SecShield Security Report

2026-02-24 08:22 UTC
Security Score: F (0/100)
CRITICAL: 2 HIGH: 68 MEDIUM: 38 LOW: 130

Network Security

WAF Detection
home.xamad.net: WAF None
secshield.xamad.net: WAF None
SSL/TLS
home.xamad.net: SSL OK (TLSv1.3, cert expires in 88d)
secshield.xamad.net: SSL OK (TLSv1.3, cert expires in 89d)
Port Exposure: 12 exposed | 10 localhost-only

Findings (238)

#1: UFW firewall is INACTIVE (iptables/nftables may be configured directly) HIGH
Source: OS/Firewall
#2: fail2ban is INACTIVE — no brute-force protection HIGH
Source: OS/Firewall
#3: Password authentication is enabled (prefer key-only) MEDIUM
Source: SSH
#4: X11 forwarding is enabled MEDIUM
Source: SSH
#5: TCP forwarding is enabled MEDIUM
Source: SSH
#6: MaxAuthTries is 6 (recommend <= 4) MEDIUM
Source: SSH
#7: ClientAliveInterval is 0 (no idle timeout) MEDIUM
Source: SSH
#8: 30 non-standard SUID/SGID binaries MEDIUM
Source: Permissions
#9: PASS_MAX_DAYS is 99999 (recommend <= 90) MEDIUM
Source: Password Policy
#10: PASS_MIN_DAYS is 0 — no minimum password age MEDIUM
Source: Password Policy
#11: PASS_MIN_LEN is 5 (recommend >= 8) MEDIUM
Source: Password Policy
#12: No account lockout policy (pam_faillock/pam_tally2 not configured) MEDIUM
Source: Password Policy
#13: pam_pwquality not configured — no password complexity enforcement MEDIUM
Source: Password Policy
#14: net.ipv4.ip_forward=1 (IP forwarding enabled — router mode) LOW
Source: Kernel
#15: net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled) LOW
Source: Kernel
#16: net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled) LOW
Source: Kernel
#17: fs.suid_dumpable=2 (SUID core dumps enabled) LOW
Source: Kernel
#18: DMARC policy is 'none' — not enforcing LOW
Source: DNS (home.xamad.net)
#19: DNSSEC not enabled LOW
Source: DNS (home.xamad.net)
#20: DMARC policy is 'none' — not enforcing LOW
Source: DNS (secshield.xamad.net)
#21: DNSSEC not enabled LOW
Source: DNS (secshield.xamad.net)
#22: darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1 HIGH
Source: Network
Service '' is listening on all interfaces but config expects localhost only
#23: Unexpected exposed port 8883 (mosquitto) MEDIUM
Source: Network
Port 8883 is listening on 0.0.0.0 but not in expected_ports config
#24: Unexpected exposed port 5055 (python3) MEDIUM
Source: Network
Port 5055 is listening on 0.0.0.0 but not in expected_ports config
#25: Unexpected exposed port 9001 (mosquitto) MEDIUM
Source: Network
Port 9001 is listening on 0.0.0.0 but not in expected_ports config
#26: Unexpected exposed port 8003 (python) MEDIUM
Source: Network
Port 8003 is listening on 0.0.0.0 but not in expected_ports config
#27: Unexpected exposed port 8000 (python) MEDIUM
Source: Network
Port 8000 is listening on 0.0.0.0 but not in expected_ports config
#28: Unexpected exposed port 3050 (node) MEDIUM
Source: Network
Port 3050 is listening on * but not in expected_ports config
#29: Unexpected exposed port 8065 () MEDIUM
Source: Network
Port 8065 is listening on * but not in expected_ports config
#30: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection LOW
Source: Headers (home.xamad.net)
#31: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection LOW
Source: Headers (secshield.xamad.net)
#32: [CVE-2026-25896] fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling CRITICAL
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.5
#33: Hardcoded API key HIGH
Source: Code ([...path].js)
File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {
#34: Hardcoded API key HIGH
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {
#35: Hardcoded API key HIGH
Source: Code (admin-sources-api.js)
File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';
#36: Hardcoded API key HIGH
Source: Code (webhooks.js)
File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
Line 238: const apiKey = req.get('X-API-Key');
#37: Hardcoded API key HIGH
Source: Code (security.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
Line 258: const apiKey = req.headers['x-api-key'];
#38: Hardcoded API key HIGH
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.js
Line 340: const apiKey = req.headers['x-api-key'];
#39: Hardcoded password HIGH
Source: Code (validation.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
Line 41: const passwordValidation = body('password')
#40: Hardcoded password HIGH
Source: Code (seed.dev.js)
File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
Line 31: const hashedPassword = await bcrypt.hash('password123', 10);
#41: Hardcoded API key HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#42: Hardcoded API key HIGH
Source: Code (skyTrackingOptimized.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
#43: Hardcoded API key HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#44: Hardcoded API key HIGH
Source: Code (googleEarthEngine.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
#45: Hardcoded API key HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#46: Hardcoded API key HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {
#47: Hardcoded API key HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#48: Hardcoded API key HIGH
Source: Code (skyInterference.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
#49: Hardcoded API key HIGH
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';
#50: Hardcoded password HIGH
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 8: const { validatePassword, validateEmail } = require('../utils/validation');
#51: child_process — command injection risk HIGH
Source: Code (satelliteClaudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
Line 1: const { spawn } = require('child_process');
#52: child_process — command injection risk HIGH
Source: Code (claudeSearch.service.js)
File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
Line 1: const { exec } = require('child_process');
#53: child_process — command injection risk HIGH
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 4: const { exec } = require('child_process');
#54: Hardcoded API key HIGH
Source: Code (n2yoClient.service.js)
File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';
#55: Hardcoded password HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 87: newErrors.password = 'Password is required';
#56: Hardcoded password HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 89: newErrors.password = 'Password must be at least 8 characters';
#57: Hardcoded password HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';
#58: Hardcoded password HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 95: newErrors.confirmPassword = 'Please confirm your password';
#59: Hardcoded password HIGH
Source: Code (RegisterPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
Line 97: newErrors.confirmPassword = 'Passwords do not match';
#60: Hardcoded password HIGH
Source: Code (LoginPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
Line 82: newErrors.password = 'Password is required';
#61: innerHTML assignment — XSS risk HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#62: React dangerouslySetInnerHTML — XSS risk HIGH
Source: Code (PhotoGallery.jsx)
File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
#63: innerHTML assignment — XSS risk HIGH
Source: Code (MatchSuggestions.jsx)
File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
Line 96: e.target.parentElement.innerHTML = `<span class="text-lg font-bold">${suggestion.user.name[0]}</span>`;
#64: innerHTML assignment — XSS risk HIGH
Source: Code (InstantLightPollutionOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
Line 478: tooltip.innerHTML = `
#65: innerHTML assignment — XSS risk HIGH
Source: Code (CustomLocationMarkers.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
Line 54: el.innerHTML = `
#66: innerHTML assignment — XSS risk HIGH
Source: Code (SimpleBortleOverlay.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
Line 67: svgElement.innerHTML = '';
#67: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 446: el.innerHTML = `
#68: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 534: el.innerHTML = `
#69: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 616: el.innerHTML = `
#70: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1275: loadingIndicator.innerHTML = `
#71: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1421: clickableIndicator.innerHTML = `
#72: innerHTML assignment — XSS risk HIGH
Source: Code (MapLibreMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
Line 1619: errorIndicator.innerHTML = `
#73: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#74: [CVE-2026-26278] fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: fast-xml-parser 5.3.4 → 5.3.6
#75: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#76: [CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#77: [CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.0
#78: [CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.1
#79: [CVE-2025-7338] multer: Multer Denial of Service HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: multer 1.4.5-lts.2 → 2.0.2
#80: [CVE-2026-23745] node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.3
#81: [CVE-2026-23950] node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.4
#82: [CVE-2026-24842] node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.7
#83: [CVE-2026-26960] tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar 6.2.1 → 7.5.8
#84: [CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7
#85: [CVE-2025-48387] tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9
#86: [CVE-2025-59343] tar-fs: tar-fs symlink validation bypass HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6
#87: [CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers HIGH
Source: Code (package-lock.json)
File: packages/api/package-lock.json
Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1
#88: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: axios 1.13.4 → 1.13.5, 0.30.3
#89: [CVE-2026-1615] jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: jsonpath 1.2.1 → no fix
#90: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 3.1.2 → 10.2.1
#91: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 5.1.6 → 10.2.1
#92: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: minimatch 9.0.5 → 10.2.1
#93: [CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity HIGH
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: nth-check 1.0.2 → 2.0.1
#94: MD5 hash usage MEDIUM
Source: Code (analytics.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');
#95: MD5 hash usage MEDIUM
Source: Code (feature-flags.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');
#96: MD5 hash usage MEDIUM
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');
#97: MD5 hash usage MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');
#98: MD5 hash usage MEDIUM
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');
#99: MD5 hash usage MEDIUM
Source: Code (compression.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');
#100: MD5 hash usage MEDIUM
Source: Code (userLocationInteractions.service.js)
File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');
#101: [CVE-2025-69873] ajv: ReDoS via $data reference MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 6.12.6 → 8.18.0, 6.14.0
#102: [CVE-2025-69873] ajv: ReDoS via $data reference MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: ajv 8.17.1 → 8.18.0, 6.14.0
#103: [CVE-2023-44270] PostCSS: Improper input validation in PostCSS MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: postcss 7.0.39 → 8.4.31
#104: [CVE-2025-30359] webpack-dev-server: webpack-dev-server information exposure MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#105: [CVE-2025-30360] webpack-dev-server: webpack-dev-server information exposure MEDIUM
Source: Code (package-lock.json)
File: packages/web/package-lock.json
Line 0: webpack-dev-server 4.15.2 → 5.2.1
#106: Secret: Mapbox API token MEDIUM
Source: Code (fix_all_localhost.sh)
File: fix_all_localhost.sh
Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#107: Secret: Mapbox API token MEDIUM
Source: Code (fix_browser_cache_delirium.sh)
File: fix_browser_cache_delirium.sh
Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
#108: Hardcoded fallback for env variable LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#109: Hardcoded fallback for env variable LOW
Source: Code (server.minimal.js)
File: /opt/darkskyscout/packages/api/src/server.minimal.js
Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
#110: Hardcoded fallback for env variable LOW
Source: Code (server.js)
File: /opt/darkskyscout/packages/api/src/server.js
Line 9: const HOST = process.env.HOST || '0.0.0.0';
#111: Hardcoded fallback for env variable LOW
Source: Code (debug-sky-tracking.js)
File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
Line 13: console.log('   OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');
#112: Hardcoded fallback for env variable LOW
Source: Code (socket.js)
File: /opt/darkskyscout/packages/api/src/socket.js
Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",
#113: Hardcoded fallback for env variable LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#114: Hardcoded fallback for env variable LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#115: Hardcoded fallback for env variable LOW
Source: Code (server.quick.js)
File: /opt/darkskyscout/packages/api/src/server.quick.js
Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#116: Hardcoded fallback for env variable LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 108: host: process.env.REDIS_HOST || 'localhost',
#117: Hardcoded fallback for env variable LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',
#118: Hardcoded fallback for env variable LOW
Source: Code (database.js)
File: /opt/darkskyscout/packages/api/src/config/database.js
Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'
#119: Hardcoded fallback for env variable LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 51: process.env.JWT_SECRET || 'dev-secret',
#120: Hardcoded fallback for env variable LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 112: process.env.JWT_SECRET || 'dev-secret',
#121: Hardcoded fallback for env variable LOW
Source: Code (auth.simple.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');
#122: Hardcoded fallback for env variable LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#123: Hardcoded fallback for env variable LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#124: Hardcoded fallback for env variable LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#125: Hardcoded fallback for env variable LOW
Source: Code (auth.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.js
Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
#126: Hardcoded fallback for env variable LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#127: Hardcoded fallback for env variable LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#128: Hardcoded fallback for env variable LOW
Source: Code (auth.google.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
#129: Hardcoded fallback for env variable LOW
Source: Code (communitySharing.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');
#130: Hardcoded fallback for env variable LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'
#131: Hardcoded fallback for env variable LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',
#132: Hardcoded fallback for env variable LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'
#133: Hardcoded fallback for env variable LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#134: Hardcoded fallback for env variable LOW
Source: Code (auth-social.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#135: Hardcoded fallback for env variable LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',
#136: Hardcoded fallback for env variable LOW
Source: Code (auth.repair.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',
#137: Hardcoded fallback for env variable LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
#138: Hardcoded fallback for env variable LOW
Source: Code (auth.routes.js)
File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
#139: Hardcoded fallback for env variable LOW
Source: Code (analytics.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);
#140: Hardcoded fallback for env variable LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 263: host: process.env.REDIS_HOST || 'localhost',
#141: Hardcoded fallback for env variable LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 417: timezone: process.env.TZ || 'UTC'
#142: Hardcoded fallback for env variable LOW
Source: Code (manager.js)
File: /opt/darkskyscout/packages/api/src/workers/manager.js
Line 785: version: process.env.npm_package_version || 'unknown',
#143: Hardcoded fallback for env variable LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 240: host: process.env.REDIS_HOST || 'localhost',
#144: Hardcoded fallback for env variable LOW
Source: Code (weather-scraper.js)
File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
Line 248: host: process.env.REDIS_HOST || 'localhost',
#145: Hardcoded fallback for env variable LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';
#146: Hardcoded fallback for env variable LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';
#147: Hardcoded fallback for env variable LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 438: const logsDir = process.env.LOGS_DIR || '/logs';
#148: Hardcoded fallback for env variable LOW
Source: Code (cleanup.worker.js)
File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';
#149: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 33: host: process.env.REDIS_HOST || 'localhost',
#150: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 51: host: process.env.REDIS_HOST || 'localhost',
#151: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 69: host: process.env.REDIS_HOST || 'localhost',
#152: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 87: host: process.env.REDIS_HOST || 'localhost',
#153: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 105: host: process.env.REDIS_HOST || 'localhost',
#154: Hardcoded fallback for env variable LOW
Source: Code (index.js)
File: /opt/darkskyscout/packages/api/src/workers/index.js
Line 119: host: process.env.REDIS_HOST || 'localhost',
#155: Hardcoded fallback for env variable LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',
#156: Hardcoded fallback for env variable LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 348: version: process.env.APP_VERSION || '1.0.0',
#157: Hardcoded fallback for env variable LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 349: environment: process.env.NODE_ENV || 'development'
#158: Hardcoded fallback for env variable LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 364: version: process.env.APP_VERSION || '1.0.0',
#159: Hardcoded fallback for env variable LOW
Source: Code (monitoring.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
Line 365: environment: process.env.NODE_ENV || 'development',
#160: Hardcoded fallback for env variable LOW
Source: Code (error.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'
#161: Hardcoded fallback for env variable LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 12: region: process.env.AWS_REGION || 'eu-west-1',
#162: Hardcoded fallback for env variable LOW
Source: Code (upload.js)
File: /opt/darkskyscout/packages/api/src/middleware/upload.js
Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';
#163: Hardcoded fallback for env variable (the fallback is a JWT signing key, not a configuration default: if JWT_SECRET is unset, anyone who has read the source can forge valid tokens) LOW
Source: Code (auth.middleware.simple.js)
File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';
#164: Hardcoded fallback for env variable LOW
Source: Code (logging.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
Line 182: const environment = process.env.NODE_ENV || 'development';
#165: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',
#166: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'
#167: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',
#168: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'
#169: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',
#170: Hardcoded fallback for env variable LOW
Source: Code (mobile.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'
#171: Hardcoded fallback for env variable LOW
Source: Code (maintenance.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'
#172: Hardcoded fallback for env variable LOW
Source: Code (cache.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',
#173: Hardcoded fallback for env variable LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',
#174: Hardcoded fallback for env variable LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',
#175: Hardcoded fallback for env variable LOW
Source: Code (geo.middleware.js)
File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',
#176: Hardcoded fallback for env variable LOW
Source: Code (LocationService.js)
File: /opt/darkskyscout/packages/api/src/services/LocationService.js
Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',
#177: Hardcoded fallback for env variable LOW
Source: Code (ai.grok.js)
File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL
#178: Hardcoded fallback for env variable (defaults to us-east-1 while upload.js defaults to eu-west-1, so with AWS_REGION unset the two code paths address different regions) LOW
Source: Code (MediaService.js)
File: /opt/darkskyscout/packages/api/src/services/MediaService.js
Line 32: region: process.env.AWS_REGION || 'us-east-1'
#179: Hardcoded fallback for env variable (the fallback 'https://your-app.vercel.app' is a template placeholder: with SATELLITE_PROXY_URL unset, proxy requests go to a hostname the project does not necessarily control) LOW
Source: Code (skyInterference.proxy.service.js)
File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';
#180: Hardcoded fallback for env variable LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',
#181: Hardcoded fallback for env variable LOW
Source: Code (aiEngineManager.service.js)
File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),
#182: Hardcoded fallback for env variable LOW
Source: Code (googleAuthRepair.service.js)
File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
#183: Hardcoded fallback for env variable LOW
Source: Code (lightPollution.realtime.service.js)
File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',
#184: Hardcoded fallback for env variable LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 262: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#185: Hardcoded fallback for env variable LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 297: from: process.env.EMAIL_FROM || 'SkyScout <noreply@skyscout.app>',
#186: Hardcoded fallback for env variable LOW
Source: Code (EmailService.js)
File: /opt/darkskyscout/packages/api/src/services/EmailService.js
Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'
#187: Hardcoded fallback for env variable LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';
#188: Hardcoded fallback for env variable LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net';
#189: Hardcoded fallback for env variable (the fallback is a full-strength registration secret committed to the source tree and used whenever MATRIX_REGISTRATION_SECRET is unset; treat it as exposed and rotate it on the homeserver) LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q';
#190: Hardcoded fallback for env variable (a second, different fallback for JWT_SECRET: with the variable unset, tokens signed in auth.middleware.simple.js will not verify here, and this short fixed value is trivially guessable) LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret';
#191: Hardcoded fallback for env variable LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin',
#192: Hardcoded fallback for env variable (the fallback is the Matrix admin password; with MATRIX_ADMIN_PASSWORD unset this known value grants admin access to the homeserver) LOW
Source: Code (matrix.service.js)
File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!'
#193: Hardcoded fallback for env variable (defaults to 'skyscout-media' while upload.js defaults to 'skyscout-uploads'; the two defaults for AWS_S3_BUCKET disagree) LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media';
#194: Hardcoded fallback for env variable LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#195: Hardcoded fallback for env variable LOW
Source: Code (s3Service.js)
File: /opt/darkskyscout/packages/api/src/services/s3Service.js
Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net';
#196: Hardcoded fallback for env variable LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324';
#197: Hardcoded fallback for env variable LOW
Source: Code (ai.huggingface.js)
File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js
Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#198: Hardcoded fallback for env variable LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h';
#199: Hardcoded fallback for env variable LOW
Source: Code (AuthService.js)
File: /opt/darkskyscout/packages/api/src/services/AuthService.js
Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d';
#200: Hardcoded fallback for env variable LOW
Source: Code (emailService.js)
File: /opt/darkskyscout/packages/api/src/services/emailService.js
Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net';
#201: Hardcoded fallback for env variable LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1';
#202: Hardcoded fallback for env variable LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022';
#203: Hardcoded fallback for env variable LOW
Source: Code (claudeAPI.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js
Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01';
#204: Hardcoded fallback for env variable LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions';
#205: Hardcoded fallback for env variable LOW
Source: Code (deepseek.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3';
#206: Hardcoded fallback for env variable LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1';
#207: Hardcoded fallback for env variable LOW
Source: Code (openai.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js
Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4';
#208: Hardcoded fallback for env variable LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude';
#209: Hardcoded fallback for env variable LOW
Source: Code (claudeCode.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model
#210: Hardcoded fallback for env variable LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models';
#211: Hardcoded fallback for env variable LOW
Source: Code (huggingface.adapter.js)
File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js
Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large';
#212: Hardcoded fallback for env variable LOW
Source: Code (test-api-connection.js)
File: /opt/darkskyscout/packages/web/src/test-api-connection.js
Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net';
#213: Hardcoded fallback for env variable LOW
Source: Code (geocoding.service.js)
File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js
Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#214: Hardcoded fallback for env variable LOW
Source: Code (externalLocation.service.js)
File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js
Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api';
#215: Hardcoded fallback for env variable LOW
Source: Code (communitySharing.service.js)
File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js
Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#216: Hardcoded fallback for env variable LOW
Source: Code (AIEngineAdminPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx
Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#217: Hardcoded fallback for env variable LOW
Source: Code (AccommodationDetailPage.jsx)
File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx
Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#218: Hardcoded fallback for env variable LOW
Source: Code (AIEngineManager.jsx)
File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx
Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api';
#219: Hardcoded fallback for env variable (the fallback has the shape of a Mapbox public token but ends in ".placeholder", so it is an invalid stub rather than a live credential; map loading will fail if REACT_APP_MAPBOX_ACCESS_TOKEN is unset, and any REACT_APP_ value is compiled into the public bundle in any case) LOW
Source: Code (MapboxMap.jsx)
File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx
Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder';
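Not all of the "hardcoded fallback" findings above carry the same risk. A default AWS region, store URL or app version is a configuration smell; a default JWT secret, Matrix registration secret or admin password is a credential that ships in the source tree and is silently used the moment the variable is missing from the environment. The block below is an added example, not code from the darkskyscout project: a fail-fast config loader of the kind a practitioner would substitute for the `process.env.X || 'default'` pattern. Non-secret settings may keep a default (logged, not silent); secrets must be present, long enough and not a known placeholder; service URLs may fall back to localhost only outside production. The variable names are taken from the findings; the placeholder markers, minimum lengths, development URL defaults and the sample env objects are assumptions chosen for the illustration, and the env object is passed in so the loader can be exercised without touching process.env.

```javascript
'use strict';

// Substrings that mark a "secret" as a template placeholder rather than a real credential.
// Taken from the fallbacks reported above; extend as needed (assumed list, not exhaustive).
const PLACEHOLDER_MARKERS = ['change-in-production', 'for-testing-only', 'placeholder', 'your-app', 'changeme', 'example'];
const PLACEHOLDER_EXACT = new Set(['demo', 'demo_key']);

// Hosts that are acceptable in development but never in production.
const LOCAL_HOSTS = new Set(['localhost', '127.0.0.1', '::1']);

function looksLikePlaceholder(value) {
  const v = value.toLowerCase();
  return PLACEHOLDER_EXACT.has(v) || PLACEHOLDER_MARKERS.some((m) => v.includes(m));
}

// A secret must be present, long enough and not a placeholder. There is deliberately no default.
function requireSecret(env, name, minLength = 32) {
  const value = env[name];
  if (value === undefined || value === '') throw new Error(`${name} is not set`);
  if (value.length < minLength) throw new Error(`${name} is shorter than ${minLength} characters`);
  if (looksLikePlaceholder(value)) throw new Error(`${name} looks like a placeholder value`);
  return value;
}

// A non-secret setting may have a default, but falling back to it is logged rather than silent.
function optional(env, name, fallback, log) {
  if (env[name] === undefined || env[name] === '') {
    log(`config: ${name} unset, using default ${JSON.stringify(fallback)}`);
    return fallback;
  }
  return env[name];
}

// Service URLs may default to localhost in development only; in production they must be set
// and must not point at a loopback or placeholder host.
function serviceUrl(env, name, devFallback, isProduction, log) {
  const value = env[name];
  if (value === undefined || value === '') {
    if (isProduction) throw new Error(`${name} must be set in production`);
    log(`config: ${name} unset, using development default ${devFallback}`);
    return devFallback;
  }
  const host = new URL(value).hostname; // throws on a malformed URL, which is also a config error
  if (isProduction && (LOCAL_HOSTS.has(host) || looksLikePlaceholder(host))) {
    throw new Error(`${name} points at ${host}, which is not allowed in production`);
  }
  return value;
}

// Builds the config from an env object (process.env in real use) or throws on the first problem.
function loadConfig(env, log = () => {}) {
  const nodeEnv = optional(env, 'NODE_ENV', 'development', log);
  const isProduction = nodeEnv === 'production';
  return {
    nodeEnv,
    jwtSecret: requireSecret(env, 'JWT_SECRET'),
    matrixRegistrationSecret: requireSecret(env, 'MATRIX_REGISTRATION_SECRET'),
    matrixAdminPassword: requireSecret(env, 'MATRIX_ADMIN_PASSWORD', 16),
    redisUrl: serviceUrl(env, 'REDIS_URL', 'redis://localhost:6379', isProduction, log),
    matrixServerUrl: serviceUrl(env, 'MATRIX_SERVER_URL', 'http://localhost:8008', isProduction, log),
    satelliteProxyUrl: serviceUrl(env, 'SATELLITE_PROXY_URL', 'http://localhost:3000', isProduction, log),
    awsRegion: optional(env, 'AWS_REGION', 'eu-west-1', log),
    jwtExpiration: optional(env, 'JWT_EXPIRATION', '24h', log),
  };
}

// Constructed sample environments; the secret values are filler, not real credentials.
const SAMPLE_DEV_ENV = {
  NODE_ENV: 'development',
  JWT_SECRET: 'k'.repeat(48),
  MATRIX_REGISTRATION_SECRET: 'r'.repeat(48),
  MATRIX_ADMIN_PASSWORD: 'p'.repeat(24),
};

// A production deploy that forgot to override the committed JWT fallback.
const SAMPLE_PROD_ENV_WITH_LEFTOVER = {
  ...SAMPLE_DEV_ENV,
  NODE_ENV: 'production',
  JWT_SECRET: 'dev-jwt-secret-key-for-testing-only-change-in-production',
  REDIS_URL: 'redis://cache.internal:6379',
};

// Returns the error message for a bad env, or null when the env loads cleanly.
function configError(env) {
  try { loadConfig(env); return null; } catch (e) { return e.message; }
}

console.log(JSON.stringify(loadConfig(SAMPLE_DEV_ENV, console.log), null, 2));
console.log('production leftovers:', configError(SAMPLE_PROD_ENV_WITH_LEFTOVER));
```

In real use `loadConfig(process.env, console.warn)` runs once at startup, so a deploy with a missing or leftover secret fails before it serves a single request instead of quietly signing tokens with a value that is in the repository.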
#220: Debug mode enabled (Flask debug=True turns on the Werkzeug interactive debugger and auto-reloader; the debugger allows code execution on the host from any browser that can reach the app, here only via 127.0.0.1 or whatever reverse proxy sits in front of it) MEDIUM
Source: Code (app.py)
File: /home/webhook/picobernacca/app.py
Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True)
#221: Inline event handler — potential XSS vector (false positive: the matched text is the content= attribute of a <meta> tag, whose substring "ontent=" satisfies an unanchored on[a-z]+= pattern; there is no on* event handler on this line) LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 5: <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
#222: Inline event handler — potential XSS vector (false positive, same cause as #221) LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 6: <meta name="theme-color" content="#0a0a28">
#223: Inline event handler — potential XSS vector (false positive, same cause as #221) LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 7: <meta name="apple-mobile-web-app-capable" content="yes">
#224: Inline event handler — potential XSS vector (false positive, same cause as #221) LOW
Source: Code (dashboard.html)
File: /home/webhook/picobernacca/templates/dashboard.html
Line 8: <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
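The four findings above are what an unanchored pattern produces: "on" followed by letters and "=" occurs inside the attribute name content=, so every <meta ... content="..."> line is reported. The block below is an added example, not part of the SecShield scanner or of the picobernacca project, showing the naive pattern beside an anchored one that requires the attribute name to start a token, run over the four <meta> lines from the report plus constructed lines containing a genuine inline handler. The regex wording and the sample markup beyond the quoted <meta> lines are assumptions for the illustration.

```javascript
'use strict';

// The kind of unanchored pattern that produced findings #221-#224: "on" + letters + "=" anywhere in
// the line, which the substring "ontent=" inside content= satisfies.
const NAIVE_HANDLER_RE = /on[a-z]+\s*=/i;

// Anchored pattern: an event attribute name must start a token, i.e. it cannot be preceded by a
// word character or a hyphen. content= and data-on-change= no longer match; onerror= and
// onClick = still do.
const HANDLER_RE = /(?<![\w-])on[a-z]+\s*=/i;

// Scans HTML line by line and reports the first inline-handler match per line.
function findInlineHandlers(html, re = HANDLER_RE) {
  const hits = [];
  html.split('\n').forEach((line, index) => {
    const m = re.exec(line);
    if (m) hits.push({ line: index + 1, match: m[0].trim(), text: line.trim() });
  });
  return hits;
}

// Constructed sample: the four <meta> lines quoted in the report, one attribute with "on" inside
// its name, and two real inline handlers that a scanner should flag.
const SAMPLE_HTML = [
  '<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">',
  '<meta name="theme-color" content="#0a0a28">',
  '<meta name="apple-mobile-web-app-capable" content="yes">',
  '<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">',
  '<div data-on-change="refresh">status</div>',
  '<img src="x" onerror="alert(document.domain)">',
  '<button onClick = "submitForm()">Go</button>',
].join('\n');

console.log('naive pattern flags', findInlineHandlers(SAMPLE_HTML, NAIVE_HANDLER_RE).length, 'lines');
console.log('anchored pattern flags:', findInlineHandlers(SAMPLE_HTML));
```

The naive pattern flags six of the seven lines; the anchored one flags only the two that actually carry an on* attribute. A regex scan still cannot tell a handler with a constant body from one that interpolates untrusted data, so a hit is a place to read, not a confirmed XSS.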
#225: Active SSH brute-force attack with no fail2ban protection CRITICAL
Source: AI Analysis
Logs show an active brute-force attack from 222.121.250.156 cycling through the root, admin, oracle, usuario and test usernames and repeatedly hitting sshd's "maximum authentication attempts exceeded" limit. fail2ban is INACTIVE, so nothing bans the source address automatically. With PasswordAuthentication=yes on SSH, any account that has a guessable password is likely to be compromised. MaxStartups throttling events in the log confirm that the volume of unauthenticated connections is high enough for sshd to drop new ones.
Fix:
  sudo apt install fail2ban && sudo systemctl enable --now fail2ban
  Create /etc/fail2ban/jail.local:
    [sshd]
    enabled = true
    port = 22
    filter = sshd
    maxretry = 3
    bantime = 3600
    findtime = 600
    banaction = nftables-multiport
  If the host logs only to the journal (no /var/log/auth.log), add backend = systemd to the jail, otherwise fail2ban finds no log file and the jail does not start. Then restart and confirm the jail is running and has begun banning:
    sudo systemctl restart fail2ban
    sudo fail2ban-client status sshd
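What the jail above does is a sliding-window count: an address that produces maxretry failures within findtime seconds is banned for bantime. The block below is an added example, not part of the report and not fail2ban's own code: it parses the sshd failure messages fail2ban's sshd filter also keys on from journalctl -o short-iso style lines and applies the same maxretry/findtime rule, which is useful for checking a proposed jail against a real log extract (journalctl -u ssh -o short-iso | node detect.js) before enabling it. The log lines are constructed for the example (the attacking address from the report is reused; the other addresses, timestamps, PIDs and ports are invented), and the hostname and message wording are assumed to follow OpenSSH's usual format.

```javascript
'use strict';

// Matches the sshd failure messages fail2ban's sshd filter also keys on; captures user and source IP.
const FAIL_RE = /sshd\[\d+\]: (?:Failed password for|error: maximum authentication attempts exceeded for) (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/;

// journalctl -o short-iso prints offsets as +0000; Date.parse wants +00:00.
function parseTimestamp(token) {
  const iso = token.replace(/([+-]\d{2})(\d{2})$/, '$1:$2');
  const ms = Date.parse(iso);
  if (Number.isNaN(ms)) throw new Error(`unparseable timestamp: ${token}`);
  return ms;
}

// Turns log lines into {ts, user, ip} failure events; everything else (accepted logins,
// "Invalid user" preambles, MaxStartups drops) is ignored.
function parseFailures(lines) {
  const events = [];
  for (const line of lines) {
    const m = FAIL_RE.exec(line);
    if (!m) continue;
    const ts = parseTimestamp(line.split(' ', 1)[0]);
    events.push({ ts, user: m[1], ip: m[2] });
  }
  return events;
}

// Sliding-window rule: an IP is banned at the moment it reaches `maxretry` failures within
// `findtime` seconds. Later events from a banned IP are not counted again (fail2ban would have
// dropped them at the firewall) but the usernames it tried are still recorded.
function ipsToBan(events, { maxretry = 3, findtime = 600 } = {}) {
  const windowMs = findtime * 1000;
  const byIp = new Map();
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const state = byIp.get(ev.ip) || { recent: [], users: new Set(), banAt: null };
    byIp.set(ev.ip, state);
    state.users.add(ev.user);
    if (state.banAt !== null) continue;
    state.recent.push(ev.ts);
    state.recent = state.recent.filter((t) => ev.ts - t <= windowMs);
    if (state.recent.length >= maxretry) state.banAt = ev.ts;
  }
  const result = {};
  for (const [ip, s] of byIp) {
    if (s.banAt !== null) result[ip] = { banAt: new Date(s.banAt).toISOString(), users: [...s.users].sort() };
  }
  return result;
}

// Constructed sample in `journalctl -u ssh -o short-iso` form (not real log data).
const SAMPLE_LOG = [
  '2026-02-24T08:00:00+0000 host sshd[3101]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2',
  '2026-02-24T08:10:01+0000 host sshd[3102]: Invalid user oracle from 222.121.250.156 port 50522',
  '2026-02-24T08:10:03+0000 host sshd[3102]: Failed password for invalid user oracle from 222.121.250.156 port 50522 ssh2',
  '2026-02-24T08:10:09+0000 host sshd[3103]: Failed password for root from 222.121.250.156 port 50530 ssh2',
  '2026-02-24T08:10:15+0000 host sshd[3104]: Accepted publickey for root from 203.0.113.10 port 40000 ssh2: ED25519 SHA256:constructed',
  '2026-02-24T08:10:20+0000 host sshd[3105]: Failed password for invalid user usuario from 222.121.250.156 port 50541 ssh2',
  '2026-02-24T08:10:31+0000 host sshd[3106]: error: maximum authentication attempts exceeded for invalid user test from 222.121.250.156 port 50550 ssh2 [preauth]',
  '2026-02-24T08:10:40+0000 host sshd[3100]: drop connection #11 from [222.121.250.156]:50560 on [10.0.0.5]:22 past MaxStartups',
  '2026-02-24T08:30:00+0000 host sshd[3107]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2',
];

console.log(JSON.stringify(ipsToBan(parseFailures(SAMPLE_LOG), { maxretry: 3, findtime: 600 }), null, 2));
```

With the jail values from the fix (maxretry 3, findtime 600) the attacker is banned at its third failure, while the second address, which fails twice thirty minutes apart, is not; widening findtime to an hour with maxretry 2 would ban both, which is the trade-off to check against your own users' typo rate before lowering maxretry.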
#226: SSH password authentication enabled alongside active brute-force HIGH
Source: AI Analysis
PasswordAuthentication is set to 'yes' in both the config file and the running daemon. With a brute-force attack in progress and no fail2ban, this significantly increases the risk of unauthorized access. Key-based authentication is already configured (1 ed25519 key for root), so password auth can be disabled.
Fix:
  Edit /etc/ssh/sshd_config, or add a file under /etc/ssh/sshd_config.d/ (Debian includes that directory at the top of sshd_config, and sshd keeps the first value it reads for an option, so a setting in an included file wins over one written lower in sshd_config):
    PasswordAuthentication no
    KbdInteractiveAuthentication no
  Then validate, reload and confirm the effective values:
    sudo sshd -t && sudo systemctl reload sshd
    sudo sshd -T | grep -iE '^(password|kbdinteractive)authentication'
  WARNING: Verify your SSH key access works from a second session before closing the current one. KbdInteractiveAuthentication is set to no as well because PAM keyboard-interactive can otherwise still accept a password.
#227: Multiple unidentified services exposed on all interfaces HIGH
Source: AI Analysis
12 services are bound to 0.0.0.0 or [::]. Several have no identified process name: port 3030 (unknown), port 8065 (unknown), port 3050 (node). Ports 8000 and 8003 run unidentified Python processes, and port 5055 runs python3. Without nftables rule visibility, it is unclear whether these are filtered. Unnecessary exposure increases the attack surface significantly.
Fix:
  1. Identify all services (the pattern is anchored on the port so PIDs do not match): sudo ss -tlnp | grep -E ':(3030|8065|3050|8000|8003|5055)\b'
  2. Bind internal-only services to 127.0.0.1
  3. If services must be public, ensure nftables rules restrict access: sudo nft list ruleset
  4. For services behind the nginx reverse proxy, bind to 127.0.0.1 and proxy through nginx
#228: MQTT broker (Mosquitto) exposed on ports 8883 and 9001 HIGH
Source: AI Analysis
Mosquitto MQTT broker is listening on 0.0.0.0:8883 (MQTT over TLS) and 0.0.0.0:9001 (likely WebSocket). MQTT brokers exposed to the internet are frequent targets for unauthorized subscription/publishing attacks. If authentication is not configured or uses weak credentials, attackers can intercept or inject messages into IoT communication channels.
Fix:
  1. Verify Mosquitto requires authentication. Debian's mosquitto.conf also includes /etc/mosquitto/conf.d/, so check both:
     grep -hE '^\s*(listener|bind_address|allow_anonymous|password_file|require_certificate)' /etc/mosquitto/mosquitto.conf /etc/mosquitto/conf.d/*.conf
  2. Ensure allow_anonymous is set to false
  3. If only internal clients need access, bind the listeners to loopback (listener 8883 127.0.0.1)
  4. Otherwise restrict access via nftables to known client IPs. The rule below assumes an existing inet filter table with an input chain; nft add rule appends to the chain, so if an earlier rule already accepts the traffic use nft insert rule to place it first:
     sudo nft add rule inet filter input tcp dport {8883, 9001} ip saddr != {trusted_ip} drop
#229: No password complexity or account lockout policies configured HIGH
Source: AI Analysis
pam_pwquality is not configured (no password complexity enforcement) and pam_faillock is not configured (no account lockout after failed attempts). PASS_MAX_DAYS is 99999 (no password expiration), PASS_MIN_DAYS is 0. Combined with password authentication being enabled on SSH, weak passwords could be set and brute-forced indefinitely at the PAM level.
Fix:
  1. Install and configure pam_pwquality:
     sudo apt install libpam-pwquality
     Edit /etc/security/pwquality.conf:
       minlen = 12
       dcredit = -1
       ucredit = -1
       lcredit = -1
       ocredit = -1
  2. Configure pam_faillock in /etc/pam.d/common-auth. Order matters: preauth goes before the existing pam_unix.so line, authfail and authsucc directly after it, and the pam_unix jump count must skip exactly the authfail line, e.g.:
       auth required pam_faillock.so preauth deny=5 unlock_time=900
       auth [success=1 default=ignore] pam_unix.so nullok
       auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
       auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900
     and /etc/pam.d/common-account needs:
       account required pam_faillock.so
     pam-auth-update regenerates common-auth from the profiles in /usr/share/pam-configs/ and may overwrite a hand-edited file; adding a profile there is the durable option.
  3. Edit /etc/login.defs:
       PASS_MAX_DAYS 90
       PASS_MIN_DAYS 1
#230: SSH X11 forwarding and TCP forwarding enabled MEDIUM
Source: AI Analysis
X11Forwarding is set to 'yes' and AllowTcpForwarding is 'yes'. With X11 forwarding on, a compromised server can reach the X display of any administrator who connects with ssh -X, so the exposure runs from server to client. TCP forwarding lets anyone with an SSH login tunnel through the server, which an attacker can use for lateral movement into the internal network or as a proxy for outbound traffic. On a server (not a workstation), neither is typically needed.
Fix:
  Edit /etc/ssh/sshd_config:
    X11Forwarding no
    AllowTcpForwarding no
    AllowAgentForwarding no
  Then: sudo sshd -t && sudo systemctl reload sshd
#231: No SSH idle session timeout configured MEDIUM
Source: AI Analysis
ClientAliveInterval is 0 and UnusedConnectionTimeout is 'none'. Idle SSH sessions remain open indefinitely, increasing the risk of session hijacking if a workstation is left unattended. MaxAuthTries is 6 (recommended <= 4), giving attackers more password guesses per connection.
Fix:
  Edit /etc/ssh/sshd_config:
    ClientAliveInterval 300
    ClientAliveCountMax 2
    MaxAuthTries 4
  Then: sudo sshd -t && sudo systemctl reload sshd
  Note: ClientAlive* only drops connections whose client stops answering keepalive probes (a dead link or a crashed client); a live but idle interactive session is not terminated by it. To close idle shells, set TMOUT in a file under /etc/profile.d/ as well, and use UnusedConnectionTimeout (OpenSSH 9.2+) for connections that have no open channels.
#232: SUID core dumps enabled (fs.suid_dumpable=2) MEDIUM
Source: AI Analysis
fs.suid_dumpable is set to 2 (suidsafe), which allows core dumps of SUID processes to be written (readable only by root). Core dumps from privileged processes can leak sensitive data such as passwords, encryption keys, or memory contents of privileged applications.
Fix:
  sudo sysctl -w fs.suid_dumpable=0
  echo 'fs.suid_dumpable = 0' | sudo tee -a /etc/sysctl.d/99-security.conf
  sudo sysctl -p /etc/sysctl.d/99-security.conf
  (tee -a appends; the network settings from #235 go into the same file, and a plain tee would overwrite whichever was written first.)
#233: Root filesystem at 80% capacity MEDIUM
Source: AI Analysis
The root partition (/) is at 80% usage with 7.3G remaining of 38G. While not immediately critical, continued growth (especially from logs, Docker images, or database data) could cause service failures. The Docker overlay filesystem shares the same partition. A full disk can cause PostgreSQL corruption, application crashes, and an inability to write logs.
Fix:
  1. Review disk usage: sudo du -sh /var/log /var/lib/docker /var/lib/postgresql /tmp
  2. Clean Docker resources (this removes every image not used by a running container, including the images of stopped containers, so confirm nothing needed is stopped first): sudo docker system prune -a
  3. Review and rotate logs: sudo journalctl --vacuum-size=500M
  4. Consider moving /var/lib/docker or /var/lib/postgresql to /mnt/HC_Volume_104305213 (28G available)
  5. Set up monitoring/alerting at an 85% threshold
#234: SSH minimum RSA key size set to 1024 bits MEDIUM
Source: AI Analysis
RequiredRSASize is 1024, which is the OpenSSH default and allows weak RSA keys. NIST disallowed 1024-bit RSA for digital signatures after 2013 (SP 800-131A). While the configured host key is Ed25519 (strong), clients could still authenticate with 1024-bit RSA user keys.
Fix:
  Check first that no existing authorized key would be refused (ssh-keygen -lf <authorized_keys file> prints the bit length of each key). Then edit /etc/ssh/sshd_config:
    RequiredRSASize 3072
  Then: sudo sshd -t && sudo systemctl reload sshd
#235: ICMP redirect sending enabled and martian logging disabled LOW
Source: AI Analysis
net.ipv4.conf.all.send_redirects=1 allows the server to send ICMP redirect messages, which could be abused for MITM attacks on the local network; this matters here because the host forwards packets (see #238), and a non-forwarding host never sends redirects. net.ipv4.conf.all.log_martians=0 means packets with impossible source addresses are not logged, reducing visibility into potential spoofing attacks.
Fix:
  sudo sysctl -w net.ipv4.conf.all.send_redirects=0
  sudo sysctl -w net.ipv4.conf.default.send_redirects=0
  sudo sysctl -w net.ipv4.conf.all.log_martians=1
  Persist by appending to /etc/sysctl.d/99-security.conf (append rather than overwrite, since #232 uses the same file):
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.all.log_martians = 1
#236: SSH Debian banner and deprecated authorized_keys2 path enabled LOW
Source: AI Analysis
DebianBanner is 'yes', disclosing the OS distribution to clients during the SSH handshake. AuthorizedKeysFile includes '.ssh/authorized_keys2', a deprecated path that could be used to plant backdoor keys in a less obvious location. Both are information disclosure / attack surface issues.
Fix:
  First check that no keys live in the deprecated path (any that do stop working once it is removed from AuthorizedKeysFile):
    sudo find /home /root -name authorized_keys2 -ls
  Then edit /etc/ssh/sshd_config:
    DebianBanner no
    AuthorizedKeysFile .ssh/authorized_keys
  Then: sudo sshd -t && sudo systemctl reload sshd
#237: SSH includes weak MAC algorithms LOW
Source: AI Analysis
The SSH MAC configuration includes hmac-sha1 and umac-64 variants, which are considered weak. While ETM (Encrypt-then-MAC) variants are present and preferred, the non-ETM hmac-sha1 and umac-64 are still accepted, allowing downgrade by a capable attacker.
Fix:
  Edit /etc/ssh/sshd_config:
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
  Then: sudo sshd -t && sudo systemctl reload sshd
  Verify with: sudo sshd -T | grep '^macs'
  Note: the MAC list is only consulted for non-AEAD ciphers; sessions negotiated with chacha20-poly1305@openssh.com or aes*-gcm@openssh.com carry their own integrity protection and ignore this setting.
#238: IP forwarding enabled (verify necessity) LOW
Source: AI Analysis
net.ipv4.ip_forward=1 enables the kernel to route packets between network interfaces. This is typically required for Docker networking and is expected on this system (Docker/containerd are present). If Docker is not actually used for inter-container or host networking, disable it so the server cannot be used as a router in network attacks.
Fix:
  If Docker requires it, this is expected and no action is needed. If Docker is not in use:
    sudo sysctl -w net.ipv4.ip_forward=0
  Note that dockerd turns ip_forward back on each time it starts unless "ip-forward": false is set in /etc/docker/daemon.json, so changing the sysctl alone does not persist while the Docker service is enabled.
Generated by SecShield — AI Security Analyst