fix(security): strip push tokens from /status/json response #14

Merged
lerko merged 1 commit from fix/status-json-token-exposure into develop 2026-05-16 19:57:42 +00:00

Summary

  • Public /status/json endpoint was exposing push monitor heartbeat tokens
  • Attacker could extract tokens and forge heartbeats to suppress DOWN alerts
  • Tokens now stripped before JSON encoding
  • Backup/export endpoint unaffected (still includes tokens for restore)

Test plan

  • [x] go test ./... passes
  • [ ] curl /status/json — verify Token field is empty for push monitors
  • [ ] curl -H "X-Upkeep-Secret: key" /api/backup/export — verify Token field still present
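The pattern this PR describes, serving the public endpoint from a copy of the monitor records with the heartbeat token cleared while the secret-gated backup/export path still returns the full records, as an added Go example. This is not code from the uptop project; the Site field set, the handler names, the sample monitors and the constant-time header check are assumptions for the example, only the endpoint paths, the Token field and the X-Upkeep-Secret header come from the PR text.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Site is an assumed shape for a monitor record: a push monitor's Token is
// the heartbeat secret that must never appear on the public status page.
type Site struct {
	ID    int    `json:"id"`
	Name  string `json:"name"`
	Type  string `json:"type"`  // "push" or "http"
	Token string `json:"token"` // heartbeat secret for push monitors
	Up    bool   `json:"up"`
}

// PublicSites returns a copy of the site list with every Token cleared.
// It copies instead of mutating the store, so the in-memory records that
// the backup/export path still needs stay intact.
func PublicSites(sites []Site) []Site {
	out := make([]Site, len(sites))
	for i, s := range sites {
		s.Token = "" // s is a value copy; the caller's slice is untouched
		out[i] = s
	}
	return out
}

// statusJSONHandler serves the public endpoint from the sanitized copy.
func statusJSONHandler(store []Site) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(PublicSites(store))
	}
}

// backupExportHandler keeps tokens but requires the shared secret header.
// The constant-time compare is this example's choice, not the project's.
func backupExportHandler(store []Site, secret string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := []byte(r.Header.Get("X-Upkeep-Secret"))
		if subtle.ConstantTimeCompare(got, []byte(secret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(store)
	}
}

// ContainsToken reports whether an encoded response body still carries a
// given secret; a cheap regression check for the public endpoint.
func ContainsToken(encoded []byte, token string) bool {
	return token != "" && bytes.Contains(encoded, []byte(token))
}

func main() {
	// Constructed sample monitors; the token value is a placeholder.
	store := []Site{
		{ID: 1, Name: "api", Type: "http", Up: true},
		{ID: 2, Name: "nightly-backup", Type: "push", Token: "EXAMPLE-TOKEN-abc123", Up: true},
	}

	pub := httptest.NewRecorder()
	statusJSONHandler(store)(pub, httptest.NewRequest("GET", "/status/json", nil))
	fmt.Printf("public body leaks token: %v\n", ContainsToken(pub.Body.Bytes(), store[1].Token))

	exp := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/api/backup/export", nil)
	req.Header.Set("X-Upkeep-Secret", "key")
	backupExportHandler(store, "key")(exp, req)
	fmt.Printf("export body keeps token:  %v\n", ContainsToken(exp.Body.Bytes(), store[1].Token))
}
```

Clearing the field on a copy, rather than tagging it `json:"-"`, is what lets one struct serve both paths: the backup/export response must still round-trip the token for restore, so the omission has to happen per endpoint, not in the type definition. The ContainsToken check is the kind of assertion worth keeping in the test suite so a future refactor that serializes the store directly again fails CI instead of shipping.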
lerko added 1 commit 2026-05-16 19:57:32 +00:00
The public status JSON endpoint was serializing full Site structs
including heartbeat tokens. An attacker could extract tokens and
forge heartbeats to suppress DOWN alerts. Now tokens are stripped
before encoding. Backup/export endpoint is unaffected.
lerko merged commit 887b8240f8 into develop 2026-05-16 19:57:42 +00:00
Reference: lerkolabs/uptop#14