lerko
025b1b61d0
The public status JSON endpoint was serializing full Site structs including heartbeat tokens. An attacker could extract tokens and forge heartbeats to suppress DOWN alerts. Now tokens are stripped before encoding. Backup/export endpoint is unaffected.