Skip to content

fix(security): require origin checks and session tokens for render APIs #24

Closed
Closed
fix(security): require origin checks and session tokens for render APIs#24
@ubugeeei

Description

@ubugeeei
ubugeeei
opened on May 18, 2026

Finding

Render mutation APIs such as reset, cancel, progress, audio plan, cache, and websocket state are unauthenticated on a fixed localhost port. Wildcard CORS increases CSRF/state-pollution risk.

Evidence

  • backend/src/main.rs exposes render state mutation endpoints.
  • The server binds 127.0.0.1:3000 with shared CORS handling.

Acceptance criteria

  • Add a per-app-session token or equivalent capability check.
  • Enforce trusted origins.
  • Keep dev ergonomics documented.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions