
GSA_kwCzR0hTQS03d3czLXh2ZjUtY3h3bc4ABWN9

Low CVSS: 2.1

ciguard: Web UI is missing HTTP defence-in-depth headers

Affected Packages        Affected Versions     Fixed Versions
pypi:ciguard             >= 0.1.0, <= 0.8.1    0.8.2
PURL: pkg:pypi/ciguard

0 Dependent packages
0 Dependent repositories
2,775 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.8.1

All unaffected versions

0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.3, 0.9.4, 0.10.0, 0.11.0, 0.11.1, 0.11.2

Summary

ciguard's FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).

Threat scenario

For local-only deployment (current intent): minimal — there's no untrusted browser context, no third-party hosting, no auth surface to protect.

For public hosting (PRD Slice 9 GitHub App or hosted dashboard, future): each missing header reduces a defence layer:

  • Missing CSP → injected XSS would have no second-line defence (first-line Jinja autoescape remains intact)
  • Missing X-Frame-Options → clickjacking against any UI button would be possible
  • Missing SRI on jsdelivr-hosted Swagger UI → if jsdelivr were compromised, attacker JS would run in the docs page context

Patch

  • New SecurityHeadersMiddleware at src/ciguard/web/security_headers.py injecting: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy no-referrer, Permissions-Policy interest-cohort=(), Cross-Origin-Opener-Policy same-origin, Cross-Origin-Resource-Policy same-origin, plus per-path CSP with /api/docs + /api/redoc carve-out for cdn.jsdelivr.net (Swagger UI / ReDoc dependency).
  • COEP intentionally NOT set: would break Swagger UI's cross-origin assets, and ciguard makes no SharedArrayBuffer use that would benefit.
  • Registered via app.add_middleware(SecurityHeadersMiddleware).
  • 6 regression tests in tests/test_web.py::TestSecurityHeaders.
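As an added illustration (not ciguard's own src/ciguard/web/security_headers.py), a framework-free ASGI middleware that injects the header set listed above, applies the relaxed CSP only on /api/docs and /api/redoc for cdn.jsdelivr.net, and leaves COEP unset; the CSP directive values, the demo app and the offline driver are assumptions:

```python
import asyncio
# Hypothetical stand-in for ciguard's SecurityHeadersMiddleware; the CSP directives are assumed.
DOCS_PATHS = ("/api/docs", "/api/redoc")  # Swagger UI / ReDoc pull assets from cdn.jsdelivr.net
STRICT_CSP = "default-src 'self'; frame-ancestors 'none'; base-uri 'self'"
DOCS_CSP = ("default-src 'self'; frame-ancestors 'none'; script-src 'self' https://cdn.jsdelivr.net; "
            "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https://cdn.jsdelivr.net")
STATIC_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "no-referrer",
    "permissions-policy": "interest-cohort=()",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    # Cross-Origin-Embedder-Policy deliberately omitted: it would block the docs pages' CDN assets.
}

def headers_for(path: str) -> dict:  # static headers plus the CSP variant for this path
    return {**STATIC_HEADERS, "content-security-policy": DOCS_CSP if path in DOCS_PATHS else STRICT_CSP}

class SecurityHeadersMiddleware:  # pure-ASGI wrapper; never overrides a header the app already set
    def __init__(self, app):
        self.app = app
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        extra = headers_for(scope.get("path", "/"))
        async def send_wrapper(message):
            if message["type"] == "http.response.start":
                headers = message["headers"] = list(message.get("headers", []))
                present = {name.lower() for name, _ in headers}
                headers.extend((k.encode("latin-1"), v.encode("latin-1"))
                               for k, v in extra.items() if k.encode("latin-1") not in present)
            await send(message)
        await self.app(scope, receive, send_wrapper)

async def demo_app(scope, receive, send):  # constructed stand-in for the real FastAPI app
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/html; charset=utf-8")]})

def response_headers(path: str) -> dict:  # drive one GET through the middleware offline
    captured = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        captured.append(message)
    scope = {"type": "http", "method": "GET", "path": path}
    asyncio.run(SecurityHeadersMiddleware(demo_app)(scope, receive, send))
    start = next(m for m in captured if m["type"] == "http.response.start")
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in start["headers"]}
```

With the real app, wiring is app.add_middleware(SecurityHeadersMiddleware) as the advisory states; response_headers("/") returns the app's content-type plus the 7 injected headers.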

Discovery

Found by OWASP ZAP baseline scan during ciguard's first self-conducted pentest cycle, 2026-04-26.

CVSS Scoring

  • CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium per v3.1 thresholds)
  • CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N — first.org calc 4.3 (Low); GitHub's calc 2.1 (Low). All consistent at Low/borderline.

Verification

$ curl -sI http://127.0.0.1:8080/ | grep -iE '^(X-Frame|X-Content|Referrer|Permissions|Cross-Origin|Content-Security)'
# No colon after the prefixes (the full names continue, e.g. X-Frame-Options); -i because ASGI servers commonly emit lowercase header names
# Pre-fix: empty
# Post-fix: 7 headers present
