CDP 35948520/Checkliste ReactJs: 8 Web App Security Checks #35

New Issue

Closed

opened 2026-04-16 09:56:09 +02:00 by Hartmut · 2 comments

Hartmut commented 2026-04-16 09:56:09 +02:00

Owner

Copy Link

Copy Source

Quelle

• xlsx: samples/CDP/checklists/reactjs.xlsx
• Parent-Control: CDP 35948517: ReactJs (#26)
• Epic: CDP Compliance Epic — alle Controls (#1)
• Zweck: Detail-Security-Checks zur Validierung der Accenture CDP Web Application Standards auf Code-/Architektur-Ebene.

Checkliste (8 Checks)

Phase: Build

Configuration

• Ensure that latest secure version of React is being used
  ✅ React 19.0.0 (apps/web/package.json) — aktuelle stable.
• Ensure that vulnerable third-party React component libraries are not used by the application.
  ✅ Dependabot + Nightly pnpm audit --audit-level=high (.github/workflows/nightly-security.yml).
• Ensure to filter all user input data passed to React element through props
  ✅ TypeScript + Zod-Schemas auf tRPC-Input; React escapt Strings automatisch.
• Serialize attacker controlled JSON to prevent XSS attacks
  ✅ React escapt automatisch; JSON.stringify in getrennten Kontexten (kein inline-JSON in HTML-Attributen).
• Ensure to maintain right/role based authorization into the application
  ✅ 5-stufiges RBAC + PermissionKey[] Overrides (system_role_configs + Middleware).
• Ensure that use of 'dangerouslySetInnerHTML' doesn't lead to XSS attacks
  ✅ Nur 3 kontrollierte Stellen: layout.tsx (Theme-Bootstrap-Script, server-generated), Sparkline.tsx + ShimmerSkeleton.tsx (kein User-Input).
• Ensure that proper cache-control has been set for index.html and for the files within build/static.
  🟡 Cache-Control: no-store global gesetzt. TODO (siehe docs/performance-optimization-review-2026-03-18.md): _next/static/* ausnehmen (langlebige hashed Assets sollten public, max-age=31536000, immutable haben).
• Ensure that react-router is used for protecting privite and protected part of the application
  ✅ Äquivalent: Next.js App Router + middleware.ts schützt alle private Routen.

## Quelle - **xlsx:** `samples/CDP/checklists/reactjs.xlsx` - **Parent-Control:** #26 - **Epic:** #1 - **Zweck:** Detail-Security-Checks zur Validierung der Accenture CDP Web Application Standards auf Code-/Architektur-Ebene. ## Checkliste (8 Checks) ### Phase: Build #### Configuration - [x] Ensure that latest secure version of React is being used ✅ *React 19.0.0 (`apps/web/package.json`) — aktuelle stable.* - [x] Ensure that vulnerable third-party React component libraries are not used by the application. ✅ *Dependabot + Nightly `pnpm audit --audit-level=high` (`.github/workflows/nightly-security.yml`).* - [x] Ensure to filter all user input data passed to React element through props ✅ *TypeScript + Zod-Schemas auf tRPC-Input; React escapt Strings automatisch.* - [x] Serialize attacker controlled JSON to prevent XSS attacks ✅ *React escapt automatisch; `JSON.stringify` in getrennten Kontexten (kein inline-JSON in HTML-Attributen).* - [x] Ensure to maintain right/role based authorization into the application ✅ *5-stufiges RBAC + `PermissionKey[]` Overrides (`system_role_configs` + Middleware).* - [x] Ensure that use of 'dangerouslySetInnerHTML' doesn't lead to XSS attacks ✅ *Nur 3 kontrollierte Stellen: `layout.tsx` (Theme-Bootstrap-Script, server-generated), `Sparkline.tsx` + `ShimmerSkeleton.tsx` (kein User-Input).* - [ ] Ensure that proper cache-control has been set for index.html and for the files within build/static. 🟡 *`Cache-Control: no-store` global gesetzt. **TODO (siehe `docs/performance-optimization-review-2026-03-18.md`)**: `_next/static/*` ausnehmen (langlebige hashed Assets sollten `public, max-age=31536000, immutable` haben).* - [x] Ensure that react-router is used for protecting privite and protected part of the application ✅ *Äquivalent: Next.js App Router + `middleware.ts` schützt alle private Routen.*

