fix(security): 전체 서비스 보안 점검 — XSS·인가·토큰·헤더·에러마스킹 일괄 수정

Phase 1 CRITICAL XSS: - marked.parse() → DOMPurify.sanitize() (system3 ai-assistant, issues-management) - toast innerHTML에 escapeHtml 적용 (system1 api-base, system3 common-header) - onclick 핸들러 → data 속성 + addEventListener (system2 issue-detail) Phase 2 HIGH 인가: - getUserBalance 본인확인 추가 (tksupport vacationController) Phase 3 HIGH 토큰+CSP: - localStorage 토큰 저장 제거 — 쿠키 전용 (7개 서비스) - unsafe-eval CSP 제거 (system1 security.js) Phase 4 MEDIUM: - nginx 보안 헤더 추가 (8개 서비스) - 500 에러 메시지 마스킹 (5개 API) - path traversal 방지 (system3 file_service.py) - cookie fallback 데드코드 제거 (4개 auth.js) - /login/form rate limiting 추가 (sso-auth) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 19:50:00 +09:00
parent 86312c1af7
commit 12367dd3a1
81 changed files with 142 additions and 100 deletions
--- a/gateway/html/dashboard.html
+++ b/gateway/html/dashboard.html
@@ -773,10 +773,6 @@
                ssoCookie.set('sso_user', JSON.stringify(data.user), 7);
                if (data.refresh_token) ssoCookie.set('sso_refresh_token', data.refresh_token, 30);
                localStorage.setItem('sso_token', data.access_token);
                localStorage.setItem('sso_user', JSON.stringify(data.user));
                if (data.refresh_token) localStorage.setItem('sso_refresh_token', data.refresh_token);
                var redirect = new URLSearchParams(location.search).get('redirect');
                if (redirect && isSafeRedirect(redirect)) {
                    window.location.href = redirect;
--- a/gateway/html/shared/nav-header.js
+++ b/gateway/html/shared/nav-header.js
@@ -31,11 +31,11 @@
   */
  window.SSOAuth = {
    getToken: function() {
-      return cookieGet('sso_token') || localStorage.getItem('sso_token');
+      return cookieGet('sso_token');
    },
    getUser: function() {
-      var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
+      var raw = cookieGet('sso_user');
      try { return JSON.parse(raw); } catch(e) { return null; }
    },
--- a/gateway/nginx.conf
+++ b/gateway/nginx.conf
@@ -4,6 +4,10 @@ server {
    root /usr/share/nginx/html;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 대시보드 (로그인 포함)
    location = /dashboard {
        add_header Cache-Control "no-store, no-cache, must-revalidate";
--- a/sso-auth-service/controllers/authController.js
+++ b/sso-auth-service/controllers/authController.js
@@ -127,8 +127,17 @@ async function loginForm(req, res, next) {
      return res.status(400).json({ detail: 'Missing username or password' });
    }
    // Rate limiting (동일 로직: /login과 공유)
    const attemptKey = `login_attempts:${username}`;
    const attempts = parseInt(await redis.get(attemptKey)) || 0;
    if (attempts >= MAX_LOGIN_ATTEMPTS) {
      return res.status(429).json({ detail: '로그인 시도 횟수를 초과했습니다. 5분 후 다시 시도하세요' });
    }
    const user = await userModel.findByUsername(username);
    if (!user) {
      await redis.incr(attemptKey);
      await redis.expire(attemptKey, LOGIN_LOCKOUT_SECONDS);
      return res.status(401).json({ detail: 'Incorrect username or password' });
    }
@@ -139,9 +148,14 @@ async function loginForm(req, res, next) {
    const valid = await userModel.verifyPassword(password, user.password_hash);
    if (!valid) {
      await redis.incr(attemptKey);
      await redis.expire(attemptKey, LOGIN_LOCKOUT_SECONDS);
      return res.status(401).json({ detail: 'Incorrect username or password' });
    }
    // 로그인 성공 시 시도 횟수 초기화
    await redis.del(attemptKey);
    await userModel.updateLastLogin(user.user_id);
    const payload = createTokenPayload(user);
--- a/system1-factory/api/config/security.js
+++ b/system1-factory/api/config/security.js
@@ -19,7 +19,7 @@ const helmetOptions = {
    directives: {
      defaultSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
-      scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"], // 개발 중 unsafe-eval 허용
+      scriptSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:", "blob:"],
