feat(gateway): harden VNC tunnel security with HMAC tokens and security headers #29

Merged: zooqueen merged 1 commit into main from feat/vnc-security-hardening on Feb 25, 2026



@zooqueen

Summary

  • HMAC-signed tunnel tokens: VNC tunnel IDs are now signed with a per-instance HMAC-SHA256 key. The /vnc-tunnel endpoint verifies the signature with constant-time comparison before accepting connections. This adds defense-in-depth (UUID randomness + HMAC + 15s expiry + one-time use).
  • Security headers on /vnc-viewer: Referrer-Policy (prevents gateway token leaking via HTTP Referer), CSP (restricts scripts to esm.sh only, WebSocket to gateway host only), HSTS, X-Frame-Options: DENY, Cache-Control: no-store.
  • HTML meta referrer tag: Defense-in-depth for older browsers that don't respect the HTTP header.

Security Model

| Layer | Protection |
| --- | --- |
| TLS (nginx-ingress) | Encrypted transport, prevents eavesdropping |
| Gateway token auth | authorizeCanvasRequest with timing-safe comparison + rate limiting |
| HMAC tunnel tokens | Cryptographic proof tunnel was issued by this gateway instance |
| 15s tunnel expiry | Time-bounded attack window |
| One-time tunnel use | Token deleted after first use |
| CSP | Prevents XSS, restricts script/connect origins |
| Referrer-Policy | Prevents token leaking via HTTP Referer header |
| HSTS | Forces HTTPS, prevents downgrade attacks |
| X-Frame-Options | Prevents clickjacking |
| Cache-Control | Prevents token caching in proxies/browsers |

Test plan

  • CI passes (lint + build)
  • VNC viewer loads at /vnc-viewer?token=...&nodeId=...
  • VNC tunnel connects successfully (HMAC-signed token accepted by node callback)
  • Invalid/tampered tunnel IDs rejected with 403
  • Security headers present in /vnc-viewer response (verify with curl -I)
  • No Referer header sent when navigating away from VNC viewer

🤖 Generated with Claude Code
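
Added example, not code from this PR: one way to implement the layered tunnel-token check described in the summary (per-instance HMAC-SHA256 key, constant-time comparison, 15s expiry, one-time use) in Node.js. The names `createTunnelIssuer`, `issue` and `redeem`, the `id.signature` token format, and the 403 returned for expired or replayed tokens are assumptions.

```javascript
// Added example (not the project's code): HMAC-signed, expiring, one-time tunnel tokens.
const { createHmac, randomBytes, randomUUID, timingSafeEqual } = require("node:crypto");

const TUNNEL_TTL_MS = 15_000; // 15s tunnel expiry, as stated in the PR summary

// Hypothetical factory: one issuer per gateway process. `now` is injectable for testing.
function createTunnelIssuer(now = Date.now) {
  const key = randomBytes(32); // per-instance key; tokens do not survive a restart
  const pending = new Map();   // tunnel id -> expiry timestamp in ms

  const sign = (id) => createHmac("sha256", key).update(id).digest();

  // Issue a token of the assumed form "<uuid>.<base64url HMAC-SHA256(uuid)>".
  function issue() {
    const id = randomUUID();
    pending.set(id, now() + TUNNEL_TTL_MS);
    return `${id}.${sign(id).toString("base64url")}`;
  }

  // Returns an HTTP-style status: 200 to accept the tunnel, 403 to reject it.
  function redeem(token) {
    if (typeof token !== "string") return 403;
    const dot = token.lastIndexOf(".");
    if (dot < 0) return 403;
    const id = token.slice(0, dot);
    const given = Buffer.from(token.slice(dot + 1), "base64url");
    const expected = sign(id);
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
      return 403; // forged or tampered: rejected before any state lookup
    }
    const expiry = pending.get(id);
    pending.delete(id); // one-time use: consumed on first valid presentation
    if (expiry === undefined || now() > expiry) return 403; // replayed or expired
    return 200;
  }

  return { issue, redeem };
}
```

Verifying the signature before touching the pending-tunnel map means a request with a guessed or altered ID never consumes or probes a live tunnel entry.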

… security headers (#29)

- Add per-instance HMAC-SHA256 signing key for VNC tunnel tokens
  (defense-in-depth against tunnel ID brute-force)
- Verify HMAC signature before accepting /vnc-tunnel connections
  with constant-time comparison to prevent timing attacks
- Add security headers to /vnc-viewer response:
  Referrer-Policy: no-referrer (prevents token leaking)
  X-Frame-Options: DENY (prevents clickjacking)
  Strict-Transport-Security (enforces HTTPS)
  Content-Security-Policy (restricts script sources to esm.sh)
  Cache-Control: no-store (prevents token caching)
- Add <meta name="referrer" content="no-referrer"/> to viewer HTML

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zooqueen zooqueen merged commit 48861bf into main Feb 25, 2026
18 of 20 checks passed
zooqueen added a commit that referenced this pull request Feb 25, 2026
The CSP header added in #29 blocked the inline <script> and <style>
tags in the VNC viewer HTML, causing a white screen. Generate a
per-request cryptographic nonce and include it in both the CSP header
(script-src/style-src) and the HTML tags (nonce="...").

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
zooqueen added a commit that referenced this pull request Feb 25, 2026
…) (#30)

zooqueen added a commit that referenced this pull request Mar 6, 2026
… security headers (#29) (#29)

zooqueen added a commit that referenced this pull request Mar 6, 2026
…) (#30)
