hai/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-19 19:02:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: add security rationale for token in /health on localhost

Browse Source 
Explains why this is an accepted risk (no escalation over file-based
token access), CORS protection, and tunnel guard. Prevents future
CSO scans from stripping it without providing an alternative auth path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-05 18:05:05 -07:00
parent 160d83ec1d
commit 35bc7e34b1
1 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
browse/src/server.ts
View File

@@ -1290,7 +1290,13 @@ async function start() {
}; };
// Sensitive fields only served on localhost (not through tunnel). // Sensitive fields only served on localhost (not through tunnel).
// currentUrl reveals internal URLs, currentMessage reveals user intent. // currentUrl reveals internal URLs, currentMessage reveals user intent.
// token needed by extension to authenticate subsequent requests. //
// SECURITY NOTE (accepted risk): token is served on localhost /health so the
// Chrome extension can authenticate. This is NOT an escalation over baseline:
// any local process can already read the same token from ~/.gstack/.auth.json
// and .gstack/browse.json. Browser CORS blocks cross-origin reads (no
// Access-Control-Allow-Origin header). When tunneled, token is stripped.
// Do not remove this without providing an alternative extension auth path.
if (!tunnelActive) { if (!tunnelActive) {
healthResponse.token = AUTH_TOKEN; healthResponse.token = AUTH_TOKEN;
healthResponse.currentUrl = browserManager.getCurrentUrl(); healthResponse.currentUrl = browserManager.getCurrentUrl();