fix(security): remove cookie-based API key auth and add security headers (CWE-522, CWE-200, CWE-693)#245
Conversation
CWE-522: Removed reading muapi_key from cookie in all API route handlers. Cookies without HttpOnly flag can be stolen by XSS. Frontend now must send x-api-key header explicitly. CWE-200: Removed all console.log calls that leaked API key (even truncated). CWE-693: Added security headers to all responses: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy (restrict script/image/connect sources) Files changed: - middleware.js: added security headers - workflow/route.js: removed cookie auth + key logging - agents/route.js: removed cookie auth + key logging - app/route.js: removed cookie auth - creative-agent/route.js: removed cookie auth + key logging - get_upload_url/route.js: removed cookie auth - api/v1/route.js: removed cookie auth Co-Authored-By: Claude <noreply@anthropic.com>
…logging - Expand middleware matcher to cover all page and API routes - Add security headers to API rewrite responses as well - Remove remaining PATCH/DELETE credential logging in creative-agent route Co-Authored-By: Claude <noreply@anthropic.com>
…eaders - electron/main.js: enable webSecurity (was disabled, CWE-1021). Verified safe — the renderer loads as file://, and locally-generated media is returned as data URLs, not file:// references, so no functionality depends on the relaxed same-origin policy. - API proxy routes (agents, api/v1, app, v1/creative-agent, v1/get_upload_url, workflow): drop the muapi_key cookie fallback for auth — cookies without HttpOnly can be read via XSS (CWE-522) — and stop logging API key prefixes to server logs (CWE-200). Only the x-api-key header is accepted now. - middleware.js: add CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers to all responses. connect-src allows *.muapi.ai (not just api.muapi.ai) since generated media and model assets are served from cdn.muapi.ai and fetched directly by the renderer (e.g. the download-image/video flows) — scoping it to api.muapi.ai only would have silently broken those. Applies PRs #244 and #245 (both closed unmerged) with the connect-src fix above. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
Applied in 7d12544 with one correction: your CSP's |
🚨 User API Credentials Fully Exposed — 7 Route Handlers Read Cookie-Backed Keys Without HttpOnly
Vulnerability 1: API Key Cookie Without HttpOnly Flag (CWE-522)
The
muapi_keyauthentication credential is stored in a cookie without HttpOnly, Secure, or SameSite flags. Seven server-side API route handlers read this cookie and forward the credential toapi.muapi.aias thex-api-keyheader — the ONLY authentication mechanism in the application.Attack Chain: XSS / content injection →
document.cookie→ API key stolen → fullapi.muapi.aiaccess (image/video generation, account balance, quota consumption on victim's behalf)Additional exposure:
packages/studio/src/components/DesignAgentStudio.jsx:13also stores the same key aslocalStorage.setItem("token", apiKey)— a second plaintext storage location.Vulnerability 2: API Key Leaked in Server Logs (CWE-200)
Every API proxy route logs the first 8 characters of the API key:
Credentials persisted in server logs — a PCI/SSDLC violation. Even truncated keys reduce brute-force search space.
Vulnerability 3: Missing Security Headers (CWE-693)
All HTTP responses lack critical security headers:
Content-Security-PolicyX-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-ProtectionStrict-Transport-SecurityFix Summary (7 files, +52/-43 lines)
x-api-keyheader is now accepted; cookie ignoredconsole.logwith apiKey removedContent-Security-Policyaddedmiddleware.jsdefault-src 'self'with secure overrides for images/media/fontsX-Content-Type-Options: nosniffmiddleware.jsX-Frame-Options: DENYmiddleware.jsX-XSS-Protection: 1; mode=blockmiddleware.jsReferrer-Policy: strict-origin-when-cross-originmiddleware.jsmiddleware.jsDynamic Test Results
All tests validated against the running Next.js dev server:
For Maintainers
API consumers should send the API key via the
x-api-keyheader. The frontend code atsrc/lib/muapi.js:10already does this (localStorage.getItem('muapi_key')sent as header) — no frontend changes required. The cookie fallback has been removed.References
Co-Authored-By: Claude noreply@anthropic.com