Security enhancements #718

Open
vincenzocaruso wants to merge 10 commits into Azure:main from rafarhat:security-enhancements

vincenzocaruso commented Feb 3, 2026


This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Thank you for contributing to the Azure IoT Explorer!

This checklist is used to make sure that common guidelines for a pull request are followed.

General Guidelines

  • If introducing new functionality or modified behavior, are they backed by unit tests?
  • Have all unit tests passed locally? (by running npm run test command)
  • Have you updated the README.md with new screenshots if significant changes have been made?
  • Have you updated the package version if the current version in package.json is not higher than the version released?

rafarhat and others added 10 commits January 23, 2026 02:12
- Add explicit sandbox: true to BrowserWindow webPreferences
- Replace executeJavaScript with IPC for custom port configuration
- Add Helmet.js security headers middleware to Express server
- Add Window type declarations for Electron IPC interfaces
- Create appInitialization utility for secure IPC-based config
- Fix webpack cssnano build configuration
- Add node-forge for self-signed TLS certificate generation
- Create tlsHelper.ts for runtime certificate generation
- Create serverSecure.ts with HTTPS server, token auth, and rate limiting
- Add IPC handlers for auth token, certificate, and fingerprint
- Create secureFetch utility for authenticated API calls
- Update API constants to use HTTPS/WSS in Electron mode
- Update service files to use secureFetch
- Update tests to work with new security layer

Security features:
- Self-signed TLS certificates generated at runtime
- 32-byte random auth token per session
- Token validation middleware on all /api/* routes
- Rate limiting: 100 requests/minute per client
- WebSocket authentication via query parameter

- Add encrypted credential storage using Electron's safeStorage API
- Create credentialsHandler.ts with store/get/delete/list functions
- Add IPC handlers for credential operations in electron.ts
- Create credentialStorage.ts utility for connection string encryption
- Update connection string sagas to use encrypted storage
- Implement automatic migration from localStorage to encrypted storage
- Add browser-mode fallback to localStorage when Electron unavailable
- Update tests for new async credential storage patterns

Build: PASSED
Tests: 710/710 passing

- Add CSP headers via Electron session.webRequest.onHeadersReceived
- Configure strict CSP directives:
  * default-src 'self'
  * script-src allows self and unsafe-inline/eval for dev/Fluent UI
  * connect-src whitelists Azure domains and localhost TLS server
  * frame-ancestors 'none' prevents clickjacking
  * form-action 'self' restricts form submissions
- Import session from electron module

Build: PASSED
Tests: 710/710 passing

- Add securityEnabled parameter to ServerBase (default: true)
- serverLocal.ts: Disable security for local dev (HTTP, no auth, CORS enabled)
- serverElectron.ts: Enable security for production (HTTPS, TLS, auth tokens)
- Fix apiConstants.ts to correctly detect Electron mode for HTTPS
- Change appConfig.dev.json hostMode from 'debug' to 'browser'
- Add defensive null check for certificate fingerprint in electron.ts

Local dev now runs on http://127.0.0.1:8082 without TLS/auth overhead.
Electron production runs on https://127.0.0.1:8081 with full security.

- Add request-filtering-agent library for IP-level SSRF protection
- Create urlValidator.ts with strict hostname validation (*.azure-devices.net only)
- Add header sanitization with allowlist (blocks Host, Authorization, X-Forwarded-*)
- Add path and query string validation
- Block HTTP redirects with redirect: 'error'
- Use dynamic import for ESM compatibility with Electron

SSRF protections:
- Blocks private IPs (10.x, 172.16-31.x, 192.168.x)
- Blocks loopback (127.x.x.x, ::1, localhost)
- Blocks link-local (169.254.x.x, fe80::)
- Blocks cloud IMDS (169.254.169.254)
- Blocks DNS rebinding attacks
- Validates hostname is exactly *.azure-devices.net
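
The SSRF checks listed in the last commit message, sketched as an added example that is not code from this pull request. The function names, the contents of the header allowlist and the single-label hub hostname rule are assumptions.

```javascript
// Added example; every name here is hypothetical, not taken from urlValidator.ts.
const HUB_HOST = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.azure-devices\.net$/;
const HEADER_ALLOWLIST = new Set(['accept', 'content-type', 'if-match']); // assumed

// Layer 1: check the parsed URL, never a substring of the raw string.
function validateTargetUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.username || url.password) return { ok: false, reason: 'userinfo' };
  if (url.port !== '') return { ok: false, reason: 'port' };
  if (!HUB_HOST.test(url.hostname)) return { ok: false, reason: 'host' };
  return { ok: true, url };
}

// Layer 2: check the address the name resolved to, at connect time. A hostname
// allowlist alone does not cover a DNS answer that points at an internal address.
function isBlockedAddress(ip) {
  const addr = ip.toLowerCase();
  if (addr.includes(':')) {
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);
    if (mapped) return isBlockedAddress(mapped[1]);
    return addr === '::1' || /^fe[89ab][0-9a-f]:/.test(addr); // loopback, fe80::/10
  }
  const parts = addr.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return true; // fail closed on anything that is not a dotted quad
  const [a, b] = parts.map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254); // 169.254/16 includes IMDS
}

// Layer 3: forward only allowlisted headers; Host, Authorization and
// X-Forwarded-* are dropped because they are not on the list.
function sanitizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (HEADER_ALLOWLIST.has(key) && !/[\r\n]/.test(String(value))) out[key] = String(value);
  }
  return out;
}

// Combine layers 1 and 3 into fetch() arguments; redirects fail instead of being followed.
function buildOutboundRequest(raw, headers) {
  const checked = validateTargetUrl(raw);
  if (!checked.ok) throw new Error(`blocked: ${checked.reason}`);
  return { url: checked.url.href, init: { headers: sanitizeHeaders(headers), redirect: 'error' } };
}
```

Layer 2 belongs in the connection path (the role the commit assigns to request-filtering-agent), because the URL check runs before DNS resolution and cannot see the resolved address.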