      fontSrc: ["'self'", "https://fonts.gstatic.com"],
      connectSrc: ["'self'", "https://api.technicalkorea.com"],
--- a/system1-factory/web/index.html
+++ b/system1-factory/web/index.html
@@ -10,7 +10,7 @@
  if('serviceWorker' in navigator){navigator.serviceWorker.getRegistrations().then(function(r){r.forEach(function(reg){reg.unregister()});})}
  if('caches' in window){caches.keys().then(function(k){k.forEach(function(key){caches.delete(key)})})}
  </script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script>
    // SSO 토큰 확인
    var token = window.getSSOToken ? window.getSSOToken() : (localStorage.getItem('sso_token') || localStorage.getItem('token'));
--- a/system1-factory/web/js/api-base.js
+++ b/system1-factory/web/js/api-base.js
@@ -193,7 +193,7 @@ if ('caches' in window) {
    var iconMap = { success: '\u2705', error: '\u274C', warning: '\u26A0\uFE0F', info: '\u2139\uFE0F' };
    var toast = document.createElement('div');
    toast.className = 'toast toast-' + type;
-    toast.innerHTML = '<span class="toast-icon">' + (iconMap[type] || '\u2139\uFE0F') + '</span><span class="toast-message">' + message + '</span>';
+    toast.innerHTML = '<span class="toast-icon">' + (iconMap[type] || '\u2139\uFE0F') + '</span><span class="toast-message">' + escapeHtml(message) + '</span>';
    container.appendChild(toast);
    setTimeout(function() { toast.classList.add('show'); }, 10);
--- a/system1-factory/web/js/auth.js
+++ b/system1-factory/web/js/auth.js
@@ -20,7 +20,7 @@ export function parseJwt(token) {
 */
 export function getToken() {
  if (window.getSSOToken) return window.getSSOToken();
-  return localStorage.getItem('sso_token');
+  return null;
 }
 /**
@@ -28,12 +28,7 @@ export function getToken() {
 */
 export function getUser() {
  if (window.getSSOUser) return window.getSSOUser();
-  const raw = localStorage.getItem('sso_user');
+  return null;
  try {
    return raw ? JSON.parse(raw) : null;
  } catch(e) {
    return null;
  }
 }
 /**
@@ -41,8 +36,7 @@ export function getUser() {
 * sso_token/sso_user 키로 저장합니다.
 */
 export function saveAuthData(token, user) {
-  localStorage.setItem('sso_token', token);
+  // 쿠키 기반 인증 — localStorage 저장 불필요 (gateway에서 쿠키 설정)
  localStorage.setItem('sso_user', JSON.stringify(user));
 }
 /**
@@ -50,9 +44,6 @@ export function saveAuthData(token, user) {
 */
 export function clearAuthData() {
  if (window.clearSSOAuth) { window.clearSSOAuth(); return; }
  localStorage.removeItem('sso_token');
  localStorage.removeItem('sso_user');
  localStorage.removeItem('userPageAccess');
 }
 /**
--- a/system1-factory/web/nginx.conf
+++ b/system1-factory/web/nginx.conf
@@ -4,6 +4,10 @@ server {
    client_max_body_size 50M;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index index.html;
--- a/system1-factory/web/pages/admin/attendance-report.html
+++ b/system1-factory/web/pages/admin/attendance-report.html
@@ -191,7 +191,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script type="module">
    import '/js/api-config.js?v=3';
--- a/system1-factory/web/pages/admin/departments.html
+++ b/system1-factory/web/pages/admin/departments.html
@@ -325,7 +325,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="/js/department-management.js"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/admin/equipment-detail.html
+++ b/system1-factory/web/pages/admin/equipment-detail.html
@@ -315,7 +315,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script type="module">
    import '/js/api-config.js?v=3';
--- a/system1-factory/web/pages/admin/equipments.html
+++ b/system1-factory/web/pages/admin/equipments.html
@@ -191,7 +191,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script type="module">
    import '/js/api-config.js?v=3';
--- a/system1-factory/web/pages/admin/issue-categories.html
+++ b/system1-factory/web/pages/admin/issue-categories.html
