letting 5.3 do a security audit... #169

Open
bmdavis419 wants to merge 1 commit into davis/web-resource from davis/security-audit-5-3

bmdavis419 commented Feb 6, 2026

Greptile Overview

Greptile Summary

This PR implements comprehensive security hardening across the web application based on a security audit by Claude 5.3.

Key Security Improvements

  • SSRF Prevention: Added urlSafety.ts module that validates server URLs to prevent Server-Side Request Forgery attacks by blocking private IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16), localhost, and IPv6 private addresses
  • XSS Mitigation: Fixed Cross-Site Scripting vulnerabilities in ChatMessages.svelte by escaping HTML in markdown rendering and removing inline onclick handlers
  • Timing Attack Protection: Implemented constant-time string comparison for webhook signature verification to prevent timing-based attacks
  • Webhook Security: Added timestamp validation for Svix webhooks (5-minute max skew) to prevent replay attacks
  • Information Disclosure: Prevented error message leakage in all CLI API endpoints by logging detailed errors server-side while returning generic messages to clients
  • Tabnabbing Prevention: Added noopener to all external links to prevent reverse tabnabbing attacks
  • Cache Security: Changed cache header from no-cache to no-store for SSE streams and added Cache-Control: no-store with Vary: Authorization for all API routes
  • Security Headers: Added baseline security headers via SvelteKit hooks (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy)

No breaking changes to existing functionality were introduced.

Confidence Score: 5/5

  • This PR is safe to merge - all changes are security improvements with no breaking functionality changes
  • Score reflects well-implemented security hardening measures following industry best practices, with no logic errors or functionality breaks detected
  • No files require special attention - all security implementations are sound

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/web/src/convex/urlSafety.ts | Added comprehensive URL safety validation to prevent SSRF attacks against private IPs and localhost |
| apps/web/src/convex/http.ts | Added timing-safe signature comparison, webhook timestamp validation, safer URL construction, and improved cache headers |
| apps/web/src/hooks.server.ts | Added security headers and API response caching controls via SvelteKit hooks |
| apps/web/src/lib/components/ChatMessages.svelte | Fixed XSS vulnerabilities by escaping HTML in markdown, removed inline onclick handlers, improved event handling |
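
The SSRF check described in the summary, sketched as an added example (this is not the PR's urlSafety.ts, whose code does not appear on this page): a validator for the IPv4 ranges listed in the summary plus localhost. The names `checkServerUrl`, `inBlockedV4` and `inBlockedV6`, and the exact set of IPv6 ranges treated as private, are assumptions.

```typescript
// Added example. Function and constant names are hypothetical, not taken from urlSafety.ts.
type Verdict = { ok: boolean; reason: string };

// IPv4 ranges listed in the PR summary, as [network, prefix length].
const BLOCKED_V4: Array<[string, number]> = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
];

function v4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function inBlockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n === null) return false; // not a dotted-quad literal
  return BLOCKED_V4.some(([net, bits]) => {
    const size = Math.pow(2, 32 - bits); // addresses per block
    return Math.floor(n / size) === Math.floor((v4ToInt(net) as number) / size);
  });
}

// Assumption: "IPv6 private addresses" is read as loopback, unspecified,
// unique-local fc00::/7, link-local fe80::/10, and IPv4-mapped forms of BLOCKED_V4.
function inBlockedV6(bracketed: string): boolean {
  const h = bracketed.slice(1, -1).toLowerCase(); // strip the [ ] from URL.hostname
  if (h === "::1" || h === "::") return true;
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h); // URL parser emits the hex form
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return inBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join("."));
}

function checkServerUrl(raw: string): Verdict {
  let url: URL;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (/(^|\.)localhost$/.test(host)) return { ok: false, reason: "localhost" };
  const blocked = host.charAt(0) === "[" ? inBlockedV6(host) : inBlockedV4(host);
  if (blocked) return { ok: false, reason: "private or loopback address" };
  // A DNS name that passes can still resolve to a blocked address, so the
  // resolved address needs the same check where the request is actually made.
  return { ok: true, reason: "allowed" };
}
```

Checking the parsed `hostname` rather than the raw string means the decision is made on the same normalized host the HTTP client will use.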

bmdavis419 changed the title from "audit" to "letting 5.3 do a security audit..." Feb 6, 2026

bmdavis419 commented Feb 6, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.

bmdavis419 marked this pull request as ready for review February 6, 2026 02:19
bmdavis419 force-pushed the davis/security-audit-5-3 branch from f515780 to f1c78d0 February 6, 2026 02:23