docs(module10): add security findings remediation plan

docs/modules/module-10-security-panel/MODULE_10D_SECURITY_FINDINGS_REMEDIATION_PLAN.md

@@ -0,0 +1,73 @@
+# Module 10-D — Security Findings and Remediation Plan
+
+## Purpose
+
+This document translates the initial security observations from the local demo inspection ([MODULE_10C_INITIAL_SECURITY_EVIDENCE.md](file:///C:/Users/YeniKullanici/chrome-devtools-cloud-migration-lab/docs/modules/module-10-security-panel/MODULE_10C_INITIAL_SECURITY_EVIDENCE.md)) into a structured remediation plan.
+
+The goal is to design a local-only remediation strategy that implements modern web security controls, which will be verified locally in Chrome DevTools Security, Network, Console, and Application panels in subsequent steps.
+
+---
+
+## 1. Security Findings Summary
+
+During the initial local inspection of `http://127.0.0.1:8090/` (served by python's default `http.server`), the following limitations and security exposures were observed:
+
+| Finding ID | Vulnerability/Exposure | Description | DevTools Evidence Source | Risk Level |
+|---|---|---|---|---|
+| **FIND-01** | **Cleartext Transport (HTTP)** | The local demo is served over cleartext HTTP. No TLS/HTTPS is active. | Security Panel | Low (Local Demo) / High (Production) |
+| **FIND-02** | **Missing Content Security Policy (CSP)** | No CSP header is present, allowing unrestricted script, style, and iframe sources. | Network Panel / Headers | Medium |
+| **FIND-03** | **Missing Security Headers** | Common headers like `X-Frame-Options`, `X-Content-Type-Options`, and `Referrer-Policy` are absent, making the site vulnerable to clickjacking and MIME-sniffing. | Network Panel / Headers | Medium |
+| **FIND-04** | **No HSTS Enforced** | `Strict-Transport-Security` is not configured, which would otherwise force client browsers to always use HTTPS. | Network Panel / Headers | Low (Local Demo) / Medium (Prod) |
+| **FIND-05** | **Client-Side Storage Risks** | Potential for storing sensitive tokens/credentials in cleartext `localStorage` or `sessionStorage` (verified as synthetic for the demo). | Application Panel / Storage | Low (Synthetic) / High (If key used) |
+
+---
+
+## 2. Remediation Plan
+
+To address these findings locally without deploying cloud infrastructure, we will replace the default Python `http.server` with a **custom Python web server script** (e.g. using Flask or Python's built-in `http.server.BaseHTTPRequestHandler` subclass) that dynamically injects the required headers and security configurations.
+
+### Remediation Details
+
+#### **Remediation for FIND-01 (Transport Security)**
+* **Local Solution**: We will keep the local server running on `http://127.0.0.1:8090/`. In a real production deployment, TLS termination would be handled by a Cloud Load Balancer or App Engine/Cloud Run.
+* **Local Validation**: Document that the DevTools Security panel will label localhost/127.0.0.1 as an exception to standard certificate rules (deemed "secure enough" for local sandbox testing).
+
+#### **Remediation for FIND-02 (Content Security Policy)**
+* **Local Solution**: Configure the custom python server to send the `Content-Security-Policy` header on all responses:
+  ```http
+  Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self';
+  ```
+  This restricts scripts and styles to the local origin and prevents inline script execution (mitigating XSS).
+
+#### **Remediation for FIND-03 (HTTP Security Headers)**
+* **Local Solution**: Configure the custom python server to send the following headers:
+  * `X-Frame-Options: DENY` (prevents clickjacking by blocking the page from loading inside an iframe).
+  * `X-Content-Type-Options: nosniff` (blocks browser MIME-type sniffing).
+  * `Referrer-Policy: no-referrer-when-downgrade` (prevents leakage of referrer details).
+
+#### **Remediation for FIND-04 (HSTS)**
+* **Local Solution**: Configure the custom python server to send:
+  ```http
+  Strict-Transport-Security: max-age=31536000; includeSubDomains
+  ```
+
+#### **Remediation for FIND-05 (Storage & Console Hygiene)**
+* **Local Solution**: Ensure that JavaScript (`app.js`) only writes non-sensitive, synthetic storage values and that no sensitive credentials, API keys, or personal health records are printed to the browser console.
+
+---
+
+## 3. Implementation Strategy (For Step 10-E)
+
+In the next step (`Module 10-E`), we will:
+1. Create a custom web server script `experiments/module-10-security-demo/server.py` to replace `python -m http.server 8090`.
+2. Configure `server.py` to serve the static `index.html` and `app.js` files, adding all the headers listed above.
+3. Keep the entire implementation local to prevent any cloud costs or external exposures.
+
+---
+
+## 4. Safety & Compliance Boundary
+
+This remediation plan follows the workspace safety rules:
+* **No Cloud Deployment**: All fixes are coded locally and run on `127.0.0.1`.
+* **No Secret Storage**: No API keys, credentials, or `.env` configurations are required.
+* **No PHI**: No patient or health ecosystem boundaries are crossed.