# MPC Security Hardening Report — v6.82.190

- Generated: `2026-07-12T02:32:52+02:00`
- Production dependency audit: **0 vulnerabilities**
- Secret-pattern scan: **no high-confidence credential or private-key match**
- Forbidden packaged secret files: **none found**
- Production source maps remaining: **0**

## Corrected vulnerabilities

1. **Validator-visible asset 404s** — custom listing images supported GET but not HEAD. Added bodyless 200 HEAD handling and regression coverage.
2. **Public route HEAD parity** — `/sitemap` and `/admin-signin-fallback` returned 404 to HEAD. Added GET/HEAD parity.
3. **Generated source-map retention** — two server source maps were created by Next. The clean-build pipeline now removes all `.map` files from production server/static output.

## Verified response headers

| Header | Observed value |
|---|---|
| Content-Security-Policy | `default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; form-action 'self' mailto:; script-src 'self' 'nonce-MOcKfBhwl3woNNYfogx1rg==' 'strict-dynamic' https://www.googletagmanager.com https://www.google-analytics.com https://connect.facebook.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://stats.g.doubleclick.net https://region1.google-analytics.com https://www.facebook.com; frame-src 'self' https://www.google.com https://maps.google.com; worker-src 'self' blob:; media-src 'self' blob:; manifest-src 'self'; upgrade-insecure-requests` |
| Strict-Transport-Security | `max-age=31536000; includeSubDomains` |
| X-Content-Type-Options | `nosniff` |
| X-Frame-Options | `SAMEORIGIN` |
| Referrer-Policy | `strict-origin-when-cross-origin` |
| Permissions-Policy | `camera=(), microphone=(), geolocation=(), payment=(), usb=(), browsing-topics=()` |
| Cross-Origin-Opener-Policy | `same-origin` |
| Cross-Origin-Resource-Policy | `same-site` |
| X-Robots-Tag | `noindex, nofollow, noarchive` |
| X-Request-ID | `8f6517c5-79ff-4874-a9dc-8edf7b407216` |

## Authentication, session and upload findings

- Missing `MPC_ADMIN_PASSWORD` leaves public pages online while admin sign-in remains locked.
- Admin and cron secrets are header/form based; no secret query-string acceptance was detected.
- Existing upload controls validate decoded images, file signatures/types, dimensions and atomic replacement; SVG executable upload handling remains restricted.
- Runtime storage is forced outside the application package so deployments cannot erase uploads/state.
- Staging rejects production-labelled database names and safely defaults to isolated JSON storage when MySQL is incomplete.

## Dependency and source exposure evidence

- `npm audit --omit=dev --audit-level=high`: zero vulnerabilities.
- Source lint passed for direct secret logging, response disclosure, request-path injection and unsafe request-derived HTML injection.
- Requests for `/.env` and `/server.js` return intentional 410 responses.

## Residual environment risks

Actual certificate-chain validity, cPanel account permissions, staging-only credentials, database least privilege, WAF/CDN behaviour, provider dashboards, backup restoration and external monitoring require deployment-side verification. No actual secret value is included in this package.

## API preflight hardening — v6.82.190

- `/api/*` OPTIONS requests terminate with 204 instead of falling through to a 404 page.
- The response does not emit `Access-Control-Allow-Origin`; cross-origin access remains denied by default.
- Regression contracts prevent accidental wildcard CORS enablement.
- Verified on `2026-07-12T09:32:10+02:00` with `OPTIONS /api/mpc/contact-intake` returning 204.
