Summary
The Helmet middleware is registered with contentSecurityPolicy: false, disabling CSP entirely. Without CSP, any XSS that reaches the browser has no second line of defence.
Affected File
src/api.ts (~line 76–78)
Vulnerable Code
api.register(helmet, {
  contentSecurityPolicy: false, // CSP managed per-deployment
});
Recommendation
Enable a baseline CSP. For a JSON API server the policy can be strict since no HTML is served:
api.register(helmet, {
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'none'"],
      frameAncestors: ["'none'"],
    },
  },
});
If the Swagger UI endpoint (/api/docs) requires relaxed directives, apply a route-level override only for that path.
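The following stand-alone JavaScript is an added illustration of the recommendation above; it is not code from the audited project or from Helmet. It builds the header value that the baseline directives produce (standard Content-Security-Policy syntax, camelCase keys mapped to their directive names), parses a response header back into directives, and checks it against the two requirements for a pure JSON API. The relaxed directive set for the Swagger UI route is an assumption used only to show the contrast; what /api/docs actually needs depends on the swagger-ui build in use.

```javascript
// Added example; not code from the audited project or from Helmet itself.
// Builds Content-Security-Policy header values from Helmet-style directive
// objects and checks a response's header against the baseline recommended
// for a pure JSON API (default-src 'none', frame-ancestors 'none').

// Baseline from the recommendation above.
const API_BASELINE_DIRECTIVES = {
  defaultSrc: ["'none'"],
  frameAncestors: ["'none'"],
};

// Assumed relaxed set for the Swagger UI route only; what /api/docs really
// needs depends on the swagger-ui build, so treat this as a starting point.
const SWAGGER_UI_DIRECTIVES = {
  defaultSrc: ["'self'"],
  scriptSrc: ["'self'"],
  styleSrc: ["'self'", "'unsafe-inline'"],
  imgSrc: ["'self'", 'data:'],
  frameAncestors: ["'none'"],
};

// camelCase directive key -> header directive name (defaultSrc -> default-src).
function directiveName(camel) {
  return camel.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Serialize to the standard header syntax: "name v1 v2; name v1".
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => [directiveName(name), ...values].join(' '))
    .join('; ');
}

// Parse a header value back into { 'default-src': ["'none'"], ... }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out[name.toLowerCase()] = values;
  }
  return out;
}

// Check a response header map (lower-cased header names) for the API baseline.
// Returns { ok, problems, extra }: `extra` lists directives beyond the two
// required ones, which is what you see when Helmet merged its default set.
function checkApiCsp(headers) {
  const raw = headers['content-security-policy'];
  if (!raw) {
    return { ok: false, problems: ['Content-Security-Policy header missing'], extra: [] };
  }
  const csp = parseCsp(raw);
  const problems = [];
  for (const [name, want] of [['default-src', "'none'"], ['frame-ancestors', "'none'"]]) {
    const got = (csp[name] || []).join(' ');
    if (got !== want) problems.push(`${name} is "${got || '(absent)'}", expected ${want}`);
  }
  const extra = Object.keys(csp).filter((n) => n !== 'default-src' && n !== 'frame-ancestors');
  return { ok: problems.length === 0, problems, extra };
}

// Constructed sample responses: before and after the fix.
const RESPONSE_BEFORE_FIX = { 'content-type': 'application/json' };
const RESPONSE_AFTER_FIX = {
  'content-type': 'application/json',
  'content-security-policy': serializeCsp(API_BASELINE_DIRECTIVES),
};
```

One caveat worth verifying against the live responses rather than the config: when a `directives` object is supplied, current Helmet releases merge it with Helmet's default directive set unless `useDefaults: false` is also given, so the header actually sent may carry more than the two directives shown. Running `checkApiCsp` over a real `/api/...` response and inspecting `extra` confirms whether the deployed policy is the strict one intended.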
Severity
Medium — Weakens XSS defence-in-depth; no direct exploitability on a pure API server, but required for baseline hardening.
Found by automated security audit.