| name | security-review |
| description | Performs security reviews of Hone code using OWASP guidelines. Use when reviewing database queries, CSV import logic, API endpoints, authentication, encryption, or when the user asks about security. |
| allowed-tools | Read, Grep, Glob |
Security Review for Hone
Based on OWASP Top 10 (2021) and modern web security practices.
OWASP Top 10 Relevance to Hone
A01:2021 - Broken Access Control
- Risk: Unauthorized access to other users' financial data
- Hone Context: Currently single-user, but if multi-user is added:
- Implement proper session management
- Validate user owns requested resources
- Use principle of least privilege
A02:2021 - Cryptographic Failures
- Data Classification: Transaction data is sensitive PII
- At Rest: SQLCipher for database encryption (per DESIGN.md)
- In Transit:
- All external connections MUST use TLS/HTTPS
- Ollama connection should use HTTPS if remote
- Hashing: Using SHA-256 for deduplication (appropriate choice)
Database Encryption (Required):
let conn = Connection::open("hone.db")?;
conn.pragma_update(None, "key", &passphrase)?;
use argon2::{Argon2, PasswordHasher};
let salt = SaltString::generate(&mut OsRng);
let argon2 = Argon2::default();
let key = argon2.hash_password(passphrase.as_bytes(), &salt)?;
Implementation Requirements:
- Use
rusqlite with bundled-sqlcipher feature
- Derive encryption key from passphrase using Argon2
- Passphrase provided at startup (env var or prompt)
- Never log or expose the passphrase
Backup Encryption:
- Backups encrypted with
age before upload to Cloudflare R2
- Consider post-quantum algorithms for future-proofing (harvest now, decrypt later threat)
A03:2021 - Injection
- SQL Injection (Critical for hone-core/src/db.rs)
- All queries MUST use parameterized statements
- Never interpolate user input into SQL
conn.execute(
"INSERT INTO transactions (account_id, amount) VALUES (?, ?)",
params![account_id, amount]
)?;
conn.execute(
&format!("SELECT * FROM transactions WHERE merchant = '{}'", merchant),
[]
)?;
- CSV Injection (hone-core/src/import.rs)
- Sanitize fields starting with
=, +, -, @ (Excel formula injection)
- Validate numeric fields are actually numeric
A04:2021 - Insecure Design
- Threat Modeling: Financial data attracts attackers
- Defense in Depth: Multiple layers of validation
- Secure Defaults: Restrictive CORS, minimal permissions
A05:2021 - Security Misconfiguration
- CORS: Restrict to specific origins in production
CorsLayer::permissive()
CorsLayer::new()
.allow_origin("https://your-domain.com".parse::<HeaderValue>().unwrap())
.allow_methods([Method::GET, Method::POST])
- Error Messages: Never expose stack traces or internal paths
- Headers: Set security headers (via tower-http)
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy
A06:2021 - Vulnerable Components
- Run
cargo audit regularly (already set up)
- Keep dependencies updated
- Review transitive dependencies
A07:2021 - Authentication Failures
- Currently N/A (single-user, local)
- If adding auth:
- Use established libraries (not custom)
- Implement rate limiting
- Secure session management
A08:2021 - Data Integrity Failures
- CSV Import: Validate file integrity
- Check file size limits
- Validate expected columns exist
- Reject malformed data gracefully
A09:2021 - Security Logging
- Log security-relevant events:
- Failed authentication attempts (if added)
- Access to sensitive endpoints
- Import operations
- Don't log sensitive data (transaction details, amounts)
A10:2021 - SSRF
- Ollama Integration: Validate URL is localhost/trusted
- Don't allow user-controlled URLs for HTTP requests
Frontend Security (React/TypeScript)
XSS Prevention
- React escapes by default (good)
- Never use
dangerouslySetInnerHTML with user data
- Sanitize data before rendering if from external source
Sensitive Data
- Don't store financial data in localStorage/sessionStorage
- Clear sensitive state on logout
- Use httpOnly cookies for auth tokens (if added)
Content Security Policy
<meta http-equiv="Content-Security-Policy"
content="default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'">
Secrets Management
Never Commit
- API keys, tokens, passwords
- Database credentials
- Private keys
Secure Storage
- Use
.env files (gitignored)
- Environment variables at runtime
- Consider
dotenv crate for Rust
Detection Patterns
# Patterns that indicate hardcoded secrets
api_key\s*[:=]
password\s*[:=]
secret\s*[:=]
token\s*[:=]
-----BEGIN.*PRIVATE KEY-----
Security Review Checklist
Database Layer (db.rs)
Import Layer (import.rs)
API Layer (hone-server)
Frontend (ui/)
Resources