@@ -330,7 +330,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script type="module" src="/js/issue-category-manage.js"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/admin/notifications.html
+++ b/system1-factory/web/pages/admin/notifications.html
@@ -388,7 +388,7 @@
    </div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script>
        let currentPage = 1;
        let totalPages = 1;
--- a/system1-factory/web/pages/admin/projects.html
+++ b/system1-factory/web/pages/admin/projects.html
@@ -385,7 +385,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script>
    let allProjects = [];
    let filteredProjects = [];
--- a/system1-factory/web/pages/admin/repair-management.html
+++ b/system1-factory/web/pages/admin/repair-management.html
@@ -488,7 +488,7 @@
    </div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script>
        let currentReportId = null;
        let allRepairs = [];
--- a/system1-factory/web/pages/admin/tasks.html
+++ b/system1-factory/web/pages/admin/tasks.html
@@ -286,7 +286,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script>
    let workTypes = [];
    let tasks = [];
--- a/system1-factory/web/pages/admin/workplaces.html
+++ b/system1-factory/web/pages/admin/workplaces.html
@@ -432,7 +432,7 @@
  <!-- 작업장 관리 모듈 (리팩토링된 구조) -->
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="/js/workplace-management/state.js?v=1"></script>
  <script src="/js/workplace-management/utils.js?v=1"></script>
  <script src="/js/workplace-management/api.js?v=1"></script>
--- a/system1-factory/web/pages/attendance/annual-overview.html
+++ b/system1-factory/web/pages/attendance/annual-overview.html
@@ -329,7 +329,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    // axios 설정
--- a/system1-factory/web/pages/attendance/checkin.html
+++ b/system1-factory/web/pages/attendance/checkin.html
@@ -223,7 +223,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    (function() {
--- a/system1-factory/web/pages/attendance/daily.html
+++ b/system1-factory/web/pages/attendance/daily.html
@@ -71,7 +71,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    // axios 기본 설정
--- a/system1-factory/web/pages/attendance/monthly.html
+++ b/system1-factory/web/pages/attendance/monthly.html
@@ -475,7 +475,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    // axios 기본 설정
--- a/system1-factory/web/pages/attendance/my-vacation-info.html
+++ b/system1-factory/web/pages/attendance/my-vacation-info.html
@@ -266,7 +266,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    // axios 설정
--- a/system1-factory/web/pages/attendance/vacation-allocation.html
+++ b/system1-factory/web/pages/attendance/vacation-allocation.html
@@ -354,7 +354,7 @@
  </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script type="module" src="/js/vacation-allocation.js" defer></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/attendance/vacation-approval.html
+++ b/system1-factory/web/pages/attendance/vacation-approval.html
@@ -124,7 +124,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script src="/js/vacation-common.js"></script>
  <script>
--- a/system1-factory/web/pages/attendance/vacation-input.html
+++ b/system1-factory/web/pages/attendance/vacation-input.html
@@ -124,7 +124,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script src="/js/vacation-common.js"></script>
  <script>
--- a/system1-factory/web/pages/attendance/vacation-management.html
+++ b/system1-factory/web/pages/attendance/vacation-management.html
@@ -206,7 +206,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script src="/js/vacation-common.js"></script>
  <script>
--- a/system1-factory/web/pages/attendance/vacation-request.html
+++ b/system1-factory/web/pages/attendance/vacation-request.html
@@ -118,7 +118,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script src="/js/vacation-common.js"></script>
  <script>
--- a/system1-factory/web/pages/attendance/work-status.html
+++ b/system1-factory/web/pages/attendance/work-status.html
@@ -277,7 +277,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
