calesthio/OptionsCanvas

v0.1.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Self-Hosted

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

0dte algorithmic-trading alpaca charting day-trading fintech

+9 more

flask lightweight-charts local-first options options-trading python self-hosted trading-platform vanilla-js

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal

editorial:auto 6d

The v0.1.1 release tightens security for state‑changing API calls by enforcing CSRF token validation and restricting CORS origins to localhost.

Why it matters: All POST/PUT/PATCH/DELETE requests now require a per‑process CSRF token (X-CSRF-Token header) and will be rejected if the Origin header is not allowlisted as localhost, affecting any external client code that calls these endpoints.

Summary

AI summary

Updates Compatibility, app, and v0.1.0 across a mixed release.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Critical	Restricts CORS allowlist to localhost origins for all endpoints. Restricts CORS allowlist to localhost origins for all endpoints. Source: llm_adapter@2026-05-29 Confidence: high	—
Security	Critical	Enforces Origin header check for state‑changing requests, rejecting non‑allowlisted origins. Enforces Origin header check for state‑changing requests, rejecting non‑allowlisted origins. Source: llm_adapter@2026-05-29 Confidence: high	—
Security	Critical	Adds per-process CSRF token validation for all state‑changing API requests. Adds per-process CSRF token validation for all state‑changing API requests. Source: llm_adapter@2026-05-29 Confidence: low	—
Security	High	Adds per-process CSRF token injected into HTML via <meta name="csrf-token">. Adds per-process CSRF token injected into HTML via <meta name="csrf-token">. Source: granite4.1:30b@2026-05-29-audit Confidence: high	—
Security	High	Requires valid X-CSRF-Token header on all state‑changing API requests (POST/PUT/PATCH/DELETE). Requires valid X-CSRF-Token header on all state‑changing API requests (POST/PUT/PATCH/DELETE). Source: granite4.1:30b@2026-05-29-audit Confidence: high	—
Breaking	High	External scripts must read and include the CSRF token in X-CSRF-Token header for POST/PUT/PATCH/DELETE calls. External scripts must read and include the CSRF token in X-CSRF-Token header for POST/PUT/PATCH/DELETE calls. Source: llm_adapter@2026-05-29 Confidence: high	—

Full changelog

Recommended upgrade for everyone running v0.1.0.

What changed

Three layers of defense added against browser-based CSRF attacks on the locally-hosted server:

CORS allowlist restricted to localhost origins. Previously CORS(app) and cors_allowed_origins='*' accepted requests from any website. Now only http://127.0.0.1:<port> and http://localhost:<port> are allowed. SocketIO restricted the same way.
Per-process CSRF token. A random token is generated at server startup, injected into served HTML via a <meta name='csrf-token'> tag. The frontend reads it and sends X-CSRF-Token on every state-changing request. The backend rejects any POST / PUT / PATCH / DELETE without a matching token (constant-time compare). Only /api/health is exempt so Docker healthchecks keep working.
Origin header check. Belt-and-suspenders: state-changing requests with a non-allowlisted Origin header return 403 even if a token was somehow obtained.

Why this matters

The previous server (v0.1.0) was bound to 127.0.0.1 but accepted unauthenticated cross-origin POSTs. Any webpage you visited while OptionsCanvas was running — a compromised ad on a news site, a Discord-embedded link, a malicious blog post — could fire JavaScript like:

fetch('http://127.0.0.1:5001/api/open_position', {
  method: 'POST',
  body: JSON.stringify({...})
})

…and place real trades in your account without any visible signal. Localhost binding does not protect against this — the browser is already on localhost.

How to upgrade

git pull
# launcher will pick up changes on next start

Or, for Docker:

docker compose pull   # if you tag :latest
docker compose down && docker compose up -d --build

Refresh any open browser tabs after restart so the new CSRF token is loaded into the page.

Verified

End-to-end against a real Alpaca paper account:

✅ GET endpoints work unchanged (no token required, CORS still blocks cross-origin reads)
✅ POST without token → 403
✅ POST with invalid token → 403
✅ POST with valid token + foreign Origin → 403
✅ POST with valid token + correct Origin → 200 (legitimate flow)
✅ index.html + setup.html both serve the live token
✅ Token is per-process — same across both pages, rotates each restart

Compatibility

No breaking changes for users running the platform normally — the frontend was updated in the same commit, so a git pull + restart + browser refresh restores normal operation.
External scripts that POST to the API must now read the token from <meta name='csrf-token'> and send it as the X-CSRF-Token header.

Security Fixes

Adds three-layer CSRF protection: CORS allowlist, per‑process CSRF token, and Origin header verification to prevent unauthorized cross‑origin trades.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track calesthio/OptionsCanvas

Get notified when new releases ship.

About calesthio/OptionsCanvas

All releases →

Related context

Related tools

Mindustry