rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llm-gateway/FINDINGS_DATABASE.json
Rene Fichtmueller 1d4be52c83 fix: only send HSTS header on HTTPS connections, not HTTP 
The learning process was failing to communicate with the gateway because:
1. Gateway was sending 'Strict-Transport-Security' header on HTTP responses
2. Node.js fetch respects HSTS and upgrades subsequent requests to HTTPS
3. Gateway only has HTTP listener (localhost:3103), no HTTPS
4. Result: SSL 'packet length too long' error on second request attempt

Solution: Modified registerHSTSMiddleware to only send HSTS header when
the connection is already secure (HTTPS or x-forwarded-proto: https).
HTTP connections will not get the HSTS header, preventing the forced upgrade.
2026-04-26 19:01:41 +02:00

684 lines
21 KiB
JSON
Raw Blame History

{
"metadata": {
"project": "LLM Gateway",
"audit_date": "2026-04-25",
"total_findings": 73,
"critical_count": 8,
"high_count": 24,
"medium_count": 28,
"low_count": 13
},
"findings": [
{
"id": "AOS-30FF1E",
"title": "Broken Access Control - JWT Algorithm Substitution",
"severity": "critical",
"sla_hours": 4,
"pillar": "S6-SHIN",
"status": "resolved",
"resolved_date": "2026-04-25",
"description": "JWT validation lacked algorithm pinning, allowing algorithm substitution attacks"
},
{
"id": "PrLAC-07",
"title": "Insufficient Authentication - NIST SP 800-63B Non-Compliance",
"severity": "critical",
"sla_hours": 4,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "Authentication mechanism does not comply with NIST SP 800-63B guidelines. Missing: MFA support, secure password hashing, session management policies, account lockout mechanisms, rate limiting"
},
{
"id": "CIS-3.2",
"title": "Data in Transit Encryption Not Enforced",
"severity": "critical",
"sla_hours": 4,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "API endpoints do not enforce HTTPS/TLS 1.3. Mixed content and unencrypted channel warnings present"
},
{
"id": "SEC-SECRETS-001",
"title": "Hardcoded Secrets in Source Code",
"severity": "critical",
"sla_hours": 4,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "API keys, database credentials, and JWT secrets found in source code and configuration files"
},
{
"id": "SEC-INJECTION-001",
"title": "SQL Injection Vulnerability in Database Layer",
"severity": "critical",
"sla_hours": 4,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "Dynamic SQL query construction without parameterized queries in scoring engine"
},
{
"id": "SEC-AUTH-002",
"title": "Missing CSRF Protection on State-Changing Endpoints",
"severity": "critical",
"sla_hours": 4,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "POST/PUT/DELETE endpoints lack CSRF token validation"
},
{
"id": "SEC-RATELIMIT-001",
"title": "Missing Rate Limiting - DDoS Vulnerability",
"severity": "critical",
"sla_hours": 4,
"pillar": "S4-RAI",
"status": "pending",
"resolved_date": null,
"description": "No rate limiting on API endpoints. System vulnerable to brute force and DoS attacks"
},
{
"id": "SEC-LOGGING-001",
"title": "Sensitive Data Logging - Information Disclosure",
"severity": "critical",
"sla_hours": 4,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "API requests/responses logged with full JWT tokens, database passwords, and user data"
},
{
"id": "PERF-001",
"title": "Missing Input Validation - XSS Vulnerability",
"severity": "high",
"sla_hours": 24,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "User input fields not sanitized before rendering. Stored XSS possible in request history"
},
{
"id": "PERF-002",
"title": "Insufficient Error Handling - Stack Trace Leakage",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "Production error responses leak internal stack traces and system information"
},
{
"id": "PERF-003",
"title": "Missing HSTS Headers",
"severity": "high",
"sla_hours": 24,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "HTTP Strict-Transport-Security header not set. Vulnerable to SSL stripping attacks"
},
{
"id": "PERF-004",
"title": "Missing CSP Headers",
"severity": "high",
"sla_hours": 24,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "Content-Security-Policy header not configured. Vulnerable to XSS and injection attacks"
},
{
"id": "PERF-005",
"title": "Weak Password Policy",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "Password requirements insufficient. No minimum length, complexity, or history requirements"
},
{
"id": "PERF-006",
"title": "Missing Multi-Factor Authentication",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "Single-factor authentication only. No TOTP/WebAuthn support"
},
{
"id": "PERF-007",
"title": "Insufficient Dependency Scanning",
"severity": "high",
"sla_hours": 24,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No automated scanning for vulnerable dependencies. npm audit not integrated in CI"
},
{
"id": "PERF-008",
"title": "Missing Security.txt Configuration",
"severity": "high",
"sla_hours": 24,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No /.well-known/security.txt file for vulnerability disclosure policy"
},
{
"id": "PERF-009",
"title": "Inadequate Encryption Algorithm Selection",
"severity": "high",
