Hi,
The `GET /api/config` endpoint returns all configuration values in plaintext, including API keys like `INSIGHT_ENGINE_API_KEY`, `MEDIA_ENGINE_API_KEY`, etc. There's no authentication on this endpoint, so anyone with network access can read (and write via POST) the full config.
This was also reported in #620 — it looks like a number of deployments have already been affected.
As a first step, I think masking the sensitive values in the GET response would help. I've got a fix that replaces API key values with masked versions (e.g., `***abcd`) so the frontend can still show that a key is configured without exposing the actual value.
A more complete fix would add authentication to these endpoints, but that's a bigger change — happy to discuss.
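The masking approach described above, as an added illustration rather than the commenter's actual fix or the project's code. It assumes a dictionary-shaped config and a hypothetical key-name pattern (`_API_KEY`, `_SECRET`, `_TOKEN`, `PASSWORD`) for deciding which values are sensitive; the real project's list may differ. It also covers the round-trip problem a masked GET creates: if the frontend POSTs the config back unchanged, the placeholder must not overwrite the stored secret, so the update path treats a still-masked value as "leave as is".

```python
import re
from typing import Any, Dict, Optional

# Assumption: which keys count as secrets. Adjust to the project's real config schema.
SENSITIVE_KEY_RE = re.compile(r"(_API_KEY|_SECRET|_TOKEN|PASSWORD)$", re.IGNORECASE)
MASK_PREFIX = "***"
VISIBLE_SUFFIX = 4  # show at most the last 4 characters, e.g. "***abcd"


def is_sensitive(key: str) -> bool:
    """True if a config key name looks like it holds a credential."""
    return SENSITIVE_KEY_RE.search(key) is not None


def mask_value(value: Optional[Any]) -> Optional[str]:
    """Return a '***abcd'-style mask for a secret.

    Unset values (None or '') are returned unchanged so the UI can still show
    "not configured". Values of 8 characters or fewer are masked completely,
    because revealing 4 of 8 characters would leak half the secret.
    """
    if value is None or value == "":
        return value
    text = str(value)
    if len(text) <= 2 * VISIBLE_SUFFIX:
        return MASK_PREFIX
    return MASK_PREFIX + text[-VISIBLE_SUFFIX:]


def is_masked(value: Any) -> bool:
    """True if a submitted value is one of our placeholders rather than a real secret."""
    return isinstance(value, str) and value.startswith(MASK_PREFIX)


def mask_config(config: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the config suitable for a GET response: secrets masked, the rest untouched."""
    return {k: (mask_value(v) if is_sensitive(k) else v) for k, v in config.items()}


def apply_update(stored: Dict[str, Any], submitted: Dict[str, Any]) -> Dict[str, Any]:
    """Merge a POSTed config into the stored one.

    A sensitive field whose submitted value is still a mask means "unchanged",
    so a frontend that round-trips the masked GET body cannot clobber the real key.
    """
    merged = dict(stored)
    for key, value in submitted.items():
        if is_sensitive(key) and is_masked(value):
            continue  # keep the existing secret
        merged[key] = value
    return merged


# Constructed sample config; the key values are made up for this example.
SAMPLE_CONFIG = {
    "INSIGHT_ENGINE_API_KEY": "sk-insight-1234abcd",
    "MEDIA_ENGINE_API_KEY": "",          # not configured yet
    "LOG_LEVEL": "info",
    "DB_PASSWORD": "short",              # too short to show any suffix
}


def demo() -> Dict[str, Any]:
    """Mask the sample config, then simulate the frontend POSTing it back with edits."""
    masked = mask_config(SAMPLE_CONFIG)
    submitted = dict(masked)
    submitted["LOG_LEVEL"] = "debug"                       # ordinary change
    submitted["MEDIA_ENGINE_API_KEY"] = "new-media-key-9999"  # operator sets a new key
    return {"masked": masked, "merged": apply_update(SAMPLE_CONFIG, submitted)}


if __name__ == "__main__":
    print(demo())
```

One design consequence worth knowing before shipping this: any genuinely new secret that itself starts with `***` would be ignored by `apply_update`, so the frontend should send an explicit "clear" or "set" action if that is a realistic input. Masking also does nothing about the unauthenticated POST path mentioned above; it only shrinks what the GET leaks.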