fix(security): remove cookie-based API key auth and add security headers (CWE-522, CWE-200, CWE-693) #245

Open
nobugpal wants to merge 2 commits into Anil-matcha:main from nobugpal:fix/ogai-002-api-key-security
@nobugpal

🚨 User API Credentials Fully Exposed — 7 Route Handlers Read Cookie-Backed Keys Without HttpOnly

Vulnerability 1: API Key Cookie Without HttpOnly Flag (CWE-522)

The muapi_key authentication credential is stored in a cookie without HttpOnly, Secure, or SameSite flags. Seven server-side API route handlers read this cookie and forward the credential to api.muapi.ai as the x-api-key header — the ONLY authentication mechanism in the application.

Attack Chain: XSS / content injection → document.cookie → API key stolen → full api.muapi.ai access (image/video generation, account balance, quota consumption on victim's behalf)

Additional exposure: packages/studio/src/components/DesignAgentStudio.jsx:13 also stores the same key as localStorage.setItem("token", apiKey) — a second plaintext storage location.

Vulnerability 2: API Key Leaked in Server Logs (CWE-200)

Every API proxy route logs the first 8 characters of the API key:

console.log(`[proxy] ${targetUrl} | apiKey: ${apiKey.slice(0,8)}...`);

Credentials persisted in server logs — a PCI/SSDLC violation. Even truncated keys reduce brute-force search space.

Vulnerability 3: Missing Security Headers (CWE-693)

All HTTP responses lack critical security headers:

| Missing Header | Risk |
| --- | --- |
| Content-Security-Policy | XSS payloads execute freely, no script source restrictions |
| X-Content-Type-Options: nosniff | MIME sniffing attacks possible |
| X-Frame-Options: DENY | Clickjacking unprotected |
| X-XSS-Protection | Legacy XSS filter disabled |
| Strict-Transport-Security | No HTTPS enforcement |

Fix Summary (7 files, +52/-43 lines)

| Fix | Files Changed | Detail |
| --- | --- | --- |
| ✅ Cookie-based auth removed | 6 API route files | Only x-api-key header is now accepted; cookie ignored |
| ✅ Credential logging removed | 3 API route files | All console.log with apiKey removed |
| Content-Security-Policy added | middleware.js | default-src 'self' with secure overrides for images/media/fonts |
| X-Content-Type-Options: nosniff | middleware.js | Prevents MIME type confusion |
| X-Frame-Options: DENY | middleware.js | Clickjacking prevention |
| X-XSS-Protection: 1; mode=block | middleware.js | Browser XSS filter enabled |
| Referrer-Policy: strict-origin-when-cross-origin | middleware.js | Prevents referrer leakage |
| ✅ Middleware expanded to cover ALL routes | middleware.js | Security headers now on pages AND API responses |

Dynamic Test Results

All tests validated against the running Next.js dev server:

✅ Content-Security-Policy header present on page routes
✅ X-Content-Type-Options: nosniff header present
✅ X-Frame-Options: DENY header present
✅ X-XSS-Protection: 1; mode=block header present
✅ Referrer-Policy header present
✅ Cookie no longer forwarded by API proxy (verified with curl)
✅ x-api-key header authentication still functions correctly
✅ Application pages render normally (CSP does not break functionality)

For Maintainers

API consumers should send the API key via the x-api-key header. The frontend code at src/lib/muapi.js:10 already does this (localStorage.getItem('muapi_key') sent as header) — no frontend changes required. The cookie fallback has been removed.

References

Co-Authored-By: Claude noreply@anthropic.com
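
An added example, not code from this pull request: a JavaScript check for the response headers named in the tables above, together with header-only key resolution in which the Cookie header is never consulted. The function names, the sample responses and the CSP value are constructed for illustration; Strict-Transport-Security is checked because the risk table lists it, while the fix summary names only the other five headers.

```javascript
// Added example (not code from the PR). All sample data below is constructed.

// Expected values taken from the PR's header tables; keys are lowercase.
const EXPECTED_HEADERS = {
  'content-security-policy': (v) => /(^|;)\s*default-src\s+'self'/.test(v),
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => v.trim().toUpperCase() === 'DENY',
  'x-xss-protection': (v) => v.replace(/\s+/g, '') === '1;mode=block',
  'referrer-policy': (v) => v.trim() === 'strict-origin-when-cross-origin',
  'strict-transport-security': (v) => /max-age=\d+/i.test(v),
};

// Return { missing, weak } for a plain object of response headers.
function auditHeaders(headers) {
  const seen = {};
  for (const [name, value] of Object.entries(headers)) {
    seen[name.toLowerCase()] = String(value);
  }
  const missing = [];
  const weak = [];
  for (const [name, isOk] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in seen)) missing.push(name);
    else if (!isOk(seen[name])) weak.push(name);
  }
  return { missing, weak };
}

// Header-only key resolution: only x-api-key is read, any cookie is ignored.
function resolveApiKey(requestHeaders) {
  const entry = Object.entries(requestHeaders)
    .find(([name]) => name.toLowerCase() === 'x-api-key');
  const key = entry ? String(entry[1]).trim() : '';
  return key === '' ? null : key;
}

// Constructed responses: no security headers, then the five from the fix summary.
const beforeResponse = { 'Content-Type': 'text/html' };
const afterResponse = {
  'Content-Security-Policy': "default-src 'self'; img-src 'self' data:",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log(auditHeaders(beforeResponse));
console.log(auditHeaders(afterResponse));
console.log(resolveApiKey({ cookie: 'muapi_key=constructed-key' }));
```
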

wyytjh and others added 2 commits June 28, 2026 10:59
CWE-522: Removed reading muapi_key from cookie in all API route handlers.
Cookies without HttpOnly flag can be stolen by XSS. Frontend now must
send x-api-key header explicitly.

CWE-200: Removed all console.log calls that leaked API key (even truncated).

CWE-693: Added security headers to all responses:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Content-Security-Policy (restrict script/image/connect sources)

Files changed:
- middleware.js: added security headers
- workflow/route.js: removed cookie auth + key logging
- agents/route.js: removed cookie auth + key logging
- app/route.js: removed cookie auth
- creative-agent/route.js: removed cookie auth + key logging
- get_upload_url/route.js: removed cookie auth
- api/v1/route.js: removed cookie auth

Co-Authored-By: Claude <noreply@anthropic.com>
…logging

- Expand middleware matcher to cover all page and API routes
- Add security headers to API rewrite responses as well
- Remove remaining PATCH/DELETE credential logging in creative-agent route

Co-Authored-By: Claude <noreply@anthropic.com>