From 025b1b61d00bf0cc806e9f53a0c6ea60b06da98a Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Sat, 16 May 2026 15:45:09 -0400
Subject: [PATCH] fix(security): strip push tokens from /status/json response

The public status JSON endpoint was serializing full Site structs including heartbeat tokens. An attacker could extract tokens and forge heartbeats to suppress DOWN alerts. Now tokens are stripped before encoding. Backup/export endpoint is unaffected.
---
 internal/server/server.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/server/server.go b/internal/server/server.go
index 6f70df1..49f21a2 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -358,8 +358,13 @@ func Start(cfg ServerConfig, s store.Store, eng *monitor.Engine) {
 if cfg.EnableStatus {
 mux.HandleFunc("/status", func(w http.ResponseWriter, r *http.Request) { renderStatusPage(w, cfg.Title, eng) })
 mux.HandleFunc("/status/json", func(w http.ResponseWriter, r *http.Request) {
+ state := eng.GetLiveState()
+ for id, site := range state {
+ site.Token = ""
+ state[id] = site
+ }
 w.Header().Set("Content-Type", "application/json")
- json.NewEncoder(w).Encode(eng.GetLiveState())
+ json.NewEncoder(w).Encode(state)
 })
 }
--
2.52.0
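Review bot: The added loop redacts tokens by writing back into the map returned by `eng.GetLiveState()`; if that call hands out the engine's own live map rather than a copy (not visible in this hunk), the handler clears the heartbeat tokens inside the engine and races with concurrent heartbeat processing, so a redacted response would also break token validation for every site. Safer is to allocate a fresh map sized with `len(state)`, copy each entry with `Token` cleared into it, and encode that; the map's value type is not visible here, so I have not spelled that out. Clearing one field is also a denylist: any secret added to the site struct later will leak again through this endpoint, so a dedicated response type listing only the public fields would hold up better and still leaves the backup/export path untouched. The rewritten `Encode` line still discards its error; `if err := json.NewEncoder(w).Encode(state); err != nil { /* log it */ }` would at least surface truncated responses. The enclosing `Start` function begins and ends outside the hunk.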