
Security: Miscellaneous hardening improvements #472

@MaxRink


Summary

Collection of low-severity security improvements for k8s-breakglass.

Severity: LOW
Category: Security (SEC-003, SEC-004, SEC-005, SEC-006, SEC-007, SEC-008, SEC-015, SEC-017)

Findings

SEC-003 | JWT Issuer Parsed Without Verification for JWKS Routing

The JWT iss claim is parsed from the still-unverified token to select which JWKS to fetch. While this is standard for multi-IDP setups, iss should be validated against the configured providers before any JWKS fetch, so an unknown issuer is rejected without triggering a key lookup.

  • File: pkg/api/auth.go:257-270
  • Fix: Validate iss against configured IDPs before fetching JWKS.

SEC-004 | JWKS LRU Cache Has No Per-Issuer Rate Limiting

A flood of requests carrying different kid values could trigger a JWKS fetch for each cache miss, generating excessive fetches and effectively DoS-ing the OIDC provider.

  • File: pkg/api/auth.go:86-100
  • Fix: Add per-issuer rate limiting on JWKS fetches.

SEC-005 | No Audience Claim Validation on JWT Tokens

JWT tokens are validated for signature and expiry, but the aud claim is not checked. A token issued by the same IDP for a different service could therefore be used to access breakglass.

  • File: pkg/api/auth.go:300-303
  • Fix: Add configurable aud validation per IDP.

SEC-006 | X-Request-ID Accepted Without Sanitization

The X-Request-ID header is accepted without length or character validation. Malicious values could affect log parsing.

  • File: pkg/api/api.go:197-203
  • Fix: Validate UUID format, max 64 chars.

SEC-007 | SAR Webhook Endpoint Not Authenticated

The /authorize endpoint processes SAR requests without authenticating the caller. Any network-reachable client can send requests.

  • File: pkg/webhook/controller.go:402-409
  • Fix: Document as design decision. Add NetworkPolicy restricting ingress to API server.

SEC-008 | Build Info Endpoint Exposed Without Authentication

/api/v1/info exposes the Go version and build commit without authentication, aiding reconnaissance.

  • File: pkg/api/api.go:315-318
  • Fix: Consider requiring authentication or limiting exposed details.

SEC-015 | IDP Reconnaissance When hardenedIDPHints Disabled

IDP selection hints include provider names and URLs when hardenedIDPHints is disabled.

  • File: pkg/webhook/controller.go:157-176
  • Fix: Enable hardenedIDPHints by default in production.

SEC-017 | Frontend Stores Tokens in localStorage

JWT tokens stored in localStorage are readable by any script running in the page, so a single XSS exposes them. Consider httpOnly cookies.

  • File: frontend/src/services/auth.ts:147-158
  • Fix: Consider httpOnly cookies. Ensure robust CSP.

Acceptance Criteria

  • Validate JWT iss against configured IDPs before JWKS fetch
  • Add per-issuer JWKS fetch rate limiting
  • Add configurable audience claim validation
  • Sanitize X-Request-ID header
  • Document SAR endpoint authentication design decision
  • Review build info endpoint exposure
  • Enable hardenedIDPHints by default
  • Evaluate httpOnly cookies for token storage
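The iss and aud checks from SEC-003 and SEC-005, written as an added example (not code from k8s-breakglass): IDPConfig, SelectIDP and the map keyed by issuer are hypothetical names, and the function inspects only the still-unverified payload, so the caller must still fetch the selected IDP's JWKS and verify the signature afterwards.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// IDPConfig is a hypothetical per-IDP config: the issuer a token must carry
// and the audience value this service accepts from that IDP.
type IDPConfig struct{ Issuer, JWKSURL, Audience string }
// claims keeps only what routing needs; aud may be a string or an array.
type claims struct {
	Issuer   string          `json:"iss"`
	Audience json.RawMessage `json:"aud"`
}

// SelectIDP reads the still-unverified payload of a compact JWT and returns the
// configured IDP whose iss and aud match; only then should its JWKS be fetched.
func SelectIDP(token string, idps map[string]IDPConfig) (IDPConfig, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return IDPConfig{}, errors.New("malformed compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return IDPConfig{}, errors.New("payload is not base64url")
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return IDPConfig{}, errors.New("payload is not a JSON claims object")
	}
	idp, ok := idps[c.Issuer] // unknown issuer: reject before any JWKS fetch
	if !ok {
		return IDPConfig{}, errors.New("iss is not a configured IDP")
	}
	var auds []string // aud may be a single string or an array
	if one := ""; json.Unmarshal(c.Audience, &one) == nil {
		auds = []string{one}
	} else {
		_ = json.Unmarshal(c.Audience, &auds) // stays nil if missing/malformed
	}
	for _, a := range auds {
		if a == idp.Audience {
			return idp, nil
		}
	}
	return IDPConfig{}, errors.New("aud does not include this service")
}
```

A missing aud is rejected as well, which is the safe default when the IDP issues tokens for several services.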

Metadata

  • Labels: enhancement (New feature or request)
  • Assignees: none
  • Milestone: none