feat: frontend security hardening -- actionable items #924
Description
Context
Extracted from #820, which bundled 5 security items from the PR #819 review. After analysis, 2 items are already done or moot, 1 is blocked on upstream (tracked separately), and the remaining actionable items are collected here.
Items
1. ESLint rule to ban dangerouslySetInnerHTML
Pages will render user-controlled content (agent names, task titles, messages, provider labels). A lint rule catches accidental XSS vectors at write time.
Action: Add no-restricted-syntax rule to web/eslint.config.js to flag dangerouslySetInnerHTML. Allow with explicit // eslint-disable-next-line + justification comment.
Note: Zero current usages in the codebase (verified via grep).
2. Add <MotionConfig nonce> for CSP compliance
Framer Motion's PopChild (used by AnimatePresence exit animations) injects a <style> tag that violates CSP without unsafe-inline. Since v11.0.9 (March 2024), this is fixable by wrapping the app with <MotionConfig nonce="...">.
Since we're a client-side SPA (no SSR), the core animation engine (element.style.prop = value) is already CSP-safe. Only the PopChild <style> injection needs the nonce.
Action: Add <MotionConfig nonce={...}> wrapper in the app shell. The nonce can be read from a <meta> tag set by the nginx config, or generated client-side if no SSR is involved.
Items from #820 that are done or moot
| # | Item | Status |
|---|---|---|
| 1 | httpOnly cookies | Separate concern -- full auth rework, not a hardening patch. Track when cookie-based auth is prioritized. |
| 3 | Remove unsafe-inline CSP | Blocked on Radix UI upstream (tracked in dedicated issue) |
| 4 | Validate returnTo param | Moot -- no returnTo parameter exists in the codebase. Validation should be part of whatever feature adds redirect-after-login. |
| 5 | Setup endpoint idempotency | Already implemented -- check_setup_not_complete() in setup_helpers.py:384-392 raises ConflictError. |
Acceptance criteria
- ESLint rule banning dangerouslySetInnerHTML added and passing
- <MotionConfig nonce> integrated in app shell
- Verify no existing code violates the new ESLint rule
Supersedes #820.
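One way to write the rule from item 1, as an added example that is not the project's own code. It assumes web/eslint.config.js uses ESLint flat config and already parses JSX; the names `banDangerousHtml` and `BAN_MESSAGE` and the `files` glob are hypothetical. It goes slightly beyond the JSX attribute by also matching the object-property form, which reaches React through spread props or `createElement`.

```javascript
// Added example, not the project's code. Assumption: web/eslint.config.js
// exports an array of flat-config objects and already sets up JSX/TS parsing.
const BAN_MESSAGE =
  "dangerouslySetInnerHTML bypasses React's escaping. Render text as children, " +
  "or disable this line with a justification comment.";

const banDangerousHtml = {
  files: ["**/*.{js,jsx,ts,tsx}"], // assumed glob; adjust to the project layout
  rules: {
    "no-restricted-syntax": [
      "error",
      // <div dangerouslySetInnerHTML={...} />
      {
        selector: "JSXAttribute[name.name='dangerouslySetInnerHTML']",
        message: BAN_MESSAGE,
      },
      // { dangerouslySetInnerHTML: ... } used via spread props or createElement
      {
        selector: "Property[key.name='dangerouslySetInnerHTML']",
        message: BAN_MESSAGE,
      },
      // { "dangerouslySetInnerHTML": ... } written with a quoted key
      {
        selector: "Property[key.value='dangerouslySetInnerHTML']",
        message: BAN_MESSAGE,
      },
    ],
  },
};

// Flat config does not merge rule options: if a later config object sets
// options for "no-restricted-syntax" on the same files, those options replace
// the selectors above. Add banDangerousHtml as the last entry of the exported
// array, or fold these selectors into the existing rule entry.
//
// Reviewed exception at a call site, as the issue describes:
//   // eslint-disable-next-line no-restricted-syntax -- <justification>
```
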