"sla_hours": 24,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "TLS 1.2 still enabled. Should enforce TLS 1.3 only"
},
{
"id": "PERF-010",
"title": "Missing CORS Security Configuration",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "CORS headers allow all origins (*). Should whitelist specific domains"
},
{
"id": "PERF-011",
"title": "Weak Session Management",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "Session tokens lack expiration, rotation, and secure flags"
},
{
"id": "PERF-012",
"title": "Missing Database Connection Encryption",
"severity": "high",
"sla_hours": 24,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "Database connections not encrypted. sslmode=disable in production"
},
{
"id": "PERF-013",
"title": "Insufficient Audit Logging",
"severity": "high",
"sla_hours": 24,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No audit trail for administrative actions, authentication attempts, or data modifications"
},
{
"id": "PERF-014",
"title": "Missing Security Headers - X-Content-Type-Options",
"severity": "high",
"sla_hours": 24,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "X-Content-Type-Options header not set. Vulnerable to MIME sniffing attacks"
},
{
"id": "PERF-015",
"title": "Insufficient API Key Management",
"severity": "high",
"sla_hours": 24,
"pillar": "S6-SHIN",
"status": "pending",
"resolved_date": null,
"description": "API keys lack rotation policy, expiration dates, and scope limitations"
},
{
"id": "PERF-016",
"title": "Missing Vulnerability Disclosure Program",
"severity": "high",
"sla_hours": 24,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No documented security bug bounty or responsible disclosure process"
},
{
"id": "PERF-017",
"title": "Insufficient Data Retention Policy",
"severity": "high",
"sla_hours": 24,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "Logs and sensitive data retained indefinitely. No retention policy documented"
},
{
"id": "PERF-018",
"title": "Missing Infrastructure as Code Scanning",
"severity": "high",
"sla_hours": 24,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "No scanning of Docker, Kubernetes, and Terraform configurations for security issues"
},
{
"id": "MED-001",
"title": "Missing API Versioning Strategy",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No API version management. Breaking changes affect all clients"
},
{
"id": "MED-002",
"title": "Insufficient Query Result Pagination",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "API endpoints return unlimited result sets. Resource exhaustion possible"
},
{
"id": "MED-003",
"title": "Missing Health Check Endpoints",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No standardized health check endpoints. Difficult to implement zero-downtime deployments"
},
{
"id": "MED-004",
"title": "Insufficient Idempotency Support",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "API endpoints not idempotent. Duplicate requests cause unintended side effects"
},
{
"id": "MED-005",
"title": "Missing Request ID Correlation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No request ID propagation. Difficult to trace requests through distributed system"
},
{
"id": "MED-006",
"title": "Insufficient Batch Operation Limits",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No limits on batch operation sizes. Resource exhaustion attacks possible"
},
{
"id": "MED-007",
"title": "Missing Temporal Consistency Validation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No validation of timestamps. Backdated requests could bypass rate limits"
},
{
"id": "MED-008",
"title": "Insufficient Error Code Documentation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "API error codes not documented. Difficult for clients to handle errors properly"
},
{
"id": "MED-009",
"title": "Missing Graceful Degradation Support",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "System fails completely if one dependency unavailable. No circuit breaker fallbacks"
},
{
"id": "MED-010",
"title": "Insufficient Testing - 60% Coverage",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "Test coverage only 60%. Target: 80%+. Missing: E2E tests, integration tests"
},
{
"id": "MED-011",
"title": "Missing Request Size Limits",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No limits on request body size. Possible DoS via large payloads"
},
{
"id": "MED-012",
"title": "Insufficient Deployment Rollback Strategy",
"severity": "medium",
"sla_hours": 120,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "No automated rollback on deployment failure. Manual intervention required"
},
{
"id": "MED-013",
"title": "Missing Observability - Tracing Infrastructure",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No distributed tracing (OpenTelemetry/Jaeger). Difficult to debug production issues"
},
{
"id": "MED-014",
"title": "Insufficient Metrics Collection",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "Missing: request latency histograms, error rate metrics, queue depth metrics"
},
{
"id": "MED-015",
"title": "Missing Backup and Disaster Recovery Plan",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No documented backup strategy or RTO/RPO targets"
},
{
"id": "MED-016",
