6 security findings identified and remediated — from credential management to XSS.
A structured security audit of the Intellixer portal and API surface identified six findings across three severity levels. All were remediated in the same sprint.
| ID | Severity | Description | Fix |
|---|---|---|---|
| SEC-001 | HIGH | Credentials hardcoded in Caddyfile and launchd plists | Environment file injection via /etc/intellixer/*.env (root-owned, 0600) |
| SEC-002 | HIGH | Sensitive audit fields stored in plaintext | AES-256-GCM encryption at rest via DB migration + callback update |
| SEC-003 | HIGH | Null pointer dereference in data export | Null guard added at data_export.py:108 |
| SEC-004 | MEDIUM | Session cookies missing HttpOnly flag | HttpOnly + Secure flags set on all session endpoints |
| SEC-005 | MEDIUM | XSS via unescaped user-controlled dashboard values | Data-attribute pattern + event listeners; server-side validation added |
| SEC-006 | LOW | CSRF token not validated on state-changing endpoints | CSRF middleware applied to all POST routes |
The audit followed OWASP Top 10 methodology. No findings remain open.
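As an added illustration of the SEC-005 fix (example code, not Intellixer's own), here is the server-side half of the data-attribute pattern: the flagged raw interpolation beside a hardened renderer that escapes the value into a `data-*` attribute, plus the allowlist validator. The allowlist, the `select` handler name and the `.widget` markup are assumptions; the client-side listener is shown only in a comment.

```python
import html
import re

# Constructed allowlist for a dashboard label (assumption: the real
# Intellixer validation rules are not given on the page).
LABEL_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def is_valid_label(value: str) -> bool:
    """Server-side validation from the SEC-005 fix: accept only the
    allowlisted character set, so markup never reaches the renderer."""
    return LABEL_RE.fullmatch(value) is not None


def render_widget_unsafe(label: str) -> str:
    """The flagged pattern: the user-controlled value is interpolated raw
    into markup and into an inline handler, so any markup it carries is
    parsed by the browser as live HTML."""
    return f"<div class=\"widget\" onclick=\"select('{label}')\">{label}</div>"


def render_widget(label: str) -> str:
    """Hardened form: the value is HTML-escaped into a data attribute and
    into the text node, and there is no inline handler. Client code attaches
    the listener and reads the value via el.dataset.label, e.g.

        document.querySelectorAll('.widget').forEach(el =>
            el.addEventListener('click', () => select(el.dataset.label)));

    so the browser never parses the value as HTML or JavaScript."""
    safe = html.escape(label, quote=True)
    return f'<div class="widget" data-label="{safe}">{safe}</div>'


if __name__ == "__main__":
    sample = "Sales <Q1>"  # constructed input carrying a stray tag
    print(is_valid_label(sample))        # False: rejected at the API boundary
    print(render_widget_unsafe(sample))  # raw <Q1> reaches the page
    print(render_widget(sample))         # &lt;Q1&gt; in both attribute and text
```

Validation and escaping are independent layers: the validator rejects the value at the API boundary, and the renderer still escapes whatever it is handed.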