Release v1.7.15: security hardening, async auth, CSP tightening, model validation, SSRF guard, rate limiting improvements, frontend extraction, Docker compose security

2026-05-28 14:57:09 +02:00
parent fe95dfcfce
commit f7fca05210
18 changed files with 943 additions and 873 deletions
+8 -1
@@ -18,6 +18,7 @@ from config import (
ENABLE_PERIODIC_FETCH,
FETCH_INTERVAL_MINUTES,
METRICS_ALLOWED_IPS,
WEBHOOK_CLIENT_SECRET,
)
from database import setup_indexes
from fastapi import FastAPI, HTTPException, Request
@@ -111,7 +112,7 @@ async def security_headers_middleware(request: Request, call_next):
if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
response.headers["Content-Security-Policy"] = (
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net alcdn.msauth.net; "
"script-src 'self' cdn.jsdelivr.net alcdn.msauth.net; "
"style-src 'self' 'unsafe-inline'; "
"connect-src 'self' https://login.microsoftonline.com; "
"frame-src 'self' https://login.microsoftonline.com; "
@@ -284,6 +285,12 @@ async def start_periodic_fetch():
"Any Entra user in the tenant can authenticate and access AOC. "
"Set AUTH_ALLOWED_ROLES or AUTH_ALLOWED_GROUPS to restrict access."
)
if not WEBHOOK_CLIENT_SECRET:
logger.warning(
"WEBHOOK_CLIENT_SECRET is not set. Graph webhook notifications will be accepted without "
"clientState validation, allowing any HTTP client to spoof Graph notifications. "
"Set WEBHOOK_CLIENT_SECRET to the clientState used when creating Graph subscriptions."
)
if ENABLE_PERIODIC_FETCH:
app.state.fetch_task = asyncio.create_task(_periodic_fetch())