Hartmut added the cdpsecurity labels 2026-04-16 09:56:09 +02:00

Hartmut referenced this issue 2026-04-16 09:56:20 +02:00

CDP Compliance Epic — alle Controls #1

Hartmut referenced this issue 2026-04-16 10:02:29 +02:00

CDP 35948520: Web Application #25

Hartmut referenced this issue 2026-04-16 10:02:29 +02:00

CDP 35948517: ReactJs #26

Hartmut commented 2026-04-16 10:06:38 +02:00

Author

Owner

Copy Link

Copy Source

Review-Ergebnis

Detail-Analyse aller 8 Checks aus samples/CDP/checklists/reactjs.xlsx gegen CapaKraken-Code und docs/acn-security-compliance-status.md.

Status	Anzahl	Legende
✅ OK	7	Implementiert + Evidenz im Ticket-Body inline vermerkt
🟡 PARTIAL	1	Grundschutz vorhanden, formaler Restpunkt offen
🔴 GAP	0	Nicht implementiert — konkrete TODOs unten
⚪ N/A	0	Nicht anwendbar für CapaKraken
Total	8

🟡 Partials — Follow-up sinnvoll

• Ensure that proper cache-control has been set for index.html — Cache-Control: no-store global gesetzt. TODO (siehe docs/performance-optimization-review-2026-03-18.md): _next/static/* ausnehmen (langlebige hashed Assets sollten public, max-age=31536000, immutable haben).

---

Empfehlung:
Keine echten Gaps. 1 Partials als Follow-ups tracken, Ticket kann dann geschlossen werden.

## Review-Ergebnis Detail-Analyse aller 8 Checks aus `samples/CDP/checklists/reactjs.xlsx` gegen CapaKraken-Code und [`docs/acn-security-compliance-status.md`](../blob/main/docs/acn-security-compliance-status.md). | Status | Anzahl | Legende | |--------|--------|---------| | ✅ OK | 7 | Implementiert + Evidenz im Ticket-Body inline vermerkt | | 🟡 PARTIAL | 1 | Grundschutz vorhanden, formaler Restpunkt offen | | 🔴 GAP | 0 | Nicht implementiert — konkrete TODOs unten | | ⚪ N/A | 0 | Nicht anwendbar für CapaKraken | | **Total** | **8** | | ### 🟡 Partials — Follow-up sinnvoll - **Ensure that proper cache-control has been set for index.html** — `Cache-Control: no-store` global gesetzt. **TODO (siehe `docs/performance-optimization-review-2026-03-18.md`)**: `_next/static/*` ausnehmen (langlebige hashed Assets sollten `public, max-age=31536000, immutable` haben). --- **Empfehlung:** Keine echten Gaps. 1 Partials als Follow-ups tracken, Ticket kann dann geschlossen werden.

Hartmut commented 2026-04-16 10:07:34 +02:00

Author

Owner

Copy Link

Copy Source

Abschluss

7 von 8 Checks sind ✅ OK. Die eine 🟡 Partial (Cache-Control für _next/static/*) ist kein Security-Gap, sondern eine Performance-Optimierung und wird bereits in docs/performance-optimization-review-2026-03-18.md getrackt.

Ticket wird geschlossen — Performance-TODO läuft separat.

## Abschluss 7 von 8 Checks sind ✅ OK. Die eine 🟡 Partial (Cache-Control für `_next/static/*`) ist kein Security-Gap, sondern eine **Performance-Optimierung** und wird bereits in `docs/performance-optimization-review-2026-03-18.md` getrackt. Ticket wird geschlossen — Performance-TODO läuft separat.

Hartmut closed this issue 2026-04-16 10:07:34 +02:00

Hartmut referenced this issue 2026-04-16 10:07:34 +02:00

CDP 35948517: ReactJs #26

Hartmut referenced this issue 2026-04-16 10:16:34 +02:00

CDP 35948520: Web Application #25

Hartmut referenced this issue 2026-04-16 10:20:06 +02:00

CDP 35948464: General #17

Hartmut referenced this issue 2026-04-16 10:20:07 +02:00

CDP Compliance Epic — alle Controls #1

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

security/password-policy-blacklist

security/audit-2026-04-17

pre-rename-backup

Labels

Clear labels

cdp

CDP (Client Data Protection) compliance

epic

Parent/umbrella ticket

not-applicable

Control does not apply to CapaKraken scope

security

Security / compliance work

No Label cdp security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Hartmut

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hartmut/CapaKraken#35