  <script>
    (function() {
--- a/system1-factory/web/pages/dashboard.html
+++ b/system1-factory/web/pages/dashboard.html
@@ -324,7 +324,7 @@
    </div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script type="module" src="/js/modern-dashboard.js?v=10"></script>
    <script type="module" src="/js/group-leader-dashboard.js?v=1"></script>
    <script src="/js/workplace-status.js?v=3"></script>
--- a/system1-factory/web/pages/inspection/daily-patrol.html
+++ b/system1-factory/web/pages/inspection/daily-patrol.html
@@ -210,7 +210,7 @@
    })();
  </script>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="/js/daily-patrol.js?v=6"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/inspection/zone-detail.html
+++ b/system1-factory/web/pages/inspection/zone-detail.html
@@ -305,7 +305,7 @@
    })();
  </script>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="/js/zone-detail.js?v=6"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/profile/info.html
+++ b/system1-factory/web/pages/profile/info.html
@@ -321,7 +321,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script type="module" src="/js/my-profile.js"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/profile/password.html
+++ b/system1-factory/web/pages/profile/password.html
@@ -391,7 +391,7 @@
    </div>
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script type="module" src="/js/change-password.js"></script>
  <script>initAuth();</script>
 </body>
--- a/system1-factory/web/pages/work/analysis.html
+++ b/system1-factory/web/pages/work/analysis.html
@@ -278,7 +278,7 @@
    </div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script type="module" src="/js/work-analysis.js?v=5"></script>
    <script>
--- a/system1-factory/web/pages/work/report-create-mobile.html
+++ b/system1-factory/web/pages/work/report-create-mobile.html
@@ -190,7 +190,7 @@
  <!-- 공통 모듈 -->
  <script src="/static/js/tkfb-core.js?v=20260313"></script>
-  <script src="/js/api-base.js?v=3"></script>
+  <script src="/js/api-base.js?v=20260313"></script>
  <script src="/js/common/utils.js?v=1"></script>
  <script src="/js/common/base-state.js?v=1"></script>
--- a/system1-factory/web/pages/work/report-create.html
+++ b/system1-factory/web/pages/work/report-create.html
@@ -150,7 +150,7 @@
    </div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script src="/js/common/utils.js?v=1"></script>
    <script src="/js/common/base-state.js?v=1"></script>
    <script src="/js/daily-work-report/state.js?v=2"></script>
--- a/system1-factory/web/pages/work/tbm-create.html
+++ b/system1-factory/web/pages/work/tbm-create.html
@@ -844,7 +844,7 @@
    <!-- Scripts -->
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <!-- 공통 모듈 -->
    <script src="/js/common/utils.js?v=2"></script>
    <script src="/js/common/base-state.js?v=2"></script>
--- a/system1-factory/web/pages/work/tbm-mobile.html
+++ b/system1-factory/web/pages/work/tbm-mobile.html
@@ -297,7 +297,7 @@
    <!-- 공통 모듈 -->
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script src="/js/common/utils.js?v=2"></script>
    <script src="/js/common/base-state.js?v=2"></script>
--- a/system1-factory/web/pages/work/tbm.html
+++ b/system1-factory/web/pages/work/tbm.html
@@ -561,7 +561,7 @@
    <div class="toast-container" id="toastContainer"></div>
    <script src="/static/js/tkfb-core.js?v=20260313"></script>
-    <script src="/js/api-base.js?v=3"></script>
+    <script src="/js/api-base.js?v=20260313"></script>
    <script src="/js/common/utils.js?v=2"></script>
    <script src="/js/common/base-state.js?v=2"></script>
    <script src="/js/tbm/state.js?v=3"></script>
--- a/system2-report/api/index.js
+++ b/system2-report/api/index.js
@@ -77,7 +77,7 @@ app.use((err, req, res, next) => {
  logger.error('API Error:', { error: err.message, path: req.path });
  res.status(statusCode).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });
--- a/system2-report/web/js/api-base.js
