Security hardening: HTTP layer, file permissions, XSS, error sanitization

Full codebase security audit with fixes across 12 files:

- Add Host header validation middleware (blocks DNS rebinding)
- Add security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
- Add request body size limits (1MB via MaxBytesReader middleware)
- Add HTTP server timeouts (Read: 10s, Write: 30s, Idle: 120s)
- Tighten file permissions to 0700/0600 for dirs/files in ~/.continuity/
- Auto-harden permissions on existing installs at startup
- Fix XSS in ProfilePanel: replace {@html} with safe Svelte text interpolation
- Fix {@html} for static icons in Header component
- Sanitize all error responses: generic messages to clients, full errors to server logs
- Add jsonError() helper to prevent JSON injection via string concatenation
- Cap search limit parameter at 100
- Add io.LimitReader (10MB) on hook stdin parsing
- Apply 10KB truncation to tool_input (matching tool_response)
- Log truncation events with session ID and byte counts
- Remove db_path from /api/health response
- Remove middleware.RealIP (unnecessary, trusts spoofable headers)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lazypower

internal/cli/init.go

@@ -93,10 +93,10 @@ func runInit(cmd *cobra.Command, args []string) error {
 	autostartPath := filepath.Join(homeDir, ".continuity", "autostart")
 
 	if initAutostart {
-		if err := os.MkdirAll(filepath.Dir(autostartPath), 0755); err != nil {
+		if err := os.MkdirAll(filepath.Dir(autostartPath), 0700); err != nil {
 			return fmt.Errorf("create .continuity dir: %w", err)
 		}
-		if err := os.WriteFile(autostartPath, []byte("enabled\n"), 0644); err != nil {
+		if err := os.WriteFile(autostartPath, []byte("enabled\n"), 0600); err != nil {
 			return fmt.Errorf("write autostart marker: %w", err)
 		}
 		fmt.Println("Autostart enabled: continuity serve will launch automatically when needed.")

internal/cli/serve.go

@@ -107,8 +107,12 @@ func runServe(cmd *cobra.Command, args []string) error {
 	addr := cfg.ListenAddr()
 
 	httpServer := &http.Server{
-		Addr:    addr,
-		Handler: srv,
+		Addr:           addr,
+		Handler:        srv,
+		ReadTimeout:    10 * time.Second,
+		WriteTimeout:   30 * time.Second,
+		IdleTimeout:    120 * time.Second,
+		MaxHeaderBytes: 1 << 20, // 1MB
 	}
 
 	// Graceful shutdown

internal/hooks/autostart.go

@@ -56,11 +56,15 @@ func TryAutostart() bool {
 		return false
 	}
 	logPath := filepath.Join(home, ".continuity", "serve.log")
-	logFile, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	logFile, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "continuity: autostart: open log: %v\n", err)
 		return false
 	}
+	// Tighten existing log files from previous installs (0644 → 0600)
+	if info, err := logFile.Stat(); err == nil && info.Mode().Perm()&0077 != 0 {
+		os.Chmod(logPath, 0600)
+	}
 
 	devNull, err := os.Open(os.DevNull)
 	if err != nil {

internal/hooks/handler.go

@@ -6,11 +6,13 @@ import (
 	"io"
 )
 
+const maxHookInputSize = 10 << 20 // 10MB
+
 // Handle reads HookInput from the given reader, dispatches to the appropriate
 // handler based on the event argument, and writes output to stdout.
 func Handle(event string, stdin io.Reader) {
 	var input HookInput
-	if err := json.NewDecoder(stdin).Decode(&input); err != nil {
+	if err := json.NewDecoder(io.LimitReader(stdin, maxHookInputSize)).Decode(&input); err != nil {
 		// Stdin may be empty for some events — degrade gracefully
 		if event == "start" {
 			WriteSessionStartOutput("")

internal/server/middleware.go

@@ -0,0 +1,42 @@
+package server
+
+import (
+	"net"
+	"net/http"
+)
+
+const maxRequestBody = 1 << 20 // 1MB
+
+// localhostOnly rejects requests where the Host header is not localhost.
+// Prevents DNS rebinding attacks against the local API server.
+func localhostOnly(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		host := r.Host
+		if h, _, err := net.SplitHostPort(host); err == nil {
+			host = h
+		}
+		if host != "localhost" && host != "127.0.0.1" && host != "::1" {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// securityHeaders adds standard security headers to all responses.
+func securityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Referrer-Policy", "no-referrer")
+		next.ServeHTTP(w, r)
+	})
+}
+
+// limitRequestBody caps the size of incoming request bodies to prevent OOM.
+func limitRequestBody(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		r.Body = http.MaxBytesReader(w, r.Body, maxRequestBody)
+		next.ServeHTTP(w, r)
+	})
+}

internal/server/routes.go

@@ -3,7 +3,6 @@ package server
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"io"
 	"log"
 	"net/http"
@@ -14,6 +13,14 @@ import (
 	"github.com/lazypower/continuity/internal/engine"
 )
 
