fix(security): remove cookie-based API key auth and add security headers (CWE-522, CWE-200, CWE-693)#245
Open
nobugpal wants to merge 2 commits into
Open
Conversation
CWE-522: Removed reading muapi_key from cookie in all API route handlers. Cookies without HttpOnly flag can be stolen by XSS. Frontend now must send x-api-key header explicitly. CWE-200: Removed all console.log calls that leaked API key (even truncated). CWE-693: Added security headers to all responses: - X-Content-Type-Options: nosniff - X-Frame-Options: DENY - X-XSS-Protection: 1; mode=block - Referrer-Policy: strict-origin-when-cross-origin - Content-Security-Policy (restrict script/image/connect sources) Files changed: - middleware.js: added security headers - workflow/route.js: removed cookie auth + key logging - agents/route.js: removed cookie auth + key logging - app/route.js: removed cookie auth - creative-agent/route.js: removed cookie auth + key logging - get_upload_url/route.js: removed cookie auth - api/v1/route.js: removed cookie auth Co-Authored-By: Claude <noreply@anthropic.com>
…logging - Expand middleware matcher to cover all page and API routes - Add security headers to API rewrite responses as well - Remove remaining PATCH/DELETE credential logging in creative-agent route Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🚨 User API Credentials Fully Exposed — 7 Route Handlers Read Cookie-Backed Keys Without HttpOnly
Vulnerability 1: API Key Cookie Without HttpOnly Flag (CWE-522)
The
muapi_keyauthentication credential is stored in a cookie without HttpOnly, Secure, or SameSite flags. Seven server-side API route handlers read this cookie and forward the credential toapi.muapi.aias thex-api-keyheader — the ONLY authentication mechanism in the application.Attack Chain: XSS / content injection →
document.cookie→ API key stolen → fullapi.muapi.aiaccess (image/video generation, account balance, quota consumption on victim's behalf)Additional exposure:
packages/studio/src/components/DesignAgentStudio.jsx:13also stores the same key aslocalStorage.setItem("token", apiKey)— a second plaintext storage location.Vulnerability 2: API Key Leaked in Server Logs (CWE-200)
Every API proxy route logs the first 8 characters of the API key:
Credentials persisted in server logs — a PCI/SSDLC violation. Even truncated keys reduce brute-force search space.
Vulnerability 3: Missing Security Headers (CWE-693)
All HTTP responses lack critical security headers:
Content-Security-PolicyX-Content-Type-Options: nosniffX-Frame-Options: DENYX-XSS-ProtectionStrict-Transport-SecurityFix Summary (7 files, +52/-43 lines)
x-api-keyheader is now accepted; cookie ignoredconsole.logwith apiKey removedContent-Security-Policyaddedmiddleware.jsdefault-src 'self'with secure overrides for images/media/fontsX-Content-Type-Options: nosniffmiddleware.jsX-Frame-Options: DENYmiddleware.jsX-XSS-Protection: 1; mode=blockmiddleware.jsReferrer-Policy: strict-origin-when-cross-originmiddleware.jsmiddleware.jsDynamic Test Results
All tests validated against the running Next.js dev server:
For Maintainers
API consumers should send the API key via the
x-api-keyheader. The frontend code atsrc/lib/muapi.js:10already does this (localStorage.getItem('muapi_key')sent as header) — no frontend changes required. The cookie fallback has been removed.References
Co-Authored-By: Claude noreply@anthropic.com