akanealw/caddy-proxy-manager
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
9940bea058ccfd090d27bd834ba0fcd4e4322d24
caddy-proxy-manager/app/api
History
fuomag9 881992b6cc Restrict analytics, GeoIP status, and OpenAPI spec to admin role 
Pentest found that all 8 analytics API endpoints, the GeoIP status
endpoint, and the OpenAPI spec were accessible to any authenticated
user. Since the user role should only have access to forward auth
and self-service, these are now admin-only.

- analytics/*: requireUser → requireAdmin
- geoip-status: requireUser → requireAdmin
- openapi.json: add requireApiAdmin + change Cache-Control to private
- analytics/api-docs pages: requireUser → requireAdmin (defense-in-depth)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 00:02:13 +02:00
..
analytics
Restrict analytics, GeoIP status, and OpenAPI spec to admin role
2026-04-06 00:02:13 +02:00
auth
security: add same-origin CSRF check to state-changing user API routes
2026-03-05 01:04:18 +01:00
forward-auth
Fix forward auth security vulnerabilities found during pentest
2026-04-06 00:01:10 +02:00
geoip-status
Restrict analytics, GeoIP status, and OpenAPI spec to admin role
2026-04-06 00:02:13 +02:00
health
Add health check endpoint and fix Caddy HTTPS on startup
2025-11-03 19:17:13 +01:00
instances/sync
chore: remove finding-ID prefixes from code comments
2026-03-26 12:51:39 +01:00
l4-ports
feat: add L4 (TCP/UDP) proxy host support via caddy-l4
2026-03-22 00:11:16 +01:00
user
chore: remove finding-ID prefixes from code comments
2026-03-26 12:51:39 +01:00
v1
Restrict analytics, GeoIP status, and OpenAPI spec to admin role
2026-04-06 00:02:13 +02:00
waf-events
feat: integrate Coraza WAF with full UI and event logging
2026-03-03 22:16:34 +01:00