Malin
bd5a67b57f
server.js: - Remove maskIP() — store full IPs as submitted (sanitizeIP trims/truncates only) - Add requireToken() middleware with constant-time comparison (timingSafeEqual) using 128-byte padded buffers to prevent length-based timing leaks - API_TOKEN env var — if unset the endpoint stays open (dev mode); set it in prod - /api/v1/submit now requires Authorization: Bearer <token> docker-compose.yml / .env.example: - Expose API_TOKEN env var with clear comment index.html: - Add red-bordered 'MOST ATTACKED FORM (30D)' banner between stats and content grid showing form name, hit count, and % of all 30d blocks - Widen live feed IP column 90px → 130px to fit full IPv4 addresses - Remove 'ALL DATA IS ANONYMISED' from footer (IPs are full now) honeypot-fields.php: - SmartHoneypotAPIClient: add api_token to defaults + send Authorization header - save_api_settings: persist api_token field - Settings tab: add password input for API token with description
7 lines
239 B
Plaintext
7 lines
239 B
Plaintext
PORT=3000
|
|
DB_PATH=/data/honeypot.db
|
|
NODE_ENV=production
|
|
# Set a strong random token — all WP sites must send this as: Authorization: Bearer <token>
|
|
# Leave empty to run in open mode (dev only)
|
|
API_TOKEN=change-me-to-a-long-random-string
|