+++ b/system2-report/web/js/api-base.js
@@ -38,11 +38,11 @@ if ('serviceWorker' in navigator) {
   * SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
   */
  window.getSSOToken = function() {
-    return cookieGet('sso_token') || localStorage.getItem('sso_token');
+    return cookieGet('sso_token');
  };
  window.getSSOUser = function() {
-    var raw = cookieGet('sso_user') || localStorage.getItem('sso_user');
+    var raw = cookieGet('sso_user');
    try { return raw ? JSON.parse(raw) : null; } catch(e) { return null; }
  };
--- a/system2-report/web/js/issue-detail.js
+++ b/system2-report/web/js/issue-detail.js
@@ -232,11 +232,15 @@ function renderPhotos(d) {
  gallery.innerHTML = photos.map(photo => {
    const fullUrl = photo.startsWith('http') ? photo : `${baseUrl}${photo}`;
    return `
-      <div class="photo-item" onclick="openPhotoModal('${fullUrl}')">
+      <div class="photo-item" data-url="${escapeHtml(fullUrl)}">
-        <img src="${fullUrl}" alt="첨부 사진">
+        <img src="${escapeHtml(fullUrl)}" alt="첨부 사진">
      </div>
    `;
  }).join('');
  gallery.querySelectorAll('.photo-item[data-url]').forEach(el => {
    el.addEventListener('click', () => openPhotoModal(el.dataset.url));
  });
 }
 /**
--- a/system2-report/web/nginx.conf
+++ b/system2-report/web/nginx.conf
@@ -5,6 +5,10 @@ server {
    root /usr/share/nginx/html;
    index pages/safety/issue-report.html;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 사진 업로드를 위한 body 크기 제한 (base64 인코딩 시 원본 대비 ~33% 증가)
    client_max_body_size 50m;
--- a/system2-report/web/pages/safety/issue-detail.html
+++ b/system2-report/web/pages/safety/issue-detail.html
@@ -472,6 +472,6 @@
        </div>
    </div>
-    <script src="/js/issue-detail.js?v=1"></script>
+    <script src="/js/issue-detail.js?v=20260313"></script>
 </body>
 </html>
--- a/system3-nonconformance/api/main.py
+++ b/system3-nonconformance/api/main.py
@@ -73,9 +73,11 @@ async def health_check():
 # 전역 예외 처리
@app.exception_handler(Exception)
 async def global_exception_handler(request: Request, exc: Exception):
    import traceback
    traceback.print_exc()
    return JSONResponse(
        status_code=500,
-        content={"detail": f"Internal server error: {str(exc)}"}
+        content={"detail": "서버 오류가 발생했습니다"}
    )
 if __name__ == "__main__":
--- a/system3-nonconformance/api/services/file_service.py
+++ b/system3-nonconformance/api/services/file_service.py
@@ -129,7 +129,9 @@ def delete_file(filepath: str):
    try:
        if filepath and filepath.startswith("/uploads/"):
            filename = filepath.replace("/uploads/", "")
-            full_path = os.path.join(UPLOAD_DIR, filename)
+            full_path = os.path.normpath(os.path.join(UPLOAD_DIR, filename))
            if not full_path.startswith(os.path.normpath(UPLOAD_DIR)):
                raise ValueError("잘못된 파일 경로")
            if os.path.exists(full_path):
                os.remove(full_path)
    except Exception as e:
--- a/system3-nonconformance/web/ai-assistant.html
+++ b/system3-nonconformance/web/ai-assistant.html
@@ -10,6 +10,7 @@
    <link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260306">
    <link rel="stylesheet" href="/static/css/ai-assistant.css?v=20260307">
    <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
    <script src="/static/js/lib/purify.min.js"></script>
 </head>
 <body>
    <!-- 로딩 스크린 -->
@@ -273,13 +274,13 @@
    <!-- 스크립트 -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
    <script src="/static/js/utils/issue-helpers.js?v=20260308"></script>
    <script src="/static/js/utils/toast.js?v=20260308"></script>
    <script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
-    <script src="/static/js/pages/ai-assistant.js?v=20260308"></script>
+    <script src="/static/js/pages/ai-assistant.js?v=20260313"></script>
 </body>
 </html>
--- a/system3-nonconformance/web/issue-view.html
+++ b/system3-nonconformance/web/issue-view.html
