KLKLine FrontendDashboard · Preview · Embed shell

F062 · security

Security evidence audit

Static and browser evidence policy for no runtime/admin token leakage in snippets, DOM, URL, postMessage, logs and screenshots.

Token leakage

Needs browser scan

static checks pass; browser evidence pending.

Forbidden patterns

8

Policy

redacted

Forbidden evidence patterns

Pattern 1
runtime_token=
Pattern 2
token=
Pattern 3
Authorization:
Pattern 4
Bearer
Pattern 5
x-runtime-token:
Pattern 6
ADMIN_TOKEN
Pattern 7
PROVIDER_SECRET
Pattern 8
PRIVATE_KEY
PASS

Snippet public identity only

Generated snippet contains widget id and public key only; no runtime/admin token.

PASS

Runtime token not in URL

Runtime data clients use headers/auth paths and loader never handles runtime token values.

PASS

postMessage redaction

Embed runtime sends ready/error/resize only and must not post runtime token.

WARNING

Source/report forbidden pattern scan

Static scanner script is added; run locally after pnpm install/build for complete artifact coverage.

WARNING

DOM/URL screenshot scan

Requires Playwright/browser execution before beta release.