+// jsonError writes a JSON error response. All error responses should use this
+// to avoid JSON injection via string concatenation.
+func jsonError(w http.ResponseWriter, msg string, code int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+	json.NewEncoder(w).Encode(map[string]string{"error": msg})
+}
+
 func (s *Server) handleSessionInit(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		SessionID string `json:"session_id"`
@@ -30,7 +37,8 @@ func (s *Server) handleSessionInit(w http.ResponseWriter, r *http.Request) {
 
 	sess, err := s.db.InitSession(req.SessionID, req.Project)
 	if err != nil {
-		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
+		log.Printf("init session: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -61,7 +69,8 @@ func (s *Server) handleAddObservation(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err := s.db.AddObservation(sessionID, req.ToolName, req.ToolInput, req.ToolResponse); err != nil {
-		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
+		log.Printf("add observation: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -79,8 +88,9 @@ func (s *Server) handleCompleteSession(w http.ResponseWriter, r *http.Request) {
 	if err := s.db.CompleteSession(sessionID); err != nil {
 		// Not finding an active session is not a server error — the session
 		// may have already been completed or never existed. Log but return OK.
+		log.Printf("complete session: %v", err)
 		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(map[string]string{"status": "ok", "note": err.Error()})
+		json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
 		return
 	}
 
@@ -92,7 +102,8 @@ func (s *Server) handleEndSession(w http.ResponseWriter, r *http.Request) {
 	sessionID := chi.URLParam(r, "sessionID")
 
 	if err := s.db.EndSession(sessionID); err != nil {
-		http.Error(w, `{"error":"`+err.Error()+`"}`, http.StatusInternalServerError)
+		log.Printf("end session: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -180,9 +191,8 @@ func (s *Server) handleSignal(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleUnmarkEmptyExtractions(w http.ResponseWriter, r *http.Request) {
 	n, err := s.db.UnmarkEmptyExtractions()
 	if err != nil {
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		log.Printf("unmark empty extractions: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -204,15 +214,12 @@ func (s *Server) handleGetMemory(w http.ResponseWriter, r *http.Request) {
 
 	node, err := s.db.GetNodeByURI(uri)
 	if err != nil {
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		log.Printf("get memory: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 	if node == nil {
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusNotFound)
-		json.NewEncoder(w).Encode(map[string]string{"error": "memory not found: " + uri})
+		jsonError(w, "memory not found", http.StatusNotFound)
 		return
 	}
 
@@ -268,9 +275,8 @@ func (s *Server) handleRemember(w http.ResponseWriter, r *http.Request) {
 		SessionID: req.SessionID,
 	})
 	if err != nil {
-		w.Header().Set("Content-Type", "application/json")
-		w.WriteHeader(http.StatusBadRequest)
-		json.NewEncoder(w).Encode(map[string]string{"error": err.Error()})
+		log.Printf("remember: %v", err)
+		jsonError(w, "failed to store memory", http.StatusBadRequest)
 		return
 	}
 
@@ -304,6 +310,9 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
 			limit = n
 		}
 	}
+	if limit > 100 {
+		limit = 100
+	}
 
 	category := r.URL.Query().Get("category")
 
@@ -333,7 +342,8 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if err != nil {
-		http.Error(w, fmt.Sprintf(`{"error":"%s"}`, err.Error()), http.StatusInternalServerError)
+		log.Printf("search: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -384,7 +394,8 @@ func (s *Server) handleTimeline(w http.ResponseWriter, r *http.Request) {
 
 	sessions, err := s.db.GetSessionsSince(sinceMs)
 	if err != nil {
-		http.Error(w, fmt.Sprintf(`{"error":"%s"}`, err.Error()), http.StatusInternalServerError)
+		log.Printf("timeline: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -415,7 +426,8 @@ func (s *Server) handleTimeline(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleProfile(w http.ResponseWriter, r *http.Request) {
 	relProfile, err := s.db.GetNodeByURI("mem://user/profile/communication")
 	if err != nil {
-		http.Error(w, fmt.Sprintf(`{"error":"%s"}`, err.Error()), http.StatusInternalServerError)
+		log.Printf("profile: %v", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 
@@ -476,7 +488,8 @@ func (s *Server) handleTree(w http.ResponseWriter, r *http.Request) {
 		// List roots
 		roots, err := s.db.ListRoots()
 		if err != nil {
-			http.Error(w, fmt.Sprintf(`{"error":"%s"}`, err.Error()), http.StatusInternalServerError)
+			log.Printf("tree roots: %v", err)
+			jsonError(w, "internal error", http.StatusInternalServerError)
 			return
 		}
 		for _, r := range roots {
@@ -492,7 +505,8 @@ func (s *Server) handleTree(w http.ResponseWriter, r *http.Request) {
 		// List children
 		children, err := s.db.GetChildren(uri)
 		if err != nil {
-			http.Error(w, fmt.Sprintf(`{"error":"%s"}`, err.Error()), http.StatusInternalServerError)
+			log.Printf("tree children: %v", err)
+			jsonError(w, "internal error", http.StatusInternalServerError)
 			return
 		}
 		for _, c := range children {