Harden document uploads against XSS and tighten CSP
bmersereau's PR closes three separate security issues at once: stored XSS via malicious uploads, missing Content-Security-Policy headers, and unpatched `@xmldom/xmldom` CVEs. The core fix is magic-byte validation on both upload paths before a file is accepted.
Upload validation checks the actual file signature; the declared extension alone is not trusted. PDF, DOCX, and DOC signatures pass; HTML disguised as a document, empty buffers, short buffers, and unrecognized extensions are all rejected at the helper level. Seven unit tests cover those cases.
Two header changes provide a second layer. The backend applies a restrictive CSP via helmet: default-src 'self', object-src 'none', frame-ancestors 'none'. The Next.js frontend emits matching headers through its headers() export, with unsafe-eval scoped to development only. So even if a hostile payload bypassed upload validation, the browser would refuse to execute or frame it.
The third piece is a dependency pin. An npm override forces @xmldom/xmldom to at least 0.8.13, addressing four high-severity advisories that were open in the upstream codebase.
bmersereau reports backend and frontend build and typecheck both pass. The PR is open against willchen96/mike.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?