fix(security): strip push tokens from /status/json response #14

Merged
lerko merged 1 commit from fix/status-json-token-exposure into develop 2026-05-16 19:57:42 +00:00

1 Commit

Author SHA1 Message Date
lerko 025b1b61d0 fix(security): strip push tokens from /status/json response
The public status JSON endpoint was serializing full Site structs
including heartbeat tokens. An attacker could extract tokens and
forge heartbeats to suppress DOWN alerts. Now tokens are stripped
before encoding. Backup/export endpoint is unaffected.
2026-05-16 15:45:09 -04:00
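
The exposure described in the commit message, shown beside one way to close it; this is an added example, not the project's code or its actual fix. The `Site` fields, JSON keys, function names and token value are assumptions constructed for illustration, and the allow-list struct is one approach to stripping secrets before encoding.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Site is a hypothetical stand-in for the project's Site struct (fields assumed).
type Site struct {
	Name      string `json:"name"`
	Status    string `json:"status"`
	PushToken string `json:"push_token"` // heartbeat secret, must stay private
}

// PublicSite is an allow-list view holding only fields safe for a public page.
type PublicSite struct {
	Name   string `json:"name"`
	Status string `json:"status"`
}

// EncodeLeaky reproduces the "before" behaviour: full structs reach the encoder.
func EncodeLeaky(sites []Site) ([]byte, error) {
	return json.Marshal(sites)
}

// EncodePublic copies each Site into the allow-list view before encoding, so a
// secret field added to Site later is not exposed by default.
func EncodePublic(sites []Site) ([]byte, error) {
	out := make([]PublicSite, 0, len(sites))
	for _, s := range sites {
		out = append(out, PublicSite{Name: s.Name, Status: s.Status})
	}
	return json.Marshal(out)
}

// SampleSites returns constructed data; the token is a placeholder value.
func SampleSites() []Site {
	return []Site{{Name: "api", Status: "up", PushToken: "CONSTRUCTED-TOKEN"}}
}

func main() {
	leaky, _ := EncodeLeaky(SampleSites())
	public, _ := EncodePublic(SampleSites())
	fmt.Println("before:", string(leaky))
	fmt.Println("after: ", string(public))
}
```

A regression test that fetches the public endpoint and asserts the token key never appears in the body keeps the fix from being undone by a later struct change.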