Skip to content

Security: close remaining Electron security gaps #192

Description

@pcolt

Follows up on #32 (security bullet). The three core isolation settings are already correct (nodeIntegration: false, contextIsolation: true, webSecurity: true), but a few gaps remain.

Gaps

DevTools always open in production

openDevTools() is called unconditionally in electron/main.ts. It should be gated so it only runs in development:

if (!app.isPackaged) mainWindow.webContents.openDevTools()

No Content Security Policy

No CSP header is set via session.defaultSession.webRequest.onHeadersReceived. The Electron security guide lists this as a required step to limit what resources the renderer can load.

JWT token stored in plaintext

access_token is persisted by electron-store as plain JSON. Electron's safeStorage API can encrypt the value at rest using the OS keychain before writing to the store.

No navigation lockdown

There is no will-navigate handler on mainWindow.webContents to block the renderer from being redirected to an arbitrary URL. The guide recommends allowing navigation only to known-safe origins.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions