We've completed a comprehensive security audit and fix cycle for Password Palace, addressing critical vulnerabilities across all components.
Browser Extension Security
- Removed HTTP host permissions - Prevents potential MITM attacks on blockchain RPC calls
- Auto-clearing sensitive data - Pending passwords now auto-clear after 5 seconds
- Removed credential logging - Autofill capture no longer logs credentials for debugging
Frontend Security
- Removed hardcoded secrets - Faucet mnemonic now requires environment variable
- Secure token storage - OAuth tokens moved from localStorage to sessionStorage (cleared on tab close)
- Mandatory state validation - OAuth state validation is now required with no fallback bypass
OAuth Service Fixes
- Session hijacking fix - Palace authentication is now bound to OAuth state
- Token endpoint hardening - Removed POST body token acceptance in userinfo endpoint
Infrastructure
Over 100 commits this week also addressed Railway deployment, including database connection handling and TLS configuration for the custodial backend.
Legal Documentation
Added comprehensive legal documentation including Terms of Service and Privacy Policy.
These changes significantly improve the security posture ahead of the planned public beta launch.