feat: security hardening, a11y fixes, and Playwright e2e tests#18
Merged
Worker backend:
- Add hono/secure-headers middleware to all API responses
- Fix information disclosure in admin resync and GitHub token error paths
- Pin Cloudflare Access JWT algorithm to RS256 before JWKS lookup
- Wrap webhook handler dispatch in try-catch; add account.type runtime guard
- Validate branch param length (>255 → 400) in metrics and baseline routes

Dashboard frontend:
- Add static/_headers with CSP, X-Frame-Options: DENY, nosniff, Referrer-Policy
- Fix WCAG AA color contrast: --color-muted darkened to #475569 (6.8:1 on white)
- Fix WCAG AA color contrast: active metric tab text changed to near-black #0f172a
- Add --color-link variables for accessible text link colors in both themes
- Use --color-link on breadcrumb anchor (was --color-accent, failed AA)

Tests:
- Add three Worker integration tests: secure-headers, RS256 algorithm pin, branch validation
- Add Playwright + @axe-core/playwright infrastructure in dashboard/
- Add 4 WCAG 2.0 AA axe tests: projects listing and detail page × light and dark mode
- Add .github/workflows/ci.yml to run Playwright tests on dashboard changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- secureHeaders() middleware; fix information disclosure in admin/GitHub error paths; pin Access JWT algorithm to RS256; guard webhook handler errors and validate account.type; reject branch params longer than 255 chars
- --color-muted to pass 4.5:1 on white; switch active tab button to near-black text on blue background; add --color-link variables and apply them to breadcrumb anchors; add dashboard/static/_headers with CSP, X-Frame-Options: DENY, nosniff, and Referrer-Policy
- @axe-core/playwright infrastructure in dashboard/; four WCAG 2.0 AA axe scans (projects listing + detail page × light + dark mode); CI workflow to run Playwright on every dashboard change

Test plan

- npm test — all 16 Worker integration tests pass (including 3 new ones)
- npm run test:e2e (in dashboard/) — all 4 Playwright/axe tests pass in both light and dark mode
- /security-review — no vulnerabilities found; all changes confirmed as improvements
- dashboard/static/_headers is present in dashboard/build/ after npm run build in dashboard/
- /api/health response headers after deploy (X-Content-Type-Options: nosniff should appear)

🤖 Generated with Claude Code
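Two of the Worker-side controls listed above, the RS256 algorithm pin and the branch-length guard, as an added example that is not the project's code: the header gate rejects any token whose `alg` is not RS256 before a JWKS lookup would ever run, and the branch check maps anything over 255 characters to a 400. It is written without Hono so it runs stand-alone; the function names, the requirement that `kid` be present, and the sample tokens are assumptions constructed for this example.

```typescript
// Added example (not code from this PR): gate a Cloudflare Access JWT on its header
// before any JWKS fetch, and validate the branch query param length.

const ACCESS_JWT_ALG = "RS256";   // the only algorithm the verifier will ever accept
const MAX_BRANCH_LENGTH = 255;    // PR: branch params longer than this -> 400

type HeaderCheck = { ok: true; kid: string } | { ok: false; reason: string };

// Decode one base64url JWT segment to text. No signature check happens here;
// signature verification comes after the header has passed the gate.
function decodeSegment(seg: string): string {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Run BEFORE the JWKS lookup: the token's own "alg" must never pick the algorithm,
// and a "kid" from a token that fails the pin never reaches the key lookup.
function checkAccessJwtHeader(token: string): HeaderCheck {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  let header: unknown;
  try {
    header = JSON.parse(decodeSegment(parts[0] ?? ""));
  } catch {
    return { ok: false, reason: "unparseable header" };
  }
  if (typeof header !== "object" || header === null) return { ok: false, reason: "bad header" };
  const { alg, kid } = header as { alg?: unknown; kid?: unknown };
  if (alg !== ACCESS_JWT_ALG) return { ok: false, reason: `alg must be ${ACCESS_JWT_ALG}` };
  if (typeof kid !== "string" || kid.length === 0) return { ok: false, reason: "missing kid" };
  return { ok: true, kid };
}

// Branch param guard for the metrics/baseline routes: absent is fine, too long is 400.
function branchStatus(branch: string | undefined): number {
  if (branch === undefined) return 200;
  return branch.length > MAX_BRANCH_LENGTH ? 400 : 200;
}

// Constructed sample tokens (not real Access tokens): header.payload.dummy-signature.
function fakeToken(header: object): string {
  const enc = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc({ sub: "user@example.com" })}.sig`;
}
const SAMPLE_NONE = fakeToken({ alg: "none" });             // rejected: alg pin
const SAMPLE_HS256 = fakeToken({ alg: "HS256", kid: "k1" }); // rejected: alg pin
const SAMPLE_RS256 = fakeToken({ alg: "RS256", kid: "k1" }); // passes the gate
```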