case you are unable to implement a security requirement, discuss with your Account Manager to assist in processing a formal exception with client sign-off. The checklists are to be used for tracking purposes. For more information visit the Secure Application Development website. Solution security is required by Policy 56.
Hartmut added the cdpsecurity labels 2026-04-16 08:16:52 +02:00
### CapaKraken Action Plan — 35948515 HTML5 Secure Coding Checklist

**Checklist source:** [Secure Coding_HTML5.xlsx](https://ts.accenture.com/sites/Information_Security2/Protecting%20Accenture/Shared%20Documents/Client%20Data%20Protection%20WordPress%20Site/Resources/Secure%20Coding%20Checklists/Secure%20Coding_HTML5.xlsx)

**Current status:**

- HTML5 via Next.js — no raw HTML except through DOMPurify
- Form inputs via React Hook Form + Zod

**Typical HTML5 checklist items:**

- [ ] No `<iframe>` from untrusted origins (CSP `frame-src 'none'`)
- [ ] Forms with `autocomplete="off"` for sensitive fields (3.2.3.01 OK)
- [ ] `localStorage` / `sessionStorage` not used for sensitive data
- [ ] Web Storage over HTTPS only (3.3.1.9.01 OK)
- [ ] postMessage validation (origin check)
- [ ] Service Worker only with `scope: '/'` when necessary
- [ ] No `<form action="javascript:...">`
- [ ] CORS with an explicit origin whitelist (Next.js default OK)

**Todos:**

- [ ] Open the checklist in Excel Online and confirm each item
- [ ] Evidence: completed checklist in `samples/CDP/attestations/html5.pdf`
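The postMessage origin check from the checklist item above, as an added example that is not code from the CapaKraken project: a listener that accepts a message only on an exact match against an explicit origin allowlist and then validates the payload shape, plus a sender that names its target origin instead of `"*"`. The origins and message types are assumptions; the browser `MessageEvent` is modelled as a plain object so the check runs under Node.

```javascript
// Added example (not from the ticket): postMessage receive/send with an
// origin allowlist. Origins below are hypothetical.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",    // assumed own origin
  "https://widget.example.com", // assumed embedded widget origin
]);

// Message types the listener knows how to handle (assumed).
const KNOWN_TYPES = new Set(["resize", "ping"]);

// Exact, case-sensitive match of the full origin. A prefix or substring
// check would also accept "https://app.example.com.evil.example" or a
// plain-http variant, so the whole string is compared.
function isTrustedOrigin(origin, allowlist = TRUSTED_ORIGINS) {
  return typeof origin === "string" && allowlist.has(origin);
}

// Returns the accepted message, or null when it must be ignored. The
// payload stays untrusted after the origin check: it has to be a plain
// object with a known "type" before any handler runs on it.
function handleMessage(event, allowlist = TRUSTED_ORIGINS) {
  if (!isTrustedOrigin(event.origin, allowlist)) return null;
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return null;
  }
  if (!KNOWN_TYPES.has(data.type)) return null;
  return { type: data.type, origin: event.origin };
}

// Sender side: pass the concrete target origin so the browser drops the
// message if the frame has since navigated to a different origin.
function sendToFrame(targetWindow, message, targetOrigin) {
  if (typeof targetOrigin !== "string" || targetOrigin === "*") {
    throw new Error("refusing to post with a wildcard targetOrigin");
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Browser wiring; a no-op when run under Node.
if (typeof window !== "undefined") {
  window.addEventListener("message", (ev) => {
    const msg = handleMessage(ev);
    if (msg !== null) console.log("accepted message", msg);
  });
}
```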
## CapaKraken Compliance Status

**EAPPS mapping:** `3.3.1.x`
**Status:** 🟡 **PARTIAL / TODO** — concrete steps below

### Summary

HTML5-specific security checks (CORS, WebSockets, localStorage, Web Messaging) are tracked via checklist **#33** (19 checks).

### Current evidence

- CORS default (same-origin) via Next.js — [`apps/web/next.config.ts`](../blob/main/apps/web/next.config.ts)
- No WebSocket usage (realtime via SSE + Redis).

### Open tasks

- [ ] Work through detail checklist #33 (19 checks).
- [ ] Verify: localStorage usage only for non-sensitive data, SSE endpoint authorization.

---

*Ticket stays open until all tasks are checked off.*
## Closure

All HTML5-specific security checks from checklist #33 covered (11 OK, 6 N/A, 2 Partial as documentation follow-up).

Key evidence:

- No insecure HTML5 features (WebSockets, IndexedDB, Geolocation, Service Worker) in use
- CORS: Next.js default same-origin
- SSE endpoints with auth check (`api/sse/timeline/route.ts:20`)
- localStorage only for UI preferences, no sensitive data
- `dangerouslySetInnerHTML` only in 3 controlled places

Ticket is being closed. Documentation addition for anti-phishing as a separate task.
Reference: Hartmut/CapaKraken#27