@@ -108,7 +108,7 @@
    <!-- Scripts -->
    <script src="/static/js/date-utils.js?v=20260308"></script>
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/issues-archive.html
+++ b/system3-nonconformance/web/issues-archive.html
@@ -198,7 +198,7 @@
    <!-- Scripts -->
    <script src="/static/js/date-utils.js?v=20260308"></script>
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/issues-dashboard.html
+++ b/system3-nonconformance/web/issues-dashboard.html
@@ -551,7 +551,7 @@
    <!-- 스크립트 -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/issues-inbox.html
+++ b/system3-nonconformance/web/issues-inbox.html
@@ -370,7 +370,7 @@
    <!-- Scripts -->
    <script src="/static/js/date-utils.js?v=20260308"></script>
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/issues-management.html
+++ b/system3-nonconformance/web/issues-management.html
@@ -20,6 +20,7 @@
    <link rel="stylesheet" href="/static/css/tkqc-common.css?v=20260213">
    <link rel="stylesheet" href="/static/css/issues-management.css?v=20260213">
    <script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
    <script src="/static/js/lib/purify.min.js"></script>
 </head>
 <body>
    <!-- 공통 헤더가 여기에 자동으로 삽입됩니다 -->
@@ -339,7 +340,7 @@
    <!-- Scripts -->
    <script src="/static/js/date-utils.js?v=20260308"></script>
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/core/page-manager.js?v=20260308"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
@@ -347,6 +348,6 @@
    <script src="/static/js/utils/photo-modal.js?v=20260308"></script>
    <script src="/static/js/utils/toast.js?v=20260308"></script>
    <script src="/static/js/components/mobile-bottom-nav.js?v=20260308"></script>
-    <script src="/static/js/pages/issues-management.js?v=20260308"></script>
+    <script src="/static/js/pages/issues-management.js?v=20260313"></script>
 </body>
 </html>
--- a/system3-nonconformance/web/nginx.conf
+++ b/system3-nonconformance/web/nginx.conf
@@ -4,6 +4,10 @@ server {
    client_max_body_size 10M;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index issues-dashboard.html;
--- a/system3-nonconformance/web/reports-daily.html
+++ b/system3-nonconformance/web/reports-daily.html
@@ -183,7 +183,7 @@
    <!-- JavaScript -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/reports-monthly.html
+++ b/system3-nonconformance/web/reports-monthly.html
@@ -70,7 +70,7 @@
    <!-- JavaScript -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/reports-weekly.html
+++ b/system3-nonconformance/web/reports-weekly.html
@@ -69,7 +69,7 @@
    <!-- JavaScript -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/reports.html
+++ b/system3-nonconformance/web/reports.html
@@ -171,7 +171,7 @@
    <!-- JavaScript -->
    <script src="/static/js/core/permissions.js?v=20260308"></script>
-    <script src="/static/js/components/common-header.js?v=20260308"></script>
+    <script src="/static/js/components/common-header.js?v=20260313"></script>
    <script src="/static/js/api.js?v=20260308"></script>
    <script src="/static/js/core/auth-manager.js?v=20260313"></script>
--- a/system3-nonconformance/web/static/js/components/common-header.js
+++ b/system3-nonconformance/web/static/js/components/common-header.js
@@ -641,7 +641,8 @@ class CommonHeader {
        }`;
        const icon = type === 'success' ? 'fa-check-circle' : 'fa-exclamation-circle';
-        toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${message}`;
+        const _esc = s => { const d = document.createElement('div'); d.textContent = s; return d.innerHTML; };
        toast.innerHTML = `<i class="fas ${icon} mr-2"></i>${_esc(message)}`;
        document.body.appendChild(toast);
--- a/system3-nonconformance/web/static/js/core/auth-manager.js
+++ b/system3-nonconformance/web/static/js/core/auth-manager.js
@@ -72,14 +72,14 @@ class AuthManager {
     * SSO 토큰 가져오기 (쿠키 우선, localStorage 폴백)
     */
    _getToken() {
