From 8bac47b1591cacd407f910e0a11ece9650dbaa2b Mon Sep 17 00:00:00 2001
From: Prince Shakya
Date: Mon, 18 May 2026 23:04:59 +0530
Subject: [PATCH 1/2] fix(security): remove CSRF leak and add CSP headers Removed the CSRF token from the JSON response of /api/session/status to prevent XSS leakage. Replaced the deprecated X-XSS-Protection header with a modern Content-Security-Policy and Referrer-Policy header. Fixes GenAI-Security-Project/finbot-ctf#503
---
 finbot/core/auth/middleware.py | 10 +++++++++-
 finbot/main.py | 1 -
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/finbot/core/auth/middleware.py b/finbot/core/auth/middleware.py
index 5529035f..6761a4f3 100644
--- a/finbot/core/auth/middleware.py
+++ b/finbot/core/auth/middleware.py
@@ -149,7 +149,15 @@ def _add_security_headers(self, response: Response):
 """Add security headers"""
 response.headers["X-Content-Type-Options"] = "nosniff"
 response.headers["X-Frame-Options"] = "DENY"
- response.headers["X-XSS-Protection"] = "1; mode=block"
+ response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
+ response.headers["Content-Security-Policy"] = (
+ "default-src 'self'; "
+ "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
+ "font-src 'self' https://fonts.gstatic.com; "
+ "img-src 'self' data:; "
+ "connect-src 'self';"
+ )
 # Dependencies for FastAPI routes
diff --git a/finbot/main.py b/finbot/main.py
index 8cd4f1a2..9be717a2 100644
--- a/finbot/main.py
+++ b/finbot/main.py
@@ -230,7 +230,6 @@ async def session_status(
 "is_temporary": session_context.is_temporary,
 "namespace": session_context.namespace,
 "security_status": session_context.get_security_status(),
- "csrf_token": session_context.csrf_token,
 }
From 095c94bf92e48ffd588fa76a228d1bfece1c167c Mon Sep 17 00:00:00 2001
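Review bot: `'unsafe-inline'` in the `script-src` line of the new Content-Security-Policy lets any injected inline script run, so the header gives little of the XSS protection the commit message is after; the same token remains in the second patch's version of this line. If the templates carry inline scripts (not visible here), per-response nonces or hashes would let the policy drop `'unsafe-inline'` for scripts. The policy also omits directives that do not fall back to `default-src`; appending `"base-uri 'self'; form-action 'self'; frame-ancestors 'none';"` after `connect-src` would cover them. A short comment above the policy string saying why each external host is allowed would help later edits keep the list minimal. `_add_security_headers` begins outside the hunk, so only the header assignments are reviewed here.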
From: Prince Shakya
Date: Mon, 18 May 2026 23:47:53 +0530
Subject: [PATCH 2/2] fix(security): expand CSP to allow required CDNs Added tailwindcss, jsdelivr, gravatar, and websocket protocols to the Content-Security-Policy to ensure the frontend loads correctly without breaking styles or live updates.
---
 finbot/core/auth/middleware.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/finbot/core/auth/middleware.py b/finbot/core/auth/middleware.py
index 6761a4f3..662c0dc8 100644
--- a/finbot/core/auth/middleware.py
+++ b/finbot/core/auth/middleware.py
@@ -152,11 +152,11 @@ def _add_security_headers(self, response: Response):
 response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
 response.headers["Content-Security-Policy"] = (
 "default-src 'self'; "
- "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; "
+ "script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "
 "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
 "font-src 'self' https://fonts.gstatic.com; "
- "img-src 'self' data:; "
- "connect-src 'self';"
+ "img-src 'self' data: https://gravatar.com https://secure.gravatar.com; "
+ "connect-src 'self' ws: wss:;"
 )
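Review bot: `connect-src 'self' ws: wss:` permits WebSocket connections to any host, because `ws:` and `wss:` are scheme-only sources, which removes the same-origin limit on where page scripts can send data. If live updates only talk to the application's own origin, `'self'` alone may be enough in current browsers, or the explicit origin can be listed, e.g. `wss://<app-host>` (placeholder). In `script-src`, `https://cdn.jsdelivr.net` and `https://cdnjs.cloudflare.com` allow every file those public CDNs serve, not only the libraries the frontend uses; narrowing the entries to the full paths of the pinned files, or self-hosting them, keeps the allowlist meaningful. The hunk shows only the policy string; the rest of `_add_security_headers` is outside it.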