fix: security hardening - XSS, CORS, and cache headers #1

Merged
jperera merged 1 commit from fix/security-hardening into main 2026-04-02 20:02:19 +02:00
Owner

Summary

  • XSS fix: Escape JSON data injected into <script> tags to prevent XSS via </script> breakout in station names (render.ts)
  • CORS headers: Add Access-Control-Allow-Origin: * to all JSON API responses (server.ts)
  • Cache headers: Add Cache-Control headers to static files (CSS: 1h, favicon: 24h) (server.ts)

Details

Station names from the API are embedded directly into JavaScript via JSON.stringify(). A station name containing </script> could break out of the script tag. Added safeJsonForScript() that escapes closing script tags in JSON output.

Test plan

  • Verify dashboard loads correctly with chart data
  • Verify API responses include CORS headers
  • Verify static files include Cache-Control headers
  • Run bun test to ensure existing tests pass
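The breakout the description fixes, shown as an added example in TypeScript (not the project's `render.ts` or its `safeJsonForScript()`, whose code is not on this page). The `Station` shape, the sample data and the rendering functions are assumed for illustration. The "before" function embeds `JSON.stringify()` output straight into a `<script>` tag; the "after" function escapes `<` and `>` as `\u003c`/`\u003e`, which both JSON and the JS engine decode back, so `</script` can never appear in the emitted text. A small model of the HTML tokeniser shows what the browser actually executes in each case.

```typescript
// Added example, not code from the gasolineras project.
// JSON.stringify() escapes quotes and control characters but leaves
// "<", ">" and the U+2028/U+2029 line terminators alone. The HTML parser
// treats <script> content as raw text and ends the element at the first
// "</script" it sees, regardless of JS string quoting, so a station name
// containing "</script>" ends the block and the rest becomes markup.

interface Station {
  name: string;
  price: number;
}

// Assumed implementation of the escaping helper (the PR's own is not shown).
// "\u003c" is a valid JSON and JS string escape for "<", so the data round-trips.
// U+2028/U+2029 are escaped as well: older engines treat them as line
// terminators inside string literals and throw a syntax error.
export function safeJsonForScript(value: unknown): string {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// "Before": raw JSON.stringify() inside the script tag.
export function renderUnsafe(stations: Station[]): string {
  return `<script>const stations = ${JSON.stringify(stations)};</script>`;
}

// "After": JSON passed through safeJsonForScript().
export function renderSafe(stations: Station[]): string {
  return `<script>const stations = ${safeJsonForScript(stations)};</script>`;
}

// Minimal model of the tokeniser: script content runs up to the first
// case-insensitive "</script". Returns the JS source the browser executes.
export function scriptBodyAsBrowserSeesIt(html: string): string {
  const start = html.indexOf("<script>") + "<script>".length;
  const end = html.toLowerCase().indexOf("</script", start);
  return html.slice(start, end);
}

// Constructed sample input: one benign name and one carrying a breakout payload.
export const HOSTILE: Station[] = [
  { name: "Repsol A-2 km 30", price: 1.579 },
  { name: '</script><img src=x onerror="alert(1)">', price: 1.499 },
];

// Does the JS the browser would execute still carry the original data intact?
// false means the script was truncated at the payload (and the payload became markup).
export function roundTrips(render: (s: Station[]) => string): boolean {
  const js = scriptBodyAsBrowserSeesIt(render(HOSTILE));
  const m = js.match(/^const stations = ([\s\S]*);$/);
  if (!m) return false;
  try {
    const parsed = JSON.parse(m[1]);
    return JSON.stringify(parsed) === JSON.stringify(HOSTILE);
  } catch {
    return false;
  }
}

console.log("unsafe render intact:", roundTrips(renderUnsafe));
console.log("safe render intact:  ", roundTrips(renderSafe));
```

Escaping `<` alone is sufficient to defeat the `</script>` breakout; `>` is escaped for symmetry and to keep `-->` style sequences out of the script body. On the CORS change in the same PR, a wildcard `Access-Control-Allow-Origin: *` is only appropriate for a public, unauthenticated JSON API as described here; browsers refuse to combine `*` with `Access-Control-Allow-Credentials: true`, so if the API ever gains cookie or token based auth, the origin must be echoed from an allow-list instead.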
- Escape JSON data injected into <script> tags to prevent XSS via
  </script> breakout in station names
- Add Access-Control-Allow-Origin header to all JSON API responses
- Add Cache-Control headers to static files (CSS: 1h, favicon: 24h)
jperera deleted branch fix/security-hardening 2026-04-02 20:02:19 +02:00
Reference
jperera/gasolineras!1