---
name: security-audit
description: Use this skill for security reviews of VoxBento code. Covers OWASP Top 10 and VoxBento-specific threat model.
---
Skill: Security Audit
Use this skill for security reviews of VoxBento code.
Covers OWASP Top 10 and VoxBento-specific threat model.
Threat Model
| Actor | Capability | Risk |
|---|---|---|
| Anonymous user | Reaches public routes (/, /register, /login, /healthz, /ws/captions/*) | Low |
| Authenticated user | Joins events they are assigned to | Low |
| Malicious invite token holder | Uses token for different booth | Mitigated by WS scope check |
| Rogue interpreter | Tries to go live without being active | Mitigated by _resolve_whip_url |
| Admin with access | Full event/user management | Inherently trusted |
| Network attacker | MITM on HTTP connections | Use HTTPS/TLS in production |
Security Checklist
A01 — Broken Access Control
A02 — Cryptographic Failures
A03 — Injection
A05 — Security Misconfiguration
A07 — Identification and Authentication Failures
A10 — Server-Side Request Forgery (SSRF)
Open Redirect Audit
All redirects in portal/routers/ must use safe_redirect(url):
```python
from urllib.parse import urlparse
from fastapi.responses import RedirectResponse

def safe_redirect(url: str, status_code: int) -> RedirectResponse:
    # Drop backslashes (browsers treat them as slashes) and surrounding whitespace.
    url = url.replace('\\', '').strip()
    parsed = urlparse(url)
    # Only a same-origin absolute path (no scheme, no host) is followed; anything else goes to '/'.
    if url and not parsed.netloc and not parsed.scheme and url.startswith('/'):
        return RedirectResponse(url=url, status_code=status_code)
    return RedirectResponse(url='/', status_code=status_code)
```
Check next_url / next parameter usage:
```bash
grep -rn "next_url\|next=" portal/routers/
```
Ensure all uses pass through safe_redirect.
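As an added audit harness (not VoxBento project code), the block below mirrors the acceptance logic of safe_redirect without FastAPI and runs it over constructed next_url values. It also covers a triple-slash input, which urlparse reports with an empty netloc even though browsers resolve a Location of that form as scheme-relative; the reject_protocol_relative flag is a hardening assumption, not part of the project.

```python
# Added audit harness: mirrors the acceptance logic of safe_redirect above
# and runs it over constructed next_url values. Not VoxBento project code.
from urllib.parse import urlparse


def resolve_next(url: str, reject_protocol_relative: bool = False) -> str:
    """Return the Location value safe_redirect would emit for `url`.

    With reject_protocol_relative=False this reproduces the page's check
    exactly. With True (a hardening assumption, not project code) any
    normalized value beginning with '//' is sent to '/' as well, because
    urlparse('///host') reports an empty netloc while browsers resolve a
    Location of '///host' as the scheme-relative URL '//host'.
    """
    url = url.replace('\\', '').strip()
    parsed = urlparse(url)
    if url and not parsed.netloc and not parsed.scheme and url.startswith('/'):
        if reject_protocol_relative and url.startswith('//'):
            return '/'
        return url
    return '/'


def leaves_origin(location: str) -> bool:
    """True when a Location value would take the browser off-site."""
    return location.startswith('//') or bool(urlparse(location).scheme)


# Constructed test vectors an auditor would feed to a next_url parameter.
VECTORS = [
    '/events/42',                 # plain same-origin path
    '  /events/42 ',              # surrounding whitespace
    'events/42',                  # relative, no leading slash
    'https://attacker.example/',  # absolute URL
    '//attacker.example/',        # protocol-relative
    '/\\attacker.example',        # backslash host trick, neutralised by replace()
    'javascript:alert(1)',        # scheme without slashes
    '///attacker.example',        # triple slash: empty netloc in urlparse
]


def audit(reject_protocol_relative: bool = False) -> list[str]:
    """Return the vectors whose resolved redirect still leaves the origin."""
    return [v for v in VECTORS
            if leaves_origin(resolve_next(v, reject_protocol_relative))]


if __name__ == '__main__':
    for v in VECTORS:
        print(repr(v), '->', repr(resolve_next(v)))
    print('leaks with page logic:', audit())
    print('leaks with hardening:', audit(reject_protocol_relative=True))
```

The page's own check sends every vector to '/' except the triple-slash form, which the hardened variant also rejects.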
Cookie Security Flags
| Cookie | httponly | samesite | secure |
|---|---|---|---|
| session_token | ✓ | lax | ✗ (set by reverse proxy TLS) |
| user_token | ✓ | lax | ✗ |
| admin_token | ✓ | lax | ✗ |
Production hardening: ensure TLS termination at Caddy/nginx level; add Strict-Transport-Security header.
Prompt Injection Detection
VoxBento does not directly pass user input to LLM APIs. Transcription providers receive audio (PCM bytes), not text, from the server. There is no LLM chain in the current implementation.
Security Quick Checks
```bash
# Redirects that bypass safe_redirect
grep -rn "RedirectResponse(url=" portal/routers/ | grep -v safe_redirect
# Debug mode left enabled in config
grep -n "debug" portal/config.py
# Placeholder or default secrets in config
grep -n "change-me\|secret_key" portal/config.py
# Inline scripts in templates (review for XSS / CSP)
grep -rn "<script>" templates/
```