
HIGH: Add API authentication, request size limits, and CORS #53

@AlexMikhalev


Security Findings - HIGH

Source: Security audit (2026-02-24)

No Authentication (Finding 4)

All API routes (/extract, /treatments, /recommend, /validate-pgx, /ws/recommend) are exposed without any authentication middleware.

No Request Size Limits (Finding 5)

No body size limits configured. Clients can send multi-GB JSON payloads causing OOM.

No CORS / Rate Limiting

Neither tower_http::cors::CorsLayer nor tower::limit::RateLimitLayer is applied to the router, so any origin can call the API from a browser and no per-client request rate is enforced.

Remediation

  1. Add API key or JWT middleware to clinical endpoints
  2. Add axum::extract::DefaultBodyLimit::max(1_048_576) (1MB)
  3. Add tower::limit::RateLimitLayer
  4. Add tower_http::cors::CorsLayer
  5. Configure WebSocket message size limits and connection caps
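
The following is an added example, not code from the terraphim-api crate: a std-only Rust model of the guard that steps 1 to 4 above describe, so the ordering and failure modes can be seen and tested without a web framework. The API key header name (X-Api-Key), the key value, the allowed origin and the client addresses are all constructed for the example; the 1_048_576-byte body cap is the figure from the remediation list.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Body cap from the remediation list: 1_048_576 bytes (1 MiB).
pub const MAX_BODY_BYTES: usize = 1_048_576;

/// Minimal model of an inbound request; values used in tests are constructed.
#[derive(Clone, Copy)]
pub struct Request<'a> {
    pub origin: Option<&'a str>,  // `Origin` header, present on browser requests
    pub api_key: Option<&'a str>, // `X-Api-Key` header (hypothetical header name)
    pub body_len: usize,          // declared Content-Length
    pub client: &'a str,          // peer address used as the rate-limit key
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    ForbiddenOrigin, // CORS: origin not on the allowlist
    PayloadTooLarge, // HTTP 413
    TooManyRequests, // HTTP 429
    Unauthorized,    // HTTP 401
}

/// Constant-time comparison so a wrong key is not distinguishable by timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Fixed-window limiter: at most `limit` requests per `window` per client key.
pub struct RateLimiter {
    limit: u32,
    window: Duration,
    buckets: HashMap<String, (Instant, u32)>,
}

impl RateLimiter {
    pub fn new(limit: u32, window: Duration) -> Self {
        Self { limit, window, buckets: HashMap::new() }
    }

    /// Returns true if the request is within budget and records it.
    pub fn allow(&mut self, client: &str, now: Instant) -> bool {
        let entry = self.buckets.entry(client.to_string()).or_insert((now, 0));
        if now.duration_since(entry.0) >= self.window {
            *entry = (now, 0); // window elapsed: start a fresh count
        }
        if entry.1 >= self.limit {
            return false;
        }
        entry.1 += 1;
        true
    }
}

/// The guard every clinical route passes through before its handler runs.
pub struct Gateway {
    api_key: Vec<u8>,
    allowed_origins: Vec<String>,
    limiter: RateLimiter,
}

impl Gateway {
    pub fn new(api_key: &[u8], origins: &[&str], limit: u32, window: Duration) -> Self {
        Self {
            api_key: api_key.to_vec(),
            allowed_origins: origins.iter().map(|o| o.to_string()).collect(),
            limiter: RateLimiter::new(limit, window),
        }
    }

    /// Cheap checks first, so an oversized or unauthenticated request is
    /// rejected before any JSON is buffered or parsed.
    pub fn check(&mut self, req: &Request, now: Instant) -> Result<(), Rejection> {
        if let Some(origin) = req.origin {
            if !self.allowed_origins.iter().any(|a| a == origin) {
                return Err(Rejection::ForbiddenOrigin);
            }
        }
        if req.body_len > MAX_BODY_BYTES {
            return Err(Rejection::PayloadTooLarge);
        }
        if !self.limiter.allow(req.client, now) {
            return Err(Rejection::TooManyRequests);
        }
        match req.api_key {
            Some(key) if ct_eq(key.as_bytes(), &self.api_key) => Ok(()),
            _ => Err(Rejection::Unauthorized),
        }
    }
}

fn main() {
    // Constructed values; a real deployment reads the key from configuration.
    let mut gw = Gateway::new(b"dev-only-key", &["https://app.example"], 5, Duration::from_secs(60));
    let req = Request { origin: Some("https://app.example"), api_key: Some("dev-only-key"), body_len: 512, client: "10.0.0.1" };
    println!("{:?}", gw.check(&req, Instant::now()));
}
```

In the axum service itself these checks map onto layers rather than one struct: DefaultBodyLimit::max(1_048_576) on the Router, CorsLayer::new() with an explicit allow_origin list rather than a wildcard, the key check as an axum::middleware::from_fn layer in front of the clinical routes, and WebSocketUpgrade::max_message_size for step 5. One caveat for step 3: tower's RateLimitLayer is a single global limiter and its service is not Clone, so in axum it normally sits inside a ServiceBuilder with HandleErrorLayer and BufferLayer; a per-client budget like the keyed limiter sketched here needs a keyed implementation (for example the tower_governor crate) instead.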

Locations

  • crates/terraphim-api/src/routes/mod.rs
  • crates/terraphim-api/src/lib.rs

Labels

  • security (Security vulnerabilities and audit findings)