-
tomas.kracmar released this
2026-04-27 14:58:15 +00:00 | 0 commits to main since this releaseAOC v1.7.14 — Threat Model Remediation
This release addresses all high-severity findings from the internal threat model review (see
THREAT_MODEL_v1.7.13.md).New Security Features
LLM Domain Allowlist
- New config:
LLM_ALLOWED_DOMAINS(e.g.api.openai.com,*.openai.azure.com) - Prevents audit data exfiltration via compromised LLM endpoints
SIEM Webhook SSRF Guard
- New config:
SIEM_ALLOWED_DOMAINS SIEM_WEBHOOK_URLis validated with HTTPS-only, private IP blocking, and domain restrictions
Subresource Integrity (SRI)
- CDN scripts (Alpine.js, MSAL.js) now include
integrityhashes - Browser refuses to execute scripts if CDN content is tampered with
Auth Misconfiguration Warning
- Logs a WARNING at startup if
AUTH_ENABLED=truebut no roles/groups are configured
Azure Key Vault Integration (Optional)
- New config:
AZURE_KEY_VAULT_NAME - Loads
CLIENT_SECRET,LLM_API_KEY,MONGO_URI,WEBHOOK_CLIENT_SECRETfrom Key Vault at startup - Eliminates long-lived secrets from
.envfiles
Previous v1.7.12 Security Fixes (Included)
- CORS credentials leak fixed — wildcard origins no longer get
allow_credentials=truewhen auth is enabled - Security headers added: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
- Rate limiter fails closed on Redis outage (returns 429)
- OpenAPI docs disabled by default (
DOCS_ENABLED=false) - Config auth hides tenant/client IDs when auth is disabled
- Webhook validationToken validated before echo
- Metrics endpoint gated behind IP allowlist
Upgrade Notes
- Pull the new tag:
git fetch origin && git checkout v1.7.14 - Review
.env.examplefor new settings - If using AI features, set
LLM_ALLOWED_DOMAINSto your LLM provider - If using SIEM forwarding, set
SIEM_ALLOWED_DOMAINS - Consider Azure Key Vault for secrets storage
Docker image:
git.cqre.net/cqrenet/aoc-backend:v1.7.14Downloads
- New config: