No TLS enforcement, no Strict-Transport-Security header #41

@Hag-Zilla

Description

  • Context: Cloud
  • Category: Interception
  • Severity: High

Evidence

The application has no mechanism to enforce HTTPS. The Docker image listens on port 3000 with plain HTTP:

# Dockerfile
EXPOSE 3000
CMD ["pnpm", "start"]

There is no TLS termination configured at the application level. If the container is placed behind a reverse proxy that does not enforce HTTPS, or if accessed directly on an internal network, all traffic — including Bearer tokens in query strings (see C-02), article content sent to OpenAI, and streamed SSE responses — is transmitted in plaintext.

Since next.config.ts contains no Strict-Transport-Security header, browsers will not enforce HTTPS even on subsequent loads.

Attack scenario (MITM): On a corporate network with TLS inspection enabled, the inspection appliance can read all Bearer tokens in URL query strings and all content sent to external AI services, without the application or user being aware.

Affected files: Dockerfile, next.config.ts
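An added example, not the project's code, of the two controls this report says are missing: a Strict-Transport-Security header in the `{ key, value }` shape that a Next.js `headers()` entry in next.config.ts returns, and an HTTP-to-HTTPS redirect decision for a middleware that honours `X-Forwarded-Proto` only when the app is known to sit behind a trusted proxy. The `IncomingRequest` shape, the `trustProxy` flag and the host names are constructed for illustration.

```typescript
// Example only: framework-agnostic so it runs stand-alone. In Next.js the
// header list would be returned from headers() in next.config.ts and the
// redirect decision applied in middleware.ts.

const ONE_YEAR_SECONDS = 31536000;

// Long max-age and includeSubDomains. "preload" is deliberately left out:
// it is a near-permanent commitment and belongs only after the domain has
// been submitted to the browser preload list.
const HSTS_VALUE = `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`;

interface HeaderEntry { key: string; value: string }

interface IncomingRequest {
  protocol: "http" | "https";   // scheme the app server itself saw
  host: string;
  path: string;                 // path plus query string, as received
  forwardedProto?: string;      // X-Forwarded-Proto, if a proxy set one
  trustProxy: boolean;          // constructed flag: honour the header only behind a known proxy
}

// True when the client-facing connection was TLS. A forwarded header is
// only trusted when the deployment knows a proxy strips/sets it; otherwise a
// direct HTTP client could claim "https" and bypass the redirect.
function isSecure(req: IncomingRequest): boolean {
  if (req.protocol === "https") return true;
  if (req.trustProxy && req.forwardedProto) {
    // Proxies may send a comma-separated chain; the leftmost is the client scheme.
    return req.forwardedProto.split(",")[0].trim().toLowerCase() === "https";
  }
  return false;
}

// Response headers for this request. HSTS is only meaningful on responses
// delivered over TLS (RFC 6797 says browsers ignore it over plain HTTP), so
// it is omitted on insecure responses rather than sent pointlessly.
function securityHeaders(req: IncomingRequest): HeaderEntry[] {
  return isSecure(req) ? [{ key: "Strict-Transport-Security", value: HSTS_VALUE }] : [];
}

// URL to 301-redirect an insecure request to, or null if already secure.
// Note the redirect cannot undo the exposure of the original plaintext
// request (including any token in its query string); it only moves the
// session onto TLS, which is why the HSTS header above matters for repeat visits.
function httpsRedirectTarget(req: IncomingRequest): string | null {
  if (isSecure(req)) return null;
  return `https://${req.host}${req.path}`;
}
```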
