From 5686ae5468581ff9a9e77b6cc6a5eaa28a7fef68 Mon Sep 17 00:00:00 2001 From: "alexei.dolgolyov" Date: Thu, 4 Jun 2026 20:46:13 +0300 Subject: [PATCH] fix(security): remove active weak default API key from shipped config default_config.yaml shipped api_keys.dev: "development-key-change-in-production" uncommitted/active, while the surrounding comment claimed it had been removed. On a non-loopback bind this is a publicly-known credential granting full LAN access. Restore the documented secure default (empty api_keys -> loopback-only anonymous, LAN rejected) and leave a commented example instead. --- server/config/default_config.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/server/config/default_config.yaml b/server/config/default_config.yaml index daa46fc..e7e6a46 100644 --- a/server/config/default_config.yaml +++ b/server/config/default_config.yaml @@ -15,11 +15,11 @@ auth: # - LAN requests are REJECTED with 401 (security default) # To enable LAN access, uncomment the example below and replace the value # with a secret you generated yourself (e.g. `openssl rand -hex 32`). - # The previous default `dev: "development-key-change-in-production"` has - # been removed — it shipped as a publicly-known token and any deployment - # that still uses it grants full LAN access to anyone on the network. - api_keys: - dev: "development-key-change-in-production" + # Do NOT ship a hard-coded key here — a publicly-known token grants full + # LAN access to anyone on the network. + api_keys: {} + # api_keys: + # my-client: "replace-with-output-of-openssl-rand-hex-32" # Storage paths default to ./data relative to the server's working directory. # Set LEDGRAB_DATA_DIR in the environment to point at a different data root