-        return this._cookieGet('sso_token') || localStorage.getItem('sso_token');
+        return this._cookieGet('sso_token');
    }
    /**
     * SSO 사용자 정보 가져오기 (쿠키 우선, localStorage 폴백)
     */
    _getUser() {
-        const ssoUser = this._cookieGet('sso_user') || localStorage.getItem('sso_user');
+        const ssoUser = this._cookieGet('sso_user');
        if (ssoUser && ssoUser !== 'undefined' && ssoUser !== 'null') {
            try { return JSON.parse(ssoUser); } catch(e) {}
        }
--- a/system3-nonconformance/web/static/js/lib/purify.min.js
+++ b/system3-nonconformance/web/static/js/lib/purify.min.js
--- a/system3-nonconformance/web/static/js/pages/ai-assistant.js
+++ b/system3-nonconformance/web/static/js/pages/ai-assistant.js
@@ -196,7 +196,7 @@ function appendChatMessage(role, content, sources) {
    const contentDiv = document.createElement('div');
    if (role === 'ai' && typeof marked !== 'undefined') {
        contentDiv.className = 'text-sm prose prose-sm max-w-none';
-        contentDiv.innerHTML = marked.parse(content);
+        contentDiv.innerHTML = DOMPurify.sanitize(marked.parse(content));
    } else {
        contentDiv.className = 'text-sm whitespace-pre-line';
        contentDiv.textContent = content;
--- a/system3-nonconformance/web/static/js/pages/issues-management.js
+++ b/system3-nonconformance/web/static/js/pages/issues-management.js
@@ -990,7 +990,7 @@ async function aiSuggestSolution() {
        const raw = data.suggestion || '';
        content.dataset.raw = raw;
        if (typeof marked !== 'undefined') {
-            content.innerHTML = marked.parse(raw);
+            content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
        } else {
            content.textContent = raw;
        }
@@ -1030,7 +1030,7 @@ async function aiSuggestSolutionInline(issueId) {
        const raw = data.suggestion || '';
        content.dataset.raw = raw;
        if (typeof marked !== 'undefined') {
-            content.innerHTML = marked.parse(raw);
+            content.innerHTML = DOMPurify.sanitize(marked.parse(raw));
        } else {
            content.textContent = raw;
        }
--- a/tkpurchase/api/index.js
+++ b/tkpurchase/api/index.js
@@ -56,7 +56,7 @@ app.use((err, req, res, next) => {
  console.error('tkpurchase-api Error:', err.message);
  res.status(err.status || 500).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });
--- a/tkpurchase/api/middleware/auth.js
+++ b/tkpurchase/api/middleware/auth.js
@@ -25,9 +25,6 @@ function extractToken(req) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  if (req.cookies && req.cookies.sso_token) {
    return req.cookies.sso_token;
  }
  return null;
 }
--- a/tkpurchase/web/nginx.conf
+++ b/tkpurchase/web/nginx.conf
@@ -3,6 +3,10 @@ server {
    server_name _;
    charset utf-8;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index index.html;
--- a/tksafety/api/index.js
+++ b/tksafety/api/index.js
@@ -70,7 +70,7 @@ app.use((err, req, res, next) => {
  console.error('tksafety-api Error:', err.message);
  res.status(err.status || 500).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });
--- a/tksafety/api/middleware/auth.js
+++ b/tksafety/api/middleware/auth.js
@@ -25,9 +25,6 @@ function extractToken(req) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  if (req.cookies && req.cookies.sso_token) {
    return req.cookies.sso_token;
  }
  return null;
 }
--- a/tksafety/web/nginx.conf
+++ b/tksafety/web/nginx.conf
@@ -2,6 +2,11 @@ server {
    listen 80;
    server_name _;
    charset utf-8;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index index.html;
--- a/tksupport/api/controllers/vacationController.js
+++ b/tksupport/api/controllers/vacationController.js
@@ -246,6 +246,12 @@ const vacationController = {
  async getUserBalance(req, res) {
    try {
      const { userId } = req.params;
      const requestedId = parseInt(userId);
      const currentUserId = req.user.user_id || req.user.id;
