Commit Graph

3 Commits

Author SHA1 Message Date
Elie Habib
f7119b9ed6 Harden CORS, XSS, and input validation across all API endpoints and components
- Add CORS origin allowlist (api/_cors.js) replacing Access-Control-Allow-Origin: *
- Add isDisallowedOrigin guard to all API endpoints (acled, cloudflare-outages, finnhub, fred-data, hackernews, wingbits)
- Gut debug-env endpoint to return 404
- Tighten sanitizeUrl() with escapeAttr output and strict relative URL validation
- Add sanitizeUrl() adoption in CountryIntelModal, InsightsPanel, PredictionPanel, RegulationPanel, TechEventsPanel
- Comprehensive escapeHtml() hardening in MapPopup (cables, flights, vessels, clusters)
- Bound HackerNews concurrent fetches (MAX_CONCURRENCY=10), validate story type and limit params
- Add wingbits cache eviction (MAX_LOCAL_CACHE_ENTRIES=2000, sweep on TTL + LRU)
- Fix arxiv http→https, og-story parseInt safety with Number.isFinite + clamping
2026-02-11 14:35:07 +04:00
Elie Habib
3f3bbd3e3d Add Wingbits as fallback flight data source when OpenSky fails
- Add /flights and /flights/batch endpoints to wingbits proxy
- Add fetchMilitaryFlightsFromWingbits() to theater-posture API
- Try OpenSky first, fallback to Wingbits on 429/failure
- Transform Wingbits data to match existing flight format
- Add 'source' field to response ('opensky' or 'wingbits')
2026-01-27 07:22:51 +04:00
Elie Habib
28240d4c94 Fix wingbits API routing for subpaths (/health, /details)
2026-01-25 11:08:50 +04:00