What
No Referrer-Policy header is set on any board response. ?key= query auth is accepted (server/app.ts:564) and echoed into a cookie.
Impact
Low today: the trusted viewer page is self-contained (no cross-origin subresources) and iframe srcs don't carry ?key=, so practical token-via-Referer leak is currently minimal. The gap opens if a ?key= URL ever lands next to an external resource (e.g. a future embed, a copied link pasted into a third-party site that loads it in a frame).
Fix
Add Referrer-Policy: no-referrer (or same-origin) to board responses.
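As an added illustration (not code from this project), the middleware below sets the recommended header, and a small model of the browser's Referrer-Policy rules shows whether the `?key=` query survives into the Referer header for a given policy. The express-style `(req, res, next)` signature, the `board.example` URLs and the token value are assumptions.

```typescript
type Policy =
  | "no-referrer"
  | "same-origin"
  | "no-referrer-when-downgrade"       // legacy browser default: full URL unless https->http
  | "strict-origin-when-cross-origin"; // current browser default: origin only when cross-origin

// Policy the fix recommends for board responses.
const BOARD_REFERRER_POLICY: Policy = "no-referrer";

// Minimal response shape so the example runs without an Express dependency (assumption).
interface Res { setHeader(name: string, value: string): void }

function referrerPolicyMiddleware(_req: unknown, res: Res, next: () => void): void {
  res.setHeader("Referrer-Policy", BOARD_REFERRER_POLICY);
  next();
}

// Simplified model of what a browser sends as Referer for a request from
// `page` to `target` under `policy`. Returns null when no Referer is sent.
function refererFor(page: string, target: string, policy: Policy): string | null {
  const from = new URL(page);
  const to = new URL(target);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const full = from.origin + from.pathname + from.search; // fragment is never sent
  if (policy === "no-referrer") return null;
  if (policy === "same-origin") return sameOrigin ? full : null;
  if (policy === "no-referrer-when-downgrade") return downgrade ? null : full;
  if (downgrade) return null;               // strict-origin-when-cross-origin
  return sameOrigin ? full : from.origin;
}

// Constructed sample: a board URL carrying the ?key= query token (placeholder value).
const SAMPLE_BOARD_URL = "https://board.example/b/42?key=TOKEN_PLACEHOLDER";

// True if a subresource/navigation to `target` would carry the key in Referer.
function keyLeaksTo(target: string, policy: Policy): boolean {
  const ref = refererFor(SAMPLE_BOARD_URL, target, policy);
  return ref !== null && ref.includes("key=");
}
```

With `no-referrer` the key never leaves the page in Referer; `same-origin` still sends the full URL (key included) to the board's own origin, which is why the finding prefers `no-referrer`.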
Severity: Low