Follows up on #32 (security bullet). The three core isolation settings are already correct (nodeIntegration: false, contextIsolation: true, webSecurity: true), but a few gaps remain.
Gaps
DevTools always open in production
openDevTools() is called unconditionally in electron/main.ts. It should be gated so it only runs in development:
if (!app.isPackaged) mainWindow.webContents.openDevTools()
No Content Security Policy
No CSP header is set via session.defaultSession.webRequest.onHeadersReceived. The Electron security guide lists this as a required step to limit what resources the renderer can load.
JWT token stored in plaintext
access_token is persisted by electron-store as plain JSON. Electron's safeStorage API can encrypt the value at rest using the OS keychain before writing to the store.
No navigation lockdown
There is no will-navigate handler on mainWindow.webContents to block the renderer from being redirected to an arbitrary URL. The guide recommends allowing navigation only to known-safe origins.
References
Follows up on #32 (security bullet). The three core isolation settings are already correct (
nodeIntegration: false,contextIsolation: true,webSecurity: true), but a few gaps remain.Gaps
DevTools always open in production
openDevTools()is called unconditionally inelectron/main.ts. It should be gated so it only runs in development:No Content Security Policy
No CSP header is set via
session.defaultSession.webRequest.onHeadersReceived. The Electron security guide lists this as a required step to limit what resources the renderer can load.JWT token stored in plaintext
access_tokenis persisted byelectron-storeas plain JSON. Electron'ssafeStorageAPI can encrypt the value at rest using the OS keychain before writing to the store.No navigation lockdown
There is no
will-navigatehandler onmainWindow.webContentsto block the renderer from being redirected to an arbitrary URL. The guide recommends allowing navigation only to known-safe origins.References