GHSA-7ww3-xvf5-cxwm: ciguard: Web UI is missing HTTP defence-in-depth headers
ciguard’s FastAPI Web UI (src/ciguard/web/app.py) does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy (Medium), X-Frame-Options (Medium), Sub-Resource-Integrity on /api/docs (Medium), COOP / COEP / CORP (Low), Permissions-Policy (Low), X-Content-Type-Options (Low).
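An added mitigation example, not ciguard's own code: a dependency-free ASGI middleware that injects the headers ZAP flagged as missing (usable on a FastAPI app via `app.add_middleware(SecurityHeadersMiddleware)`), plus an audit helper that reports which of them a response still lacks. The header values, `bare_app` and `response_headers` are assumptions; the SRI finding on /api/docs is a separate fix (integrity attributes on the docs page's script tags) and is not covered here.

```python
import asyncio
# Baseline values are assumptions; CSP and COEP must be tuned to what the UI loads.
SECURITY_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-resource-policy": "same-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

class SecurityHeadersMiddleware:
    """Pure ASGI middleware: adds each header unless the app already set it (routes can override)."""
    def __init__(self, app, headers=None):
        self.app, self.headers = app, headers or SECURITY_HEADERS
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":          # leave websocket/lifespan traffic untouched
            return await self.app(scope, receive, send)
        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                raw = list(message.get("headers", []))
                present = {k.decode("latin-1").lower() for k, _ in raw}
                raw += [(n.encode("latin-1"), v.encode("latin-1"))
                        for n, v in self.headers.items() if n not in present]
                message = {**message, "headers": raw}
            await send(message)
        await self.app(scope, receive, send_with_headers)

def missing_headers(headers, required=SECURITY_HEADERS):
    """Audit helper: required header names absent from a response (case-insensitive)."""
    present = {k.lower() for k in headers}
    return sorted(n for n in required if n not in present)

async def bare_app(scope, receive, send):
    """Constructed stand-in for the unpatched UI: HTML response, no security headers."""
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"text/html")]})
    await send({"type": "http.response.body", "body": b"<h1>ciguard</h1>"})

def response_headers(app):
    """Drive an ASGI app in-process (no server needed) and return its response headers."""
    captured = {}
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        if message["type"] == "http.response.start":
            captured.update({k.decode("latin-1"): v.decode("latin-1") for k, v in message["headers"]})
    asyncio.run(app({"type": "http", "method": "GET", "path": "/", "headers": []}, receive, send))
    return captured
```

`missing_headers(response_headers(bare_app))` lists all seven headers for the unwrapped app and an empty list once the app is wrapped in `SecurityHeadersMiddleware`, which is the check a regression test should keep alongside the ZAP baseline scan.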