Severity: Low
Area: Web — info exposure
Location
web/src/app/api/workspaces/[workspace]/favicon/route.ts:9-47
Problem
The favicon route has no session/membership check — anyone who knows a workspace slug can fetch its custom favicon bytes and confirm the workspace exists.
Why it matters
Favicons are low-sensitivity and intended to render pre-auth (tab icon), so impact is minor. Noting because it is the one [workspace] route with zero auth, and it enables workspace-existence probing.
Suggested fix
Acceptable to leave as-is given the pre-auth rendering requirement; if existence-probing is a concern, serve a generic default for unknown/unauthorized slugs. (The faviconKind redirect path is already safe — CHECK-constrained enum per migration 0008.)
Severity: Low
Area: Web — info exposure
Location
web/src/app/api/workspaces/[workspace]/favicon/route.ts:9-47Problem
The favicon route has no session/membership check — anyone who knows a workspace slug can fetch its custom favicon bytes and confirm the workspace exists.
Why it matters
Favicons are low-sensitivity and intended to render pre-auth (tab icon), so impact is minor. Noting because it is the one
[workspace]route with zero auth, and it enables workspace-existence probing.Suggested fix
Acceptable to leave as-is given the pre-auth rendering requirement; if existence-probing is a concern, serve a generic default for unknown/unauthorized slugs. (The
faviconKindredirect path is already safe — CHECK-constrained enum per migration0008.)