Summary
Two security improvements identified during review of #124:
1. Credential attributes captured into behavioral logs
packageLogs.ts buildAttrs() captures all data-* attributes from DOM elements into log payloads. The attributeBlackList only excludes "style". This means data-api-key (new in #124) and data-auth (existing) can leak into behavioral logs when users interact near those elements.
File: products/userale/packages/flagon-userale/src/packageLogs.ts (~line 427)
const attributeBlackList = ["style"];
// All other data-* attributes are captured, including credentials
Fix: Add "data-api-key" and "data-auth" to attributeBlackList. Consider a more robust approach — a sensitiveAttributePattern that strips any attribute matching /^data-(api-key|auth|token|secret|password)/i.
2. No warning when credentials sent over plaintext HTTP
When apiKey or authHeader is configured, UserALE.js will happily send credentials over http:// with no warning. The default URL is http://localhost:8000.
Fix: When credentials are configured and the URL protocol is http: (and the hostname is NOT localhost/127.0.0.1), emit a console.warn:
if ((config.apiKey || config.authHeader) && url.protocol === "http:" && !["localhost", "127.0.0.1"].includes(url.hostname)) {
console.warn("[UserALE] Sending credentials over plaintext HTTP. Use HTTPS in production.");
}
Context
Both findings surfaced during security review of #124. The attribute leakage is pre-existing (affects data-auth since before #124). The HTTPS warning is a new recommendation.
Priority
P1 — should be addressed before any regulated-industry deployment (fintech, healthcare, government).
Summary
Two security improvements identified during review of #124:
1. Credential attributes captured into behavioral logs
packageLogs.tsbuildAttrs()captures alldata-*attributes from DOM elements into log payloads. TheattributeBlackListonly excludes"style". This meansdata-api-key(new in #124) anddata-auth(existing) can leak into behavioral logs when users interact near those elements.File:
products/userale/packages/flagon-userale/src/packageLogs.ts(~line 427)Fix: Add
"data-api-key"and"data-auth"toattributeBlackList. Consider a more robust approach — asensitiveAttributePatternthat strips any attribute matching/^data-(api-key|auth|token|secret|password)/i.2. No warning when credentials sent over plaintext HTTP
When
apiKeyorauthHeaderis configured, UserALE.js will happily send credentials overhttp://with no warning. The default URL ishttp://localhost:8000.Fix: When credentials are configured and the URL protocol is
http:(and the hostname is NOTlocalhost/127.0.0.1), emit aconsole.warn:Context
Both findings surfaced during security review of #124. The attribute leakage is pre-existing (affects
data-authsince before #124). The HTTPS warning is a new recommendation.Priority
P1 — should be addressed before any regulated-industry deployment (fintech, healthcare, government).