
@asheehan
asheehan / security-audit.md
Created March 8, 2026 04:32
Moonshot Clinic — Security Audit Progress

Completed Fixes (merged to dev)

| # | Issue | Details |
|---|-------|---------|
| 8 | Vulnerable dependency (fast-xml-parser) | High-severity DoS vulnerability in fast-xml-parser (transitive dep via AWS SDK). Pinned to ^5.4.2 via npm overrides. |
| 21 | No input validation | No input validation on any endpoint — raw user input flowed straight to DB queries. Added validation framework with UUID, email, length, enum checks on 4 critical endpoints (login, booking, billing, portal auth). |
| 23 | Session tokens exposed to XSS | Session tokens stored in localStorage — any XSS could steal them. Migrated to httpOnly/Secure/SameSite=Strict cookies so JavaScript can't access tokens at all. |
| 24 | No Content Security Policy | No Content-Security-Policy headers anywhere. Added CSP to both API responses and Amplify static HTML pages with allowlists for Stripe, Google Fonts, S3, and jsdelivr CDN. |
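To make issue 21 concrete, here is an added example (not the Moonshot Clinic code) of a minimal allowlist-style validator with the four check kinds the table names: UUID, email, length and enum. The `bookingSchema` fields and the sample requests are constructed for illustration.

```javascript
// Added example, not the project's code. A schema-driven validator that copies
// only declared, valid fields into `value`, so unknown keys and malformed
// values never reach the query layer.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
// Deliberately simple and strict: one local part, one @, a dotted domain, no whitespace.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

const checks = {
  uuid: (v) => typeof v === 'string' && UUID_RE.test(v),
  email: (v) => typeof v === 'string' && v.length <= 254 && EMAIL_RE.test(v),
  length: (v, { min = 0, max = Infinity }) =>
    typeof v === 'string' && v.length >= min && v.length <= max,
  enum: (v, { values }) => values.includes(v),
};

// Returns { ok, value, errors }. Fields are required unless `required: false`.
function validate(schema, input) {
  const errors = [];
  const value = {};
  for (const [field, rule] of Object.entries(schema)) {
    const v = input[field];
    if (v === undefined) {
      if (rule.required !== false) errors.push(`${field}: required`);
      continue;
    }
    const check = checks[rule.type];
    if (!check || !check(v, rule)) errors.push(`${field}: invalid ${rule.type}`);
    else value[field] = v;
  }
  return { ok: errors.length === 0, value, errors };
}

// Constructed schema for a booking endpoint (field names are hypothetical).
const bookingSchema = {
  patientId: { type: 'uuid' },
  email: { type: 'email' },
  notes: { type: 'length', min: 0, max: 500, required: false },
  visitType: { type: 'enum', values: ['intake', 'followup', 'telehealth'] },
};

// Constructed sample requests: one well-formed, one failing three checks
// and carrying an undeclared key that must be dropped.
const goodBooking = {
  patientId: '3b241101-e2bb-4255-8caf-4136c566a962',
  email: 'pat@example.com',
  visitType: 'intake',
};
const badBooking = { patientId: 'not-a-uuid', email: 'not-an-email', visitType: 'admin', extra: 'dropped' };
```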
@asheehan
asheehan / gist:727fdf3bd6d76ea7313341de8cc50e59
Created March 8, 2026 04:30
Weno AES-256-CBC Encryption — IV Question for Tom Kashul
# Weno E-Prescribing Encryption: IV Clarification Needed
Hi Tom,
We're doing a security review of our Weno integration and have a question about the AES-256-CBC encryption used for the patient payload in the iframe URL.
## Current Implementation
Our integration encrypts the JSON payload like this:
```elixir
defmodule Distancer do
  @moduledoc false
  @url "http://www.mapquestapi.com/directions/v2/routematrix"
  @headers []
  @params [{"key", Application.fetch_env!(:distancer, :mapquest_api_key)}]

  NimbleCSV.define(MyParser, separator: ",", escape: "\"")

  @doc """
```