Hahn-Solo Product Management
Basic Information
Status
Open
Priority
Next
Category
Security
Repo
SCB PM
Effort
Trivial
Task ID
T-798B544C
Details
Audit JSSDeploymentSecret in xmcloud.build.json
The `xmcloud.build.json` file contains a hardcoded `jssDeploymentSecret` value (`110F1C44A496B45478640DD36F80C18C9`) that is identical across all 7 rendering host entries. That is expected for a starter template, since developers are supposed to rotate it, but nothing in the repo says so or enforces it. Add a comment and a README warning stating that this value MUST be rotated before production deployment, and consider adding a CI check that fails when the default secret is detected outside the template repo itself.
Why
A hardcoded deployment secret in a public GitHub template is a known attack vector: the value is public, so anyone can read it. If developers fork the repo and deploy without rotating the secret, anyone who knows the published value can authenticate to whatever endpoint on their deployment trusts that secret. The Sitecore security advisory for CVE-2025-53690 (sample ASP.NET machine keys from Sitecore deployment guides reused in production and abused for ViewState deserialization) shows this class of issue has been actively exploited.
Evidence
`xmcloud.build.json` inspection; CVE-2025-53690 precedent
Details
Context: The `xmcloud.build.json` file ships with an identical `jssDeploymentSecret` value across all 7 rendering hosts. Because the template is public, this is a known-value secret. The CVE-2025-53690 incident (a Sitecore ViewState deserialization zero-day exploited via sample machine keys copied from public deployment guides) demonstrates that default secrets in public documentation and templates are actively targeted by threat actors. Developers are expected to rotate this value, but there is currently no guardrail preventing a deployment that still uses the default.

Steps:
1. Add a prominent warning in the root README under the Local Development Setup section: "WARNING: Rotate `jssDeploymentSecret` in `xmcloud.build.json` before deploying to any non-local environment."
2. Add inline comments in `xmcloud.build.json` above each `jssDeploymentSecret` entry.
3. Consider adding a CI check in the DMZ validation workflow that fails if the default secret value `110F1C44A496B45478640DD36F80C18C9` is detected (with an override for the template repo itself).
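One way to implement the check in step 3, written here as an added example rather than code from the SCB repo or its DMZ validation workflow: a small script that parses `xmcloud.build.json`, fails on any rendering host that still carries the default `jssDeploymentSecret` (or no usable secret at all), and only warns when rotated hosts share one secret. The structure of `renderingHosts` (an object keyed by host name), the 32-character minimum length and the `SCB_ALLOW_DEFAULT_SECRET` override for the template repo are assumptions, not something the task or the repo specifies; the sample config at the bottom is constructed for the example.

```python
"""Guardrail for xmcloud.build.json: fail CI when a rendering host still carries the
template's default jssDeploymentSecret (or no usable secret at all).

Assumptions (not from the project): renderingHosts is a JSON object keyed by host
name, each entry holding a jssDeploymentSecret string; the environment variable
SCB_ALLOW_DEFAULT_SECRET=1 is the override used only in the template repo's own CI.
"""
import json
import os
import sys

# Default value shipped in the template (as quoted in the task).
DEFAULT_SECRET = "110F1C44A496B45478640DD36F80C18C9"
MIN_SECRET_LENGTH = 32  # assumed floor; the default itself is 33 hex characters


def audit_rendering_hosts(config, allow_default=False):
    """Return (errors, warnings), each a list of (host_name, message) tuples.

    errors   -> missing/empty/short secret, or the default secret (unless allowed)
    warnings -> the default secret when allowed, or a rotated secret reused by
                several hosts
    """
    errors, warnings = [], []
    hosts = config.get("renderingHosts") or {}
    # Tolerate a list of hosts too, in case the file shape differs.
    entries = hosts.items() if isinstance(hosts, dict) else enumerate(hosts)
    by_secret = {}
    for name, host in entries:
        name = str(name)
        secret = host.get("jssDeploymentSecret")
        if not isinstance(secret, str) or not secret.strip():
            errors.append((name, "jssDeploymentSecret is missing or empty"))
            continue
        if secret == DEFAULT_SECRET:
            target = warnings if allow_default else errors
            target.append((name, "still uses the template's default jssDeploymentSecret"))
        elif len(secret) < MIN_SECRET_LENGTH:
            errors.append((name, f"jssDeploymentSecret is shorter than {MIN_SECRET_LENGTH} characters"))
        by_secret.setdefault(secret, []).append(name)
    # Reuse of one rotated secret across hosts is a smell, not a hard failure.
    for secret, names in by_secret.items():
        if len(names) > 1 and secret != DEFAULT_SECRET:
            warnings.append((", ".join(names), "same jssDeploymentSecret shared by several rendering hosts"))
    return errors, warnings


def audit_file(path, allow_default=False):
    """Load a build file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_rendering_hosts(json.load(fh), allow_default=allow_default)


# Constructed sample (not a real xmcloud.build.json): one host on the default,
# one rotated, two sharing a rotated value, and one with an empty secret.
SAMPLE_CONFIG = {
    "renderingHosts": {
        "xmcloudpreview": {"path": "./src/sxastarter", "jssDeploymentSecret": DEFAULT_SECRET},
        "sxastarter": {"path": "./src/sxastarter", "jssDeploymentSecret": "7c1e3b9a5d2f4e6081a3c5b7d9e1f2a4"},
        "site-a": {"path": "./src/site-a", "jssDeploymentSecret": "b2d4f6a8c0e1357924680ace13579bdf"},
        "site-b": {"path": "./src/site-b", "jssDeploymentSecret": "b2d4f6a8c0e1357924680ace13579bdf"},
        "legacy": {"path": "./src/legacy", "jssDeploymentSecret": ""},
    }
}


def main(argv):
    """CLI entry point: `python check_deployment_secret.py [path/to/xmcloud.build.json]`."""
    path = argv[1] if len(argv) > 1 else "xmcloud.build.json"
    allow_default = os.environ.get("SCB_ALLOW_DEFAULT_SECRET") == "1"
    errors, warnings = audit_file(path, allow_default=allow_default)
    for host, msg in warnings:
        print(f"WARNING [{host}]: {msg}")
    for host, msg in errors:
        print(f"ERROR [{host}]: {msg}", file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports `xmcloudpreview` and `legacy` as errors and the `site-a, site-b` reuse as a warning, so CI exits non-zero. With `SCB_ALLOW_DEFAULT_SECRET=1` (the template repo's own pipeline) the default value is downgraded to a warning and only the empty secret still fails. Matching the exact default string is deliberate: a length or entropy heuristic alone would miss a well-formed value that is nonetheless public.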

Acceptance criteria:
README contains a visible warning about rotating the deployment secret
`xmcloud.build.json` has inline documentation about the secret
Optional: CI check validates secret rotation

Risks: None identified. This is a documentation and guardrail improvement.
Source Report
reports/product-management/scb/2026-04-05-scb-pm.md
Report date: Apr 5, 2026