fix(security): address CodeQL XSS alerts #84 and #85

- seo.py: escape spec_id in title for DB-unavailable fallback
- proxy.py: add security headers (X-Content-Type-Options, Referrer-Policy)
- proxy.py: add security comment documenting trusted GCS content model
- test_proxy.py: add test for security headers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: MarkusNeusinger

api/routers/proxy.py

@@ -158,6 +158,10 @@ async def proxy_html(url: str, origin: str | None = None):
         except httpx.RequestError as e:
             raise HTTPException(status_code=502, detail="Failed to connect to storage") from e
 
+    # Security: Content is fetched from our controlled GCS bucket (pyplots-images),
+    # which only contains HTML generated by our own workflows. The URL validation
+    # above ensures only our bucket is accessible. This is NOT arbitrary user HTML -
+    # it's our own trusted interactive plot output (plotly, bokeh, altair, etc.).
     html_content = response.text
 
     # Generate script with correct target origin
@@ -172,4 +176,8 @@ async def proxy_html(url: str, origin: str | None = None):
         # Fallback: append to end
         html_content += size_script
 
-    return HTMLResponse(content=html_content)
+    # Security headers for defense-in-depth (content is from trusted GCS bucket)
+    return HTMLResponse(
+        content=html_content,
+        headers={"X-Content-Type-Options": "nosniff", "Referrer-Policy": "strict-origin-when-cross-origin"},
+    )

api/routers/seo.py

@@ -127,7 +127,7 @@ async def seo_spec_overview(spec_id: str, db: AsyncSession | None = Depends(opti
         # Fallback when DB unavailable
         return HTMLResponse(
             BOT_HTML_TEMPLATE.format(
-                title=f"{spec_id} | pyplots.ai",
+                title=f"{html.escape(spec_id)} | pyplots.ai",
                 description=DEFAULT_DESCRIPTION,
                 image=DEFAULT_HOME_IMAGE,
                 url=f"https://pyplots.ai/{html.escape(spec_id)}",

tests/unit/api/test_proxy.py

@@ -163,6 +163,27 @@ def test_valid_url_injects_script_before_body(self, mock_client_class, client):
         assert SIZE_REPORTER_SCRIPT.strip() in response.text
         assert response.text.index("<script>") < response.text.index("</body>")
 
+    @patch("api.routers.proxy.httpx.AsyncClient")
+    def test_security_headers_present(self, mock_client_class, client):
+        """Response should include security headers."""
+        mock_response = AsyncMock()
+        mock_response.text = "<html><body><h1>Test</h1></body></html>"
+        mock_response.raise_for_status = lambda: None
+
+        mock_client = AsyncMock()
+        mock_client.get = AsyncMock(return_value=mock_response)
+        mock_client.__aenter__ = AsyncMock(return_value=mock_client)
+        mock_client.__aexit__ = AsyncMock(return_value=None)
+        mock_client_class.return_value = mock_client
+
+        response = client.get(
+            "/proxy/html", params={"url": "https://storage.googleapis.com/pyplots-images/plots/test/plot.html"}
+        )
+
+        assert response.status_code == 200
+        assert response.headers.get("x-content-type-options") == "nosniff"
+        assert response.headers.get("referrer-policy") == "strict-origin-when-cross-origin"
+
     @patch("api.routers.proxy.httpx.AsyncClient")
     def test_valid_url_injects_script_before_html_if_no_body(self, mock_client_class, client):
         """If no </body>, inject before </html>."""