SID-HARD-05 — Browser Security Controls

Property      Value
Owner         platform
Category      technical
CSF Function  protect
Group         System Hardening Controls

Description

React SPA with SVG sanitization. WebCrypto API for all crypto operations (no JS crypto libraries). Standard browser security: same-origin policy, CORS enforcement. CSP headers NOT yet configured (missing from nginx.conf and index.html). SRI (Subresource Integrity) only via Workbox precache — not on script tags in index.html. Trusted Types used for SW registration only. Needs: CSP meta tag or nginx header, SRI attributes on all script/link tags in build output.

Components

Source References

Framework Requirements

EUDI Security Requirements: WIN-8.4.1-Sec-03, WIN-8.4.2-Sec-01, WIN-8.4.2-Sec-02, WIN-8.4.3-Sec-06, WIN-8.4.4-01

FitCEM Wallet Instance: FIT-PI-01

ISO 27001 Annex A: A.8.1, A.8.7, A.8.12, A.8.26

OWASP ASVS 4.0.3 Level 3: V8.2, V10.3, V14.4

STRIDE Threat Model: WF-I-1, WF-I-2