Skip to content

Security: achildrenmile/webrx

Security

SECURITY.md

Security Assessment Report

Date: January 2026 Scope: WebRX Application - Full Stack Review

Executive Summary

A security assessment was conducted on the WebRX application. The application has a low-to-medium risk profile with no critical vulnerabilities identified. Several hardening recommendations have been implemented.

Findings

MEDIUM Risk

1. Missing Security Headers

Status: Fixed Description: The application was missing standard security headers (X-Content-Type-Options, X-Frame-Options, etc.) Remediation: Added helmet middleware for security headers.

2. No Rate Limiting

Status: Fixed Description: API endpoints had no rate limiting, making them vulnerable to abuse. Remediation: Added express-rate-limit middleware with reasonable limits.

LOW Risk

3. Tile Proxy Subdomain Validation

Status: Fixed Description: The tile proxy accepted any subdomain value, though limited to openstreetmap.org. Remediation: Restricted subdomain parameter to valid values (a, b, c).

4. Tile Coordinate Validation

Status: Fixed Description: Tile coordinates (z, x, y) were not validated as integers. Remediation: Added integer validation for tile parameters.

INFORMATIONAL

5. HTML in locations.json

Status: Documented Description: The locations.json file contains HTML markup that is rendered in popups. This is intentional for formatting but should be noted. Risk: If an attacker gains write access to locations.json, XSS is possible. Mitigation: File is admin-controlled and not user-editable.

6. Dependencies

Status: Passed Description: npm audit reports 0 vulnerabilities.

7. Docker Configuration

Status: Passed Description: Container runs as non-root user, uses Alpine base image, production mode enabled.

Security Controls Implemented

  • Security headers via helmet
  • Rate limiting on API endpoints
  • Input validation on tile proxy
  • Non-root Docker container
  • Production environment mode
  • HTTPS via Cloudflare tunnel

Recommendations

  1. Monitor Dependencies: Regularly run npm audit to check for new vulnerabilities
  2. Access Control: Protect locations.json from unauthorized modifications
  3. Logging: Consider adding request logging for security monitoring
  4. Updates: Keep Node.js and dependencies updated

Testing Methodology

  • Static code analysis
  • Dependency vulnerability scanning (npm audit)
  • Configuration review
  • Input validation testing

Conclusion

The WebRX application demonstrates good security practices. The identified issues have been remediated, and the application is suitable for production deployment behind Cloudflare's security layer.

There aren’t any published security advisories