Timmy_Foundation/hermes-agent
16
0
Fork 0
Code Issues 55 Pull Requests 3 Actions 41 Packages Projects Releases Wiki Activity

[SECURITY] Fix Auth Bypass & CORS Misconfiguration (V-008, V-009) #63

Merged
allegro merged 1 commits from security/fix-auth-bypass into main 2026-03-30 23:55:05 +00:00
Conversation 0 Commits 1 Files Changed 1 +49 -8

1 Commits

Author SHA1 Message Date
Allegro
cfcffd38ab security: fix auth bypass and CORS misconfiguration (V-008, V-009)
Some checks failed
Supply Chain Audit / Scan PR for supply chain risks (pull_request) Successful in 27s
Details
Tests / test (pull_request) Failing after 24s
Details
Docker Build and Publish / build-and-push (pull_request) Failing after 35s
Details 
API Server security hardening:

V-009 (CVSS 8.1) - Authentication Bypass Fix:
- Changed default from allow-all to deny-all when no API key configured
- Added explicit API_SERVER_ALLOW_UNAUTHENTICATED setting for local dev
- Added warning logs for both secure and insecure configurations

V-008 (CVSS 8.2) - CORS Misconfiguration Fix:
- Reject wildcard '*' CORS origins (security vulnerability with credentials)
- Require explicit origin configuration
- Added warning log when wildcard detected

Changes:
- gateway/platforms/api_server.py: Hardened auth and CORS handling

Refs: V-008, V-009 in SECURITY_AUDIT_REPORT.md
CWE-287: Improper Authentication
CWE-942: Permissive Cross-domain Policy
 2026-03-30 23:54:58 +00:00