CDP 35948520/Checkliste HTML5: 19 Web App Security Checks #33

Closed
opened 2026-04-16 09:56:09 +02:00 by Hartmut · 2 comments
## Source

- **xlsx:** `samples/CDP/checklists/html5.xlsx`
- **Parent control:** #27
- **Epic:** #1
- **Purpose:** Detailed security checks to validate the Accenture CDP Web Application Standards at code/architecture level.

## Checklist (19 checks)

### Phase: Build

#### Configuration

- [x] Verify that secure web messaging is enabled. ⚪ *`window.postMessage` is not used.*
- [x] Verify that cross origin resource sharing parameters are configured securely. ✅ *Next.js default = same-origin; no public CORS endpoints (`next.config.ts`).*
- [x] Ensure that web socket communication and validation for data is done ⚪ *No WebSockets; realtime communication via SSE + Redis.*
- [x] Verify that Server-sent event feature is enabled securely ✅ *SSE endpoints with auth check (`apps/web/src/app/api/sse/timeline/route.ts:20`).*
- [x] Verify that local storage is used securely ✅ *localStorage only for UI preferences (`useViewPrefs`, `useTheme`, `useColumnConfig`); **no** credentials/session data.*
- [x] Verify that client side databases are configured securely ⚪ *No IndexedDB / WebSQL in use.*
- [x] Ensure that privacy has been taken care of while using geolocation settings ⚪ *Geolocation API is not used.*
- [ ] Verify that application is able to prevent phishing attack 🟡 *Generic error messages + MFA option available. **TODO**: document anti-phishing explicitly in the security architecture.*
- [x] Verify that sandboxing is used safely ⚪ *No third-party iframes (`sandbox` attribute not relevant).*
- [x] Verify that offline requests have been taken care of properly ⚪ *No PWA offline support / service worker active.*
- [x] Verify that access filter is configured properly and securely ✅ *Auth middleware protects all routes (`apps/web/src/middleware.ts`).*
- [x] Verify that authentication exchange has been configured securely ✅ *Auth.js credentials provider, HTTPS, HttpOnly cookies.*
- [x] Verify that authentication message handler has been configured securely ✅ *Auth.js callbacks + Zod input validation.*
- [ ] Ensure to implement JWT token for authentication 🟡 *No JWT in the client; instead **server-side sessions** (HttpOnly cookie, `strategy: 'jwt'` internally for Edge, but not visible to the client). More secure than a client-side JWT.*
- [x] Verify that a defined structure is implemented for authentication message ✅ *Zod schemas define the structure of all auth payloads.*
- [x] Ensure that all messages received and sent by the endpoint strictly respect the expected structure and content. ✅ *All tRPC procedures with Zod input + typed output.*
- [x] Verify that token expiration has been implemented or not ✅ *Session maxAge=8h, updateAge=30min (`auth.config.ts:13`).*
- [x] Verify that message handling has been configured securely or not ✅ *See auth exchange + input validation.*
- [x] Ensure that the confidentiality and integrity is maintained ✅ *HTTPS (TLS 1.2+) + HttpOnly/Secure/SameSite=Strict cookies + CSP header.*
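Added example (not CapaKraken code and not part of the checklist): a small TypeScript self-check for two of the evidence items above, the session lifetime (`maxAge=8h`, `updateAge=30min`) and the session cookie attributes (HttpOnly/Secure/SameSite=Strict). The rolling-refresh behaviour modelled in `touchSession` is an assumption for illustration, not a reproduction of Auth.js internals; the `Set-Cookie` samples are constructed, and the function names are hypothetical.

```typescript
// Added example (not CapaKraken project code). Models the session lifetime
// policy noted in the ticket (maxAge = 8h, updateAge = 30min) and checks that a
// Set-Cookie header carries the HttpOnly / Secure / SameSite=Strict attributes.
// The rolling-refresh model is an assumption for illustration, not Auth.js's
// actual implementation.

const SESSION_MAX_AGE_SEC = 8 * 60 * 60;  // 8 hours, as in the ticket
const SESSION_UPDATE_AGE_SEC = 30 * 60;   // 30 minutes, as in the ticket

interface SessionState {
  issuedAt: number;   // unix seconds when the session was created
  updatedAt: number;  // unix seconds of the last lifetime extension
}

// A session is expired once maxAge has elapsed since its last extension.
function isSessionExpired(s: SessionState, nowSec: number, maxAge = SESSION_MAX_AGE_SEC): boolean {
  return nowSec >= s.updatedAt + maxAge;
}

// Per authenticated request: reject an expired session; otherwise extend its
// lifetime only if at least updateAge has passed since the last extension, so
// the backing store is not written on every request.
function touchSession(
  s: SessionState,
  nowSec: number,
  maxAge = SESSION_MAX_AGE_SEC,
  updateAge = SESSION_UPDATE_AGE_SEC,
): { ok: boolean; session: SessionState; refreshed: boolean } {
  if (isSessionExpired(s, nowSec, maxAge)) {
    return { ok: false, session: s, refreshed: false };
  }
  if (nowSec - s.updatedAt >= updateAge) {
    return { ok: true, session: { ...s, updatedAt: nowSec }, refreshed: true };
  }
  return { ok: true, session: s, refreshed: false };
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header: string): { name: string; value: string; attrs: Map<string, string> } {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const first = parts[0] ?? "";
  const eq = first.indexOf("=");
  const name = eq < 0 ? first : first.slice(0, eq);
  const value = eq < 0 ? "" : first.slice(eq + 1);
  const attrs = new Map<string, string>();
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase();
    const v = i < 0 ? "" : p.slice(i + 1);
    attrs.set(k, v);
  }
  return { name, value, attrs };
}

// Report missing or weak attributes on a session cookie; an empty list means
// the cookie matches the policy recorded in the checklist.
function sessionCookieFindings(header: string): string[] {
  const { attrs } = parseSetCookie(header);
  const findings: string[] = [];
  if (!attrs.has("httponly")) findings.push("missing HttpOnly");
  if (!attrs.has("secure")) findings.push("missing Secure");
  const sameSite = (attrs.get("samesite") ?? "").toLowerCase();
  if (sameSite !== "strict") findings.push(`SameSite is ${sameSite || "unset"}, expected Strict`);
  const maxAge = attrs.get("max-age");
  if (maxAge !== undefined && Number(maxAge) > SESSION_MAX_AGE_SEC) {
    findings.push(`Max-Age ${maxAge} exceeds ${SESSION_MAX_AGE_SEC}`);
  }
  return findings;
}

// Constructed sample headers (not captured from the project).
const SAMPLE_GOOD = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=28800";
const SAMPLE_WEAK = "sid=abc123; Path=/; SameSite=Lax";

console.log("good cookie findings:", sessionCookieFindings(SAMPLE_GOOD));
console.log("weak cookie findings:", sessionCookieFindings(SAMPLE_WEAK));
```

`sessionCookieFindings` is the kind of check worth running against a real login response when re-verifying the "confidentiality and integrity" item; `touchSession` makes the difference between `maxAge` (hard cutoff since last extension) and `updateAge` (how often the cutoff moves) explicit.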
Hartmut added the cdpsecurity labels 2026-04-16 09:56:09 +02:00
## Review result

Detailed analysis of all 19 checks from `samples/CDP/checklists/html5.xlsx` against the CapaKraken code and [`docs/acn-security-compliance-status.md`](../blob/main/docs/acn-security-compliance-status.md).

| Status | Count | Legend |
|--------|-------|--------|
| ✅ OK | 11 | Implemented + evidence noted inline in the ticket body |
| 🟡 PARTIAL | 2 | Baseline protection in place, formal residual item open |
| 🔴 GAP | 0 | Not implemented; concrete TODOs below |
| ⚪ N/A | 6 | Not applicable to CapaKraken |
| **Total** | **19** | |

### 🟡 Partials: follow-up advisable

- **Verify that application is able to prevent phishing attack**: Generic error messages + MFA option available. **TODO**: document anti-phishing explicitly in the security architecture.
- **Ensure to implement JWT token for authentication**: No JWT in the client; instead **server-side sessions** (HttpOnly cookie, `strategy: 'jwt'` internally for Edge, but not visible to the client). More secure than a client-side JWT.

---

**Recommendation:** No real gaps. Track the 2 partials as follow-ups; the ticket can then be closed.
## Closing

11 ✅ OK + 6 ⚪ N/A (unused HTML5 features) + 2 🟡 Partial:

- **Anti-phishing documentation** → track in parent ticket #27 or as a separate follow-up
- **JWT vs. server sessions** → architecture decision, more secure than a client-side JWT (no gap)

No real gaps. The ticket is being closed; the remaining items continue as a documentation follow-up.
Reference: Hartmut/CapaKraken#33