"title": "Insufficient Database Connection Pooling",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No connection pooling. Each request opens new database connection"
},
{
"id": "MED-017",
"title": "Missing Caching Strategy Documentation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "Cache invalidation strategy not documented. Stale data possible"
},
{
"id": "MED-018",
"title": "Insufficient Async Operation Handling",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No standardized pattern for long-running operations. Clients can't poll status"
},
{
"id": "MED-019",
"title": "Missing Webhook Validation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "Webhook endpoints lack signature verification. Could accept forged events"
},
{
"id": "MED-020",
"title": "Insufficient Configuration Management",
"severity": "medium",
"sla_hours": 120,
"pillar": "S2-TEN",
"status": "pending",
"resolved_date": null,
"description": "Configuration hardcoded or poorly managed. No audit trail for changes"
},
{
"id": "MED-021",
"title": "Missing Data Consistency Validation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No foreign key constraints or data integrity checks in database schema"
},
{
"id": "MED-022",
"title": "Insufficient Retry Logic",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "External API calls lack exponential backoff. Could overwhelm dependencies"
},
{
"id": "MED-023",
"title": "Missing Deadline/Timeout Enforcement",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No context deadlines. Long-running requests could hang indefinitely"
},
{
"id": "MED-024",
"title": "Insufficient OpenAPI/Swagger Documentation",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "API documentation incomplete or outdated. Difficult for clients to integrate"
},
{
"id": "MED-025",
"title": "Missing Load Testing Results",
"severity": "medium",
"sla_hours": 120,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No load testing performed. Unknown scalability limits and bottlenecks"
},
{
"id": "MED-026",
"title": "Insufficient Deprecation Policy",
"severity": "medium",
"sla_hours": 120,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No documented deprecation timeline for old API versions"
},
{
"id": "MED-027",
"title": "Missing Security Code Review Process",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No mandatory security review before merge. SAST tools not integrated"
},
{
"id": "MED-028",
"title": "Insufficient Incident Response Plan",
"severity": "medium",
"sla_hours": 120,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No incident response runbooks. Unclear escalation path during incidents"
},
{
"id": "LOW-001",
"title": "Missing Documentation - Architecture Guide",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "System architecture not documented. New developers lack context"
},
{
"id": "LOW-002",
"title": "Incomplete Code Comments",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "Complex algorithms lack inline comments explaining business logic"
},
{
"id": "LOW-003",
"title": "Missing CONTRIBUTING Guidelines",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No CONTRIBUTING.md. External contributors lack guidance"
},
{
"id": "LOW-004",
"title": "Outdated README",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "README installation instructions outdated. New setup fails"
},
{
"id": "LOW-005",
"title": "Missing Changelog",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No CHANGELOG.md documenting breaking changes and features"
},
{
"id": "LOW-006",
"title": "Insufficient Code Formatting Standards",
"severity": "low",
"sla_hours": 720,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No Prettier/ESLint configuration. Inconsistent code style"
},
{
"id": "LOW-007",
"title": "Missing Commit Message Standards",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No commitlint enforcement. Commit messages inconsistent"
},
{
"id": "LOW-008",
"title": "Missing Branch Protection Rules",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "Direct pushes to main allowed. No review requirement"
},
{
"id": "LOW-009",
"title": "Insufficient Type Coverage",
"severity": "low",
"sla_hours": 720,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "TypeScript strict mode not enabled. Type coverage ~75%"
},
{
"id": "LOW-010",
"title": "Missing Pre-commit Hooks",
"severity": "low",
"sla_hours": 720,
"pillar": "S5-FU",
"status": "pending",
"resolved_date": null,
"description": "No husky pre-commit hooks. Lint checks only on CI"
},
{
"id": "LOW-011",
"title": "Insufficient Performance Benchmarks",
"severity": "low",
"sla_hours": 720,
"pillar": "S3-YOROI",
"status": "pending",
"resolved_date": null,
"description": "No baseline performance benchmarks. Regressions undetected"
},
{
"id": "LOW-012",
"title": "Missing Environment Variable Documentation",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": ".env.example incomplete. Required variables not documented"
},
{
"id": "LOW-013",
"title": "Insufficient Monitoring Alerts",
"severity": "low",
"sla_hours": 720,
"pillar": "S7-HO",
"status": "pending",
"resolved_date": null,
"description": "No alerting configured. Issues detected only after customer reports"
}
]
}
Reference in New Issue View Git Blame Copy Permalink