Add OnTrack security findings documentation#180

Open
sabdosh wants to merge 1 commit into
thoth-tech:mainfrom
sabdosh:feature/security-findings

Conversation

@sabdosh sabdosh commented May 15, 2026

Overview

Adding the Tri 1 2026 Security Findings report for the OnTrack API security assessment.

This document summarises vulnerability remediation and retesting outcomes from the AppAttack 2-Weekly Vulnerability Assessment conducted during Weeks 5–7 (Trimester 3 2025), covering six identified vulnerabilities, their severity levels, remediation actions, and verification results.

Key Updates

Remediated Vulnerabilities

  • Misconfigured CORS policies
  • HTTP request smuggling vulnerabilities
  • Missing HTTP security headers
  • URI credential leakage (CVE-2025-61594)

Retesting

  • Results confirm fixes and validate secure behaviour in production-like environments

Outstanding Issue

  • Unauthenticated access to /api/settings — tracked for future sprint remediation

Security Hardening

  • API responses, headers, and dependency management hardened across the board
  • Clear documentation of testing methodology and verification steps for audit traceability

Impact

Strengthens the overall security posture of the OnTrack API by:

  • Improving request validation
  • Reducing information disclosure risks
  • Enforcing secure HTTP headers
  • Patching vulnerable dependencies
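Two of the remediated findings above, missing HTTP security headers and misconfigured CORS, are the kind that a retest can check mechanically from captured responses. The script below is an added example for this discussion, not code from the OnTrack project or from the findings report: the expected header set, the allowed front-end origin, and the "before fix" / "after fix" responses are all this example's own assumptions and constructed data. It reports which recommended headers are missing or weak, and flags the usual CORS mistakes (a wildcard grant paired with credentials, a request Origin reflected back without an allow-list check, a per-origin grant sent without `Vary: Origin`).

```python
"""Retest helpers for two remediated findings: missing HTTP security headers
and misconfigured CORS.

Added example for this PR discussion; not code from the OnTrack project or the
security findings report. REQUIRED_HEADERS, ALLOWED_ORIGINS and the sample
responses are assumptions / constructed data for illustration.
"""

# Headers a hardened JSON API is expected to send, each with a predicate that
# decides whether the observed value is acceptable (this example's assumptions).
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "content-security-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: bool(v.strip()),
}


def _lower_keys(headers):
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def audit_security_headers(headers):
    """Return findings for missing or weak security headers (empty list = pass)."""
    observed = _lower_keys(headers)
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        if name not in observed:
            findings.append(f"missing: {name}")
        elif not acceptable(observed[name]):
            findings.append(f"weak: {name}={observed[name]!r}")
    return findings


def audit_cors(request_origin, headers, allowed_origins):
    """Return CORS findings for a response to a request sent from request_origin."""
    observed = _lower_keys(headers)
    acao = observed.get("access-control-allow-origin")
    if acao is None:
        return []  # no cross-origin grant at all: nothing to check
    acao = acao.strip()
    credentials = observed.get("access-control-allow-credentials", "").strip().lower() == "true"
    findings = []
    # Wildcard plus credentials: browsers reject it, but it signals a broken policy.
    if acao == "*" and credentials:
        findings.append("wildcard Allow-Origin combined with Allow-Credentials: true")
    # The server echoed an origin that is not on the allow-list: origin reflection.
    if acao == request_origin and request_origin not in allowed_origins:
        findings.append(f"request Origin reflected without allow-list check: {request_origin}")
    # A per-origin grant must vary on Origin or a shared cache may replay it elsewhere.
    if acao != "*" and "origin" not in observed.get("vary", "").lower():
        findings.append("per-origin Allow-Origin without Vary: Origin (shared caches may serve it to other origins)")
    return findings


# Constructed sample responses standing in for a pre-fix and a post-fix capture.
BEFORE_FIX = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}
AFTER_FIX = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "no-referrer",
    "Access-Control-Allow-Origin": "https://app.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
ALLOWED_ORIGINS = {"https://app.example"}  # assumed front-end origin


def retest(origin, headers, allowed_origins=ALLOWED_ORIGINS):
    """Run both audits on one captured response; empty result means the retest passed."""
    return audit_security_headers(headers) + audit_cors(origin, headers, allowed_origins)


if __name__ == "__main__":
    for label, origin, headers in (
        ("before fix", "https://untrusted.example", BEFORE_FIX),
        ("after fix", "https://app.example", AFTER_FIX),
    ):
        findings = retest(origin, headers)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Point the audits at real captures (for example the header dict from a `requests` response) and run them once per sensitive endpoint with both an allowed and a non-allowed Origin; the "after fix" case should return an empty list for every endpoint before the finding is marked verified.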

netlify Bot commented May 15, 2026

Deploy Preview for thoth-tech ready!

Latest commit: 4eb1e17
Latest deploy log: https://app.netlify.com/projects/thoth-tech/deploys/6a070c12d4af46000893d3bb
Deploy Preview: https://deploy-preview-180--thoth-tech.netlify.app

@YG-GOV YG-GOV left a comment

Looks great, nice PR. Looks good to merge.

@Labiba33

Great work on documenting the remediation process and verification results clearly. One suggestion that could improve the report further would be to include a short “Next Steps / Recommendations” section for the outstanding /api/settings issue, outlining possible mitigation approaches or a tentative remediation plan for future sprints. This would make the documentation even stronger from an audit and long-term maintenance perspective.

3 participants