
feat: security hardening, a11y fixes, and Playwright e2e tests #18

Merged: tbjers merged 1 commit into main from feat/security-fixes on Jun 26, 2026

Conversation


@tbjers tbjers commented Jun 26, 2026


Summary

  • Security hardening (Worker backend): add secureHeaders() middleware; fix information disclosure in admin/GitHub error paths; pin Access JWT algorithm to RS256; guard webhook handler errors and validate account.type; reject branch params longer than 255 chars
  • WCAG AA fixes (dashboard): darken --color-muted to pass 4.5:1 on white; switch active tab button to near-black text on blue background; add --color-link variables and apply them to breadcrumb anchors; add dashboard/static/_headers with CSP, X-Frame-Options: DENY, nosniff, and Referrer-Policy
  • Tests: three new Worker integration tests (secure-headers, RS256 algorithm pin, branch validation); Playwright + @axe-core/playwright infrastructure in dashboard/; four WCAG 2.0 AA axe scans (projects listing + detail page × light + dark mode); CI workflow to run Playwright on every dashboard change

Test plan

  • npm test — all 16 Worker integration tests pass (including 3 new ones)
  • npm run test:e2e (in dashboard/) — all 4 Playwright/axe tests pass in both light and dark mode
  • /security-review — no vulnerabilities found; all changes confirmed as improvements
  • Verify dashboard/static/_headers is present in dashboard/build/ after npm run build in dashboard
  • Smoke-check /api/health response headers after deploy (X-Content-Type-Options: nosniff should appear)

🤖 Generated with Claude Code

Worker backend:
- Add hono/secure-headers middleware to all API responses
- Fix information disclosure in admin resync and github token error paths
- Pin Cloudflare Access JWT algorithm to RS256 before JWKS lookup
- Wrap webhook handler dispatch in try-catch; add account.type runtime guard
- Validate branch param length (>255 → 400) in metrics and baseline routes

Dashboard frontend:
- Add static/_headers with CSP, X-Frame-Options: DENY, nosniff, Referrer-Policy
- Fix WCAG AA color contrast: --color-muted darkened to #475569 (6.8:1 on white)
- Fix WCAG AA color contrast: active metric tab text changed to near-black #0f172a
- Add --color-link variables for accessible text link colors in both themes
- Use --color-link on breadcrumb anchor (was --color-accent, failed AA)

Tests:
- Add three Worker integration tests: secure-headers, RS256 algorithm pin, branch validation
- Add Playwright + @axe-core/playwright infrastructure in dashboard/
- Add 4 WCAG 2.0 AA axe tests: projects listing and detail page × light and dark mode
- Add .github/workflows/ci.yml to run Playwright tests on dashboard changes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
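The three Worker-side checks listed in the summary and commit message (hardening response headers, pinning the Access JWT algorithm to RS256 before the JWKS lookup, and rejecting branch parameters longer than 255 characters with a 400), shown as an added illustration in dependency-free Node.js. This is not code from the pull request or the project, which uses Hono's secureHeaders() middleware; the CSP and Referrer-Policy values, the generic "unauthorized" message, the requirement for a kid header, and the handleMetricsRequest shape are assumptions made for the example.

```javascript
// Added example (not the project's code): the Worker-side checks the PR describes,
// written as dependency-free functions so they run under Node alone.

const MAX_BRANCH_LENGTH = 255; // limit named in the PR: longer values get a 400

// Response hardening headers. X-Frame-Options: DENY, nosniff and the presence of
// CSP and Referrer-Policy come from the PR; the policy values here are assumed.
const SECURE_HEADERS = Object.freeze({
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
});

// Merge the hardening headers onto a response's headers; hardening values win.
function withSecureHeaders(headers = {}) {
  return { ...headers, ...SECURE_HEADERS };
}

// Branch parameter validation. Returns null when acceptable, otherwise
// { status, error } for the caller to turn into a response.
function validateBranch(branch) {
  if (branch === undefined || branch === null) return null; // optional parameter
  if (typeof branch !== 'string') return { status: 400, error: 'branch must be a string' };
  if (branch.length > MAX_BRANCH_LENGTH) {
    return { status: 400, error: `branch must be at most ${MAX_BRANCH_LENGTH} characters` };
  }
  return null;
}

// Decode the protected header of a compact JWS without verifying anything.
// Only used to inspect "alg" and "kid" before any key is looked up.
function decodeJwtHeader(token) {
  if (typeof token !== 'string') throw new Error('token missing');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

// Algorithm pin: accept RS256 only, decided before the JWKS lookup so that a token
// naming any other algorithm never reaches key selection or signature checking.
// Requiring a "kid" is an assumption (it is what a JWKS lookup keys on).
function pinAlgorithmRS256(token) {
  const header = decodeJwtHeader(token);
  if (header.alg !== 'RS256') {
    return { ok: false, reason: `alg ${JSON.stringify(header.alg)} is not RS256` };
  }
  if (typeof header.kid !== 'string' || header.kid === '') {
    return { ok: false, reason: 'kid missing' };
  }
  return { ok: true, kid: header.kid };
}

// Builds an unsigned token for the demonstration only (constructed input; the
// signature segment is left empty because nothing here verifies signatures).
function constructedToken(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.`;
}

// A minimal metrics-route handler applying the checks in order: algorithm pin,
// then parameter validation, then secure headers on every outgoing response.
// Auth failures return one generic message so internal detail is not disclosed.
function handleMetricsRequest({ token, branch }) {
  const respond = (status, body) => ({
    status,
    headers: withSecureHeaders({ 'Content-Type': 'application/json' }),
    body,
  });
  let pin;
  try {
    pin = pinAlgorithmRS256(token);
  } catch (err) {
    pin = { ok: false, reason: err.message };
  }
  if (!pin.ok) {
    console.error('access token rejected:', pin.reason); // detail goes to logs only
    return respond(401, { error: 'unauthorized' });
  }
  const problem = validateBranch(branch);
  if (problem) return respond(problem.status, { error: problem.error });
  return respond(200, { branch: branch ?? 'main', kid: pin.kid });
}

// Stand-alone run with constructed inputs (CommonJS entry point only).
if (typeof require !== 'undefined' && require.main === module) {
  const good = constructedToken({ alg: 'RS256', kid: 'k1', typ: 'JWT' }, { sub: 'user' });
  const wrongAlg = constructedToken({ alg: 'HS256', kid: 'k1', typ: 'JWT' }, { sub: 'user' });
  console.log(handleMetricsRequest({ token: good, branch: 'main' }));
  console.log(handleMetricsRequest({ token: wrongAlg, branch: 'main' }).status);
  console.log(handleMetricsRequest({ token: good, branch: 'x'.repeat(256) }).status);
}
```

The ordering matters for the disclosure fix as well as the algorithm pin: the reason a token was rejected is logged server-side, while the client sees the same 401 body whether the header was malformed, named the wrong algorithm, or lacked a kid, so an error path cannot be used to map the Worker's internals.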
@tbjers tbjers merged commit 57b7c86 into main Jun 26, 2026
5 checks passed
@tbjers tbjers deleted the feat/security-fixes branch June 26, 2026 02:12