Elie Habib
a9224254a5
fix: security hardening — CORS, auth bypass, origin validation & bump v2.2.7
...
- Tighten CORS regex to block worldmonitorEVIL.vercel.app spoofing
- Move sidecar /api/local-env-update behind token auth + add key allowlist
- Add postMessage origin/source validation in LiveNewsPanel
- Replace postMessage wildcard '*' targetOrigin with specific origin
- Add isDisallowedOrigin() check to 25 API endpoints missing it
- Migrate gdelt-geo & EIA from custom CORS to shared _cors.js
- Add CORS to firms-fires, stock-index, youtube/live endpoints
- Tighten youtube/embed.js ALLOWED_ORIGINS regex
- Remove 'unsafe-inline' from CSP script-src
- Add iframe sandbox attribute to YouTube embed
- Validate meta-tags URL query params with regex allowlist
2026-02-15 20:33:20 +04:00
Elie Habib
ac935d505e
fix: migrate all Vercel edge functions to CORS allowlist & bump v2.2.5
...
Replace Access-Control-Allow-Origin: * with shared getCorsHeaders()
across 20 API edge functions to restrict access to worldmonitor.app,
tech.worldmonitor.app, and authorized Vercel preview URLs.
Version bump to 2.2.5 across package.json, tauri.conf.json, Cargo.toml.
2026-02-15 19:13:54 +04:00
Elie Habib
c353cf2070
Reduce egress costs, add PWA support, fix Polymarket and Railway relay
...
Egress optimization:
- Add s-maxage + stale-while-revalidate to all API endpoints for Vercel CDN caching
- Add vercel.json with immutable caching for hashed assets
- Add gzip compression to sidecar responses >1KB
- Add gzip to Railway RSS responses (4 paths previously uncompressed)
- Increase polling intervals: markets/crypto 60s→120s, ETF/macro/stablecoins 60s→180s
- Remove hardcoded Railway URL from theater-posture.js (now env-var only)
PWA / Service Worker:
- Add vite-plugin-pwa with autoUpdate strategy
- Cache map tiles (CacheFirst), fonts (StaleWhileRevalidate), static assets
- NetworkOnly for all /api/* routes (real-time data must be fresh)
- Manual SW registration (web only, skip Tauri)
- Add offline fallback page
- Replace manual manifest with plugin-generated manifest
Polymarket fix:
- Route dev proxy through production Vercel (bypasses JA3 blocking)
- Add 4th fallback tier: production URL as absolute fallback
Desktop/Sidecar:
- Dual-backend cache (_upstash-cache.js): Redis cloud + in-memory+file desktop
- Settings window OK/Cancel redesign
- Runtime config and secret injection improvements
2026-02-14 19:53:04 +04:00
Elie Habib
f7119b9ed6
Harden CORS, XSS, and input validation across all API endpoints and components
...
- Add CORS origin allowlist (api/_cors.js) replacing Access-Control-Allow-Origin: *
- Add isDisallowedOrigin guard to all API endpoints (acled, cloudflare-outages, finnhub, fred-data, hackernews, wingbits)
- Gut debug-env endpoint to return 404
- Tighten sanitizeUrl() with escapeAttr output and strict relative URL validation
- Add sanitizeUrl() adoption in CountryIntelModal, InsightsPanel, PredictionPanel, RegulationPanel, TechEventsPanel
- Comprehensive escapeHtml() hardening in MapPopup (cables, flights, vessels, clusters)
- Bound HackerNews concurrent fetches (MAX_CONCURRENCY=10), validate story type and limit params
- Add wingbits cache eviction (MAX_LOCAL_CACHE_ENTRIES=2000, sweep on TTL + LRU)
- Fix arxiv http→https, og-story parseInt safety with Number.isFinite + clamping
2026-02-11 14:35:07 +04:00
Elie Habib
5d037c4132
Add tech variant with expanded global tech ecosystem data
...
- Add variant system (full/tech) with VITE_VARIANT env var
- Create tech-geo.ts with 465 entries:
- 295 TECH_HQS (FAANG, unicorns across US, Europe, MENA, India, SEA, China, LATAM, Africa)
- 112 ACCELERATORS (YC, Techstars, 500 Global, regional accelerators)
- 38 STARTUP_HUBS (mega/major/emerging tiers)
- 20 CLOUD_REGIONS (AWS, GCP, Azure, Cloudflare)
- Add map layers: startupHubs, cloudRegions, accelerators, techHQs
- Add tech-specific RSS feeds and panels
- Fix YouTube channel fallback IDs (Yahoo Finance, NASA TV, TBPN)
- MENA expansion: 50+ companies (UAE, Saudi, Egypt, Jordan)
- India: 40+ unicorns (Flipkart, PhonePe, Razorpay, etc)
- SEA: 25+ companies (Grab, GoTo, J&T Express, etc)
- LATAM: 35+ companies (Nubank, MercadoLibre, Bitso, etc)
2026-01-22 23:18:32 +04:00