      const role = (req.user.role || '').toLowerCase();
      if (requestedId !== currentUserId && !['admin', 'system'].includes(role)) {
        return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
      }
      const year = parseInt(req.query.year) || new Date().getFullYear();
      const balances = await vacationBalanceModel.getByUserAndYear(userId, year);
      const hireDate = await vacationBalanceModel.getUserHireDate(userId);
--- a/tksupport/api/index.js
+++ b/tksupport/api/index.js
@@ -46,7 +46,7 @@ app.use((err, req, res, next) => {
  console.error('tksupport-api Error:', err.message);
  res.status(err.status || 500).json({
    success: false,
-    error: err.message || 'Internal Server Error'
+    error: '서버 오류가 발생했습니다'
  });
 });
--- a/tksupport/api/middleware/auth.js
+++ b/tksupport/api/middleware/auth.js
@@ -25,9 +25,6 @@ function extractToken(req) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  if (req.cookies && req.cookies.sso_token) {
    return req.cookies.sso_token;
  }
  return null;
 }
--- a/tksupport/web/index.html
+++ b/tksupport/web/index.html
@@ -120,7 +120,7 @@
        </div>
    </div>
-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    let vacationTypes = [];
--- a/tksupport/web/nginx.conf
+++ b/tksupport/web/nginx.conf
@@ -2,6 +2,11 @@ server {
    listen 80;
    server_name _;
    charset utf-8;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index index.html;
--- a/tksupport/web/static/js/tksupport-core.js
+++ b/tksupport/web/static/js/tksupport-core.js
@@ -12,7 +12,7 @@ const API_BASE = '/api';
 /* ===== Token ===== */
 function _cookieGet(n) { const m = document.cookie.match(new RegExp('(?:^|; )' + n + '=([^;]*)')); return m ? decodeURIComponent(m[1]) : null; }
 function _cookieRemove(n) { let c = n + '=; path=/; max-age=0'; if (location.hostname.includes('technicalkorea.net')) c += '; domain=.technicalkorea.net; secure; samesite=lax'; document.cookie = c; }
-function getToken() { return _cookieGet('sso_token') || localStorage.getItem('sso_token'); }
+function getToken() { return _cookieGet('sso_token'); }
 function getLoginUrl() {
    const h = location.hostname;
    const t = Date.now();
@@ -116,7 +116,6 @@ function initAuth() {
    const decoded = decodeToken(token);
    if (!decoded) { _safeRedirect(); return false; }
    sessionStorage.removeItem(_REDIRECT_KEY);
    if (!localStorage.getItem('sso_token')) localStorage.setItem('sso_token', token);
    currentUser = {
        id: decoded.user_id || decoded.id,
        username: decoded.username || decoded.sub,
--- a/tksupport/web/vacation-approval.html
+++ b/tksupport/web/vacation-approval.html
@@ -192,7 +192,7 @@
        </div>
    </div>
-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    let reviewAction = '';
    let reviewRequestId = null;
--- a/tksupport/web/vacation-request.html
+++ b/tksupport/web/vacation-request.html
@@ -81,7 +81,7 @@
        </div>
    </div>
-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    async function initRequestPage() {
        if (!initAuth()) return;
--- a/tksupport/web/vacation-status.html
+++ b/tksupport/web/vacation-status.html
@@ -90,7 +90,7 @@
        </div>
    </div>
-    <script src="/static/js/tksupport-core.js?v=2"></script>
+    <script src="/static/js/tksupport-core.js?v=20260313"></script>
    <script>
    async function initStatusPage() {
        if (!initAuth()) return;
--- a/user-management/api/middleware/auth.js
+++ b/user-management/api/middleware/auth.js
@@ -15,9 +15,6 @@ function extractToken(req) {
  if (authHeader && authHeader.startsWith('Bearer ')) {
    return authHeader.split(' ')[1];
  }
  if (req.cookies && req.cookies.sso_token) {
    return req.cookies.sso_token;
  }
  return null;
 }
--- a/user-management/web/nginx.conf
+++ b/user-management/web/nginx.conf
@@ -3,6 +3,10 @@ server {
    server_name _;
    charset utf-8;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    root /usr/share/nginx/html;
    index index.html;