eliott/worldmonitor
1
0
Fork 0
mirror of https://github.com/koala73/worldmonitor.git synced 2026-04-26 01:24:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
3,343 Commits 139 Branches 48 Tags
9b94bbc625fdf4e158519903e1c9d6b9de10def3
Commit Graph

6 Commits

Author SHA1 Message Date
Elie Habib
a9224254a5 fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7 
- Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing
- Move sidecar /api/local-env-update behind token auth + add key allowlist
- Add postMessage origin/source validation in LiveNewsPanel
- Replace postMessage wildcard '*' targetOrigin with specific origin
- Add isDisallowedOrigin() check to 25 API endpoints missing it
- Migrate gdelt-geo & EIA from custom CORS to shared _cors.js
- Add CORS to firms-fires, stock-index, youtube/live endpoints
- Tighten youtube/embed.js ALLOWED_ORIGINS regex
- Remove 'unsafe-inline' from CSP script-src
- Add iframe sandbox attribute to YouTube embed
- Validate meta-tags URL query params with regex allowlist
 2026-02-15 20:33:20 +04:00
Elie Habib
c353cf2070 Reduce egress costs, add PWA support, fix Polymarket and Railway relay 
Egress optimization:
- Add s-maxage + stale-while-revalidate to all API endpoints for Vercel CDN caching
- Add vercel.json with immutable caching for hashed assets
- Add gzip compression to sidecar responses >1KB
- Add gzip to Railway RSS responses (4 paths previously uncompressed)
- Increase polling intervals: markets/crypto 60s→120s, ETF/macro/stablecoins 60s→180s
- Remove hardcoded Railway URL from theater-posture.js (now env-var only)

PWA / Service Worker:
- Add vite-plugin-pwa with autoUpdate strategy
- Cache map tiles (CacheFirst), fonts (StaleWhileRevalidate), static assets
- NetworkOnly for all /api/* routes (real-time data must be fresh)
- Manual SW registration (web only, skip Tauri)
- Add offline fallback page
- Replace manual manifest with plugin-generated manifest

Polymarket fix:
- Route dev proxy through production Vercel (bypasses JA3 blocking)
- Add 4th fallback tier: production URL as absolute fallback

Desktop/Sidecar:
- Dual-backend cache (_upstash-cache.js): Redis cloud + in-memory+file desktop
- Settings window OK/Cancel redesign
- Runtime config and secret injection improvements
 2026-02-14 19:53:04 +04:00
Elie Habib
f56d44f2f2 Use wildcard CORS for *.worldmonitor.app subdomains 2026-01-23 08:30:15 +04:00
Elie Habib
81c538255d Add tech.worldmonitor.app to API CORS allowlists 2026-01-23 08:29:33 +04:00
Elie Habib
7ecb1b1597 Security hardening for EIA and USASpending features 
Fixes identified by red-team audit:

EIA API Proxy:
- Restrict CORS to allowed origins only (HIGH)
- Add HTTP method validation - GET/OPTIONS only (MEDIUM)
- Remove error message information leakage (HIGH)

USASpending Service:
- Add input validation bounds for daysBack (1-90) and limit (1-50)

EconomicPanel:
- Escape all dynamic values in templates (XSS prevention)
- Escape numeric values, trend colors, icons, dates
 2026-01-16 16:18:41 +04:00
Elie Habib
5bbe126484 Fix EIA API routing with Vercel catch-all route 2026-01-16 15:41:48 +04:00