accc734
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 10, 2026
362e640
Merge branch 'OWASP:main' into zap-fixes
nios-x Jan 10, 2026
94cdac5
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 10, 2026
11905d7
Merge branch 'OWASP:main' into zap-fixes
nios-x Jan 10, 2026
efa2199
Merge branch 'main' into zap-fixes
nios-x Jan 11, 2026
73e0db9
Merge branch 'OWASP:main' into zap-fixes
nios-x Jan 11, 2026
7d024b0
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
c6b8260
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
5224936
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
6e21f40
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
406ab2a
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
177b75a
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
b3108fa
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
1f663d8
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
6ec7149
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
c445bb5
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
edafea8
Suppress non-actionable ZAP baseline warnings for Next.js SPA
nios-x Jan 11, 2026
db9b5a4
Merge branch 'main' into zap-fixes
nios-x Jan 12, 2026
bdb38ad
Merge branch 'main' into zap-fixes
nios-x Jan 12, 2026
9ef8ef4
Merge branch 'main' into zap-fixes
nios-x Jan 13, 2026
0f0ecbe
Merge branch 'OWASP:main' into zap-fixes
nios-x Jan 13, 2026
32 changes: 32 additions & 0 deletions .zapconfig
@@ -1,3 +1,9 @@
# ============================
# ZAP Baseline Scan Suppressions
# Purpose: Ignore non-actionable or framework/browser-controlled warnings.
# Only real vulnerabilities will fail CI.
# ============================

# Rule description: comment.
# rule_id<TAB>ACTION<TAB>(URL regex pattern)

Expand All @@ -6,3 +12,29 @@

# PII disclosure: false positive credicard number.
10062 IGNORE https://nest.owasp.(dev|org)/sitemap.xml

# Sub Resource Integrity Attribute Missing: Next.js internal chunks do not support SRI
90003 IGNORE https://nest.owasp.(dev|org)/_next/static/chunks/[a-f0-9]{16}.js

# Sec-Fetch-Dest Header Missing: browser-controlled, cannot enforce server-side
90005 IGNORE https://nest.owasp.(dev|org)/.*

# Base64 Disclosure: false positives due to Next.js hydration / CSS inlined assets
10094 IGNORE https://nest.owasp.(dev|org)/_next/static/chunks/[a-f0-9]{16}.js

# Non-Storable Content: informational only, not a vulnerability
10049 IGNORE https://nest.owasp.(dev|org)/.*

# Re-examine Cache-Control Directives: informational for SPA / framework-managed caching
10015 IGNORE https://nest.owasp.(dev|org)/.*

# Content-Type Header Missing: harmless on 308 redirects
10019 IGNORE https://nest.owasp.(dev|org)/_next/static/.*

# CSP: Failure to Define Directive with No Fallback
# Advisory-only; CSP is defined at framework/app level
10055 IGNORE https://nest.owasp.(dev|org)/.*

# Session Management Response Identified
# Informational detection; no insecure session behavior observed
10112 IGNORE https://nest.owasp.(dev|org)/csrf/
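Review bot: The site-wide `IGNORE` for rule 10055 (CSP: Failure to Define Directive with No Fallback) is the one suppression in this hunk that hides an actionable finding: as far as the alert name indicates, it fires when a directive that has no fallback is absent from the served policy, which is something to fix in the policy rather than a scanner artefact, and once ignored over `/.*` any later CSP regression will never surface. Consider `10055 WARN https://nest.owasp.(dev|org)/.*` so it stays in the report without failing CI, and likewise `10015 WARN https://nest.owasp.(dev|org)/.*`, since a `.*` ignore of the Cache-Control advice also covers any API responses served under the same host. The comment `# Advisory-only; CSP is defined at framework/app level` would be more useful with a pointer to where the policy is actually set. The remaining patterns are narrow, though the unescaped `.` in `nest.owasp.(dev|org)` and in `{16}.js` matches any character; `nest\.owasp\.` and `\.js` state the intent exactly.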
6 changes: 6 additions & 0 deletions backend/settings/base.py
Expand Up @@ -31,6 +31,12 @@ class Base(Configuration):
SESSION_COOKIE_SAMESITE = "Lax"
SESSION_COOKIE_SECURE = True

# --- CSRF cookie settings (SPA-safe, OWASP compliant) ---
CSRF_COOKIE_SECURE = True
CSRF_COOKIE_SAMESITE = "Strict"
# CSRF_COOKIE_HTTPONLY is intentionally NOT enabled
# Django CSRF cookies must be readable by JS for SPA frameworks

SITE_NAME = "localhost"
SITE_URL = "http://localhost:8000"

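Review bot: `CSRF_COOKIE_SAMESITE = "Strict"` on line 138 adds little over the `Lax` the session cookie keeps on line 133 and carries a compatibility cost: Django's check compares the token the SPA sends in the header against the CSRF cookie on the same request, so the cookie's SameSite value is not what stops a cross-site forgery (the session cookie's is), while with `Strict` the CSRF cookie is omitted from the first request after any cross-site navigation (an OAuth callback, an external link), so a POST issued on landing before a fresh cookie has been set fails as far as I can tell. That backend/settings/local.py in this PR immediately overrides it back to `"Lax"` suggests this has already been noticed; either align base with `SESSION_COOKIE_SAMESITE` or record in the comment why `Strict` is safe for the production flow, e.g. `# Strict is safe here because the SPA refreshes the CSRF cookie on load — confirm`. The header `# --- CSRF cookie settings (SPA-safe, OWASP compliant) ---` would read better naming the specific recommendation it follows. The `Base` class continues beyond the hunk.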
2 changes: 2 additions & 0 deletions backend/settings/local.py
Expand Up @@ -23,3 +23,5 @@ class Local(Base):
PUBLIC_IP_ADDRESS = values.Value()
SLACK_COMMANDS_ENABLED = True
SLACK_EVENTS_ENABLED = True

CSRF_COOKIE_SAMESITE = "Lax"
1 change: 1 addition & 0 deletions cspell/custom-dict.txt
Expand Up @@ -53,6 +53,7 @@ certbot
collectstatic
coraza
corsheaders
credentialless
csrfguard
csrfprotector
csrftoken
21 changes: 21 additions & 0 deletions frontend/next.config.ts
Expand Up @@ -5,6 +5,27 @@ const isLocal = process.env.NEXT_PUBLIC_ENVIRONMENT === 'local'

const nextConfig: NextConfig = {
devIndicators: false,
async headers() {
return [
{
source: '/:path*',
headers: [
{
key: 'Cross-Origin-Opener-Policy',
value: 'same-origin',
},
{
key: 'Cross-Origin-Embedder-Policy',
value: 'credentialless',
},
{
key: 'Cross-Origin-Resource-Policy',
value: 'same-origin',
},
],
},
]
},
images: {
// This is a list of remote patterns that Next.js will use to determine
// if an image is allowed to be loaded from a remote source.
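Review bot: The three isolation headers added at lines 171-191 carry no comment saying why they exist or what they change, and their effect is not local to this file: `Cross-Origin-Embedder-Policy: credentialless` makes the browser fetch every cross-origin subresource without cookies, and `Cross-Origin-Opener-Policy: same-origin` severs `window.opener` between this site and any cross-origin popup, so a popup-based sign-in or a third-party embed that relied on credentials would break at runtime rather than at build time. A short comment above `async headers()` along the lines of `// COOP/COEP/CORP enable cross-origin isolation; COEP credentialless means cross-origin <img>/<script> load without cookies — re-check OAuth popups and embeds when changing` would make the trade-off visible to the next maintainer. The `.zapconfig` in this same PR states the CSP is "defined at framework/app level", yet no Content-Security-Policy header is set here, so a pointer to where it actually lives (middleware, proxy) belongs in the same comment. The `nextConfig` object continues beyond the hunk.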