Skip to content

docs(security): document signed-token guard on video endpoints#8

Merged
m-szymanska merged 2 commits into
mainfrom
docs/security-video-token-guard
Jul 9, 2026
Merged

docs(security): document signed-token guard on video endpoints#8
m-szymanska merged 2 commits into
mainfrom
docs/security-video-token-guard

Conversation

@m-szymanska

Copy link
Copy Markdown
Contributor

What

Documents the signed-token guard on the source-video endpoints (shipped in the quality-hardening wave, PR #7) in SECURITY.md. Docs-only — no code change.

Before this, SECURITY.md described the local-server model only in terms of the /api/* session token and the risk-accepted StaticFiles mount, and said nothing about the /video endpoints now requiring a signed request. This adds that, and sharpens the accepted-risk boundary so the reader sees exactly what is behind the token and what remains an open surface.

Changes

  • New Local server hardening section: /video (and the review server's by-filename twin) require an HMAC-SHA256 st query-parameter signature keyed by the session token, because a <video src> element cannot carry a header; an unsigned GET is rejected with 403. Notes that analyze signs URLs at render time while review signs at serve time, keeping the on-disk report token-free and shareable.
  • Accepted risks (P3-10) reworded: the /api/* routes and the video endpoints sit behind the session token; the StaticFiles mount at / remains deliberately un-guarded (unchanged risk acceptance).

Verification

  • Every claim cross-checked against screenscribe/server_security.py (video_access_token / _video_query_token_ok) and the /video handlers in analyze_server.py / review_server.py.
  • Honest boundary: the doc does not claim the static mount is now guarded — it is not.
  • Single file changed (SECURITY.md); leak/brand scan clean.

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the SECURITY.md file to document local server hardening measures, including DNS-rebinding guards, session token requirements, and HMAC-SHA256 signatures for source-video endpoints. It also updates the accepted risks section to align with these changes. The review feedback suggests minor grammatical and readability improvements to the newly added text.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread SECURITY.md
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@m-szymanska m-szymanska merged commit 43fd31d into main Jul 9, 2026
8 checks passed
@m-szymanska m-szymanska deleted the docs/security-video-token-guard branch July 9, 2026 09:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant