======================================================================
SecShield Security Report — 2026-02-24 08:22 UTC
======================================================================
Security Grade: F (0/100)
CRITICAL: 2 | HIGH: 68 | MEDIUM: 38 | LOW: 130
----------------------------------------------------------------------
FINDINGS
----------------------------------------------------------------------
[HIGH] #1: UFW firewall is INACTIVE (iptables/nftables may be configured directly)
  Source: OS/Firewall
[HIGH] #2: fail2ban is INACTIVE — no brute-force protection
  Source: OS/Firewall
[MEDIUM] #3: Password authentication is enabled (prefer key-only)
  Source: SSH
[MEDIUM] #4: X11 forwarding is enabled
  Source: SSH
[MEDIUM] #5: TCP forwarding is enabled
  Source: SSH
[MEDIUM] #6: MaxAuthTries is 6 (recommend <= 4)
  Source: SSH
[MEDIUM] #7: ClientAliveInterval is 0 (no idle timeout)
  Source: SSH
[MEDIUM] #8: 30 non-standard SUID/SGID binaries
  Source: Permissions
    /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chsh
    /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/chfn
    /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/mount
    /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/umount
    /var/lib/docker/rootfs/overlayfs/15d42d5e4b02b74722adff094f90d72fc172c16f12d28339aeb7d3fabbcdf746/usr/bin/expiry
[MEDIUM] #9: PASS_MAX_DAYS is 99999 (recommend <= 90)
  Source: Password Policy
[MEDIUM] #10: PASS_MIN_DAYS is 0 — no minimum password age
  Source: Password Policy
[MEDIUM] #11: PASS_MIN_LEN is 5 (recommend >= 8)
  Source: Password Policy
[MEDIUM] #12: No account lockout policy (pam_faillock/pam_tally2 not configured)
  Source: Password Policy
[MEDIUM] #13: pam_pwquality not configured — no password complexity enforcement
  Source: Password Policy
[LOW] #14: net.ipv4.ip_forward=1 (IP forwarding enabled — router mode)
  Source: Kernel
[LOW] #15: net.ipv4.conf.all.send_redirects=1 (ICMP redirect sending enabled)
  Source: Kernel
[LOW] #16: net.ipv4.conf.all.log_martians=0 (Martian packet logging disabled)
  Source: Kernel
[LOW] #17: fs.suid_dumpable=2 (SUID core dumps enabled)
  Source: Kernel
[LOW] #18: DMARC policy is 'none' — not enforcing
  Source: DNS (home.xamad.net)
[LOW] #19: DNSSEC not enabled
  Source: DNS (home.xamad.net)
[LOW] #20: DMARC policy is 'none' — not enforcing
  Source: DNS (secshield.xamad.net)
[LOW] #21: DNSSEC not enabled
  Source: DNS (secshield.xamad.net)
[HIGH] #22: darkskyscout API (port 3030) bound to 0.0.0.0 — should be 127.0.0.1
  Source: Network
  Service '' is listening on all interfaces but config expects localhost only
[MEDIUM] #23: Unexpected exposed port 8883 (mosquitto)
  Source: Network
  Port 8883 is listening on 0.0.0.0 but not in expected_ports config
[MEDIUM] #24: Unexpected exposed port 5055 (python3)
  Source: Network
  Port 5055 is listening on 0.0.0.0 but not in expected_ports config
[MEDIUM] #25: Unexpected exposed port 9001 (mosquitto)
  Source: Network
  Port 9001 is listening on 0.0.0.0 but not in expected_ports config
[MEDIUM] #26: Unexpected exposed port 8003 (python)
  Source: Network
  Port 8003 is listening on 0.0.0.0 but not in expected_ports config
[MEDIUM] #27: Unexpected exposed port 8000 (python)
  Source: Network
  Port 8000 is listening on 0.0.0.0 but not in expected_ports config
[MEDIUM] #28: Unexpected exposed port 3050 (node)
  Source: Network
  Port 3050 is listening on * but not in expected_ports config
[MEDIUM] #29: Unexpected exposed port 8065 ()
  Source: Network
  Port 8065 is listening on * but not in expected_ports config
[LOW] #30: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
  Source: Headers (home.xamad.net)
[LOW] #31: Missing security headers: XSS protection header, Content-Type sniffing protection, HSTS, CSP, Clickjacking protection
  Source: Headers (secshield.xamad.net)
[CRITICAL] #32: [CVE-2026-25896] fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: fast-xml-parser 5.3.4 → 5.3.5
[HIGH] #33: Hardcoded API key
  Source: Code ([...path].js)
  File: /opt/darkskyscout/vercel-satellite-proxy/api/n2yo/[...path].js
  Line 45: if (!apiKey || apiKey === 'your_n2yo_api_key_here') {
[HIGH] #34: Hardcoded API key
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 51: if (!OPENWEATHER_API_KEY || OPENWEATHER_API_KEY === 'demo_key') {
[HIGH] #35: Hardcoded API key
  Source: Code (admin-sources-api.js)
  File: /opt/darkskyscout/packages/api/src/routes/admin-sources-api.js
  Line 95: if (requires_api_key !== undefined) filters.requires_api_key = requires_api_key === 'true';
[HIGH] #36: Hardcoded API key
  Source: Code (webhooks.js)
  File: /opt/darkskyscout/packages/api/src/routes/webhooks.js
  Line 238: const apiKey = req.get('X-API-Key');
[HIGH] #37: Hardcoded API key
  Source: Code (security.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/security.middleware.js
  Line 258: const apiKey = req.headers['x-api-key'];
[HIGH] #38: Hardcoded API key
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/middleware/auth.js
  Line 340: const apiKey = req.headers['x-api-key'];
[HIGH] #39: Hardcoded password
  Source: Code (validation.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/validation.middleware.js
  Line 41: const passwordValidation = body('password')
[HIGH] #40: Hardcoded password
  Source: Code (seed.dev.js)
  File: /opt/darkskyscout/packages/api/src/prisma/seed.dev.js
  Line 31: const hashedPassword = await bcrypt.hash('password123', 10);
[HIGH] #41: Hardcoded API key
  Source: Code (skyTrackingOptimized.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
  Line 90: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
[HIGH] #42: Hardcoded API key
  Source: Code (skyTrackingOptimized.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyTrackingOptimized.service.js
  Line 405: if (!this.config.n2yo.apiKey || this.config.n2yo.apiKey === 'demo_key') {
[HIGH] #43: Hardcoded API key
  Source: Code (googleEarthEngine.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
  Line 146: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
[HIGH] #44: Hardcoded API key
  Source: Code (googleEarthEngine.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleEarthEngine.service.js
  Line 268: if (!googleApiKey || googleApiKey === 'your_google_maps_api_key_here') {
[HIGH] #45: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 56: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
[HIGH] #46: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 132: if (this.n2yoApiKey && this.n2yoApiKey !== 'demo_key') {
[HIGH] #47: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 196: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
[HIGH] #48: Hardcoded API key
  Source: Code (skyInterference.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.service.js
  Line 735: if (!this.n2yoApiKey || this.n2yoApiKey === 'your_n2yo_api_key_here' || this.n2yoApiKey === 'demo_key') {
[HIGH] #49: Hardcoded API key
  Source: Code (googleAuthRepair.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
  Line 78: diagnosis.mapsApiKey.error = 'Billing not enabled';
[HIGH] #50: Hardcoded password
  Source: Code (AuthService.js)
  File: /opt/darkskyscout/packages/api/src/services/AuthService.js
  Line 8: const { validatePassword, validateEmail } = require('../utils/validation');
[HIGH] #51: child_process — command injection risk
  Source: Code (satelliteClaudeSearch.service.js)
  File: /opt/darkskyscout/packages/api/src/services/satelliteClaudeSearch.service.js
  Line 1: const { spawn } = require('child_process');
[HIGH] #52: child_process — command injection risk
  Source: Code (claudeSearch.service.js)
  File: /opt/darkskyscout/packages/api/src/services/claudeSearch.service.js
  Line 1: const { exec } = require('child_process');
[HIGH] #53: child_process — command injection risk
  Source: Code (claudeCode.adapter.js)
  File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js
  Line 4: const { exec } = require('child_process');
[HIGH] #54: Hardcoded API key
  Source: Code (n2yoClient.service.js)
  File: /opt/darkskyscout/packages/web/src/services/n2yoClient.service.js
  Line 26: return !!this.apiKey && this.apiKey !== 'your_n2yo_api_key_here';
[HIGH] #55: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 87: newErrors.password = 'Password is required';
[HIGH] #56: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 89: newErrors.password = 'Password must be at least 8 characters';
[HIGH] #57: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 91: newErrors.password = 'Password must contain uppercase, lowercase and number';
[HIGH] #58: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 95: newErrors.confirmPassword = 'Please confirm your password';
[HIGH] #59: Hardcoded password
  Source: Code (RegisterPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/RegisterPage.jsx
  Line 97: newErrors.confirmPassword = 'Passwords do not match';
[HIGH] #60: Hardcoded password
  Source: Code (LoginPage.jsx)
  File: /opt/darkskyscout/packages/web/src/pages/LoginPage.jsx
  Line 82: newErrors.password = 'Password is required';
[HIGH] #61: innerHTML assignment — XSS risk
  Source: Code (PhotoGallery.jsx)
  File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
  Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
[HIGH] #62: React dangerouslySetInnerHTML — XSS risk
  Source: Code (PhotoGallery.jsx)
  File: /opt/darkskyscout/packages/web/src/components/accommodation/PhotoGallery.jsx
  Line 107: dangerouslySetInnerHTML={{ __html: selectedPhoto.attribution }}
[HIGH] #63: innerHTML assignment — XSS risk
  Source: Code (MatchSuggestions.jsx)
  File: /opt/darkskyscout/packages/web/src/components/common/MatchSuggestions.jsx
  Line 96: e.target.parentElement.innerHTML = `${suggestion.user.name[0]}`;
[HIGH] #64: innerHTML assignment — XSS risk
  Source: Code (InstantLightPollutionOverlay.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/InstantLightPollutionOverlay.jsx
  Line 478: tooltip.innerHTML = `
[HIGH] #65: innerHTML assignment — XSS risk
  Source: Code (CustomLocationMarkers.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/CustomLocationMarkers.jsx
  Line 54: el.innerHTML = `
[HIGH] #66: innerHTML assignment — XSS risk
  Source: Code (SimpleBortleOverlay.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/SimpleBortleOverlay.jsx
  Line 67: svgElement.innerHTML = '';
[HIGH] #67: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 446: el.innerHTML = `
[HIGH] #68: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 534: el.innerHTML = `
[HIGH] #69: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 616: el.innerHTML = `
[HIGH] #70: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1275: loadingIndicator.innerHTML = `
[HIGH] #71: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1421: clickableIndicator.innerHTML = `
[HIGH] #72: innerHTML assignment — XSS risk
  Source: Code (MapLibreMap.jsx)
  File: /opt/darkskyscout/packages/web/src/components/map/MapLibreMap.jsx
  Line 1619: errorIndicator.innerHTML = `
[HIGH] #73: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: axios 1.13.4 → 1.13.5, 0.30.3
[HIGH] #74: [CVE-2026-26278] fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: fast-xml-parser 5.3.4 → 5.3.6
[HIGH] #75: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: minimatch 3.1.2 → 10.2.1
[HIGH] #76: [CVE-2025-47935] Multer vulnerable to Denial of Service via memory leaks from unclosed streams
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.0
[HIGH] #77: [CVE-2025-47944] Multer vulnerable to Denial of Service from maliciously crafted requests
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.0
[HIGH] #78: [CVE-2025-48997] multer: Multer vulnerable to Denial of Service via unhandled exception
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.1
[HIGH] #79: [CVE-2025-7338] multer: Multer Denial of Service
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: multer 1.4.5-lts.2 → 2.0.2
[HIGH] #80: [CVE-2026-23745] node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.3
[HIGH] #81: [CVE-2026-23950] node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.4
[HIGH] #82: [CVE-2026-24842] node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.7
[HIGH] #83: [CVE-2026-26960] tar: node-tar: node-tar: Arbitrary file read/write via malicious archive hardlink creation
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar 6.2.1 → 7.5.8
[HIGH] #84: [CVE-2024-12905] tar-fs: link following and path traversal via maliciously crafted tar file
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 1.16.4, 2.1.2, 3.0.7
[HIGH] #85: [CVE-2025-48387] tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 1.16.5, 2.1.3, 3.0.9
[HIGH] #86: [CVE-2025-59343] tar-fs: tar-fs symlink validation bypass
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: tar-fs 3.0.4 → 3.1.1, 2.1.4, 1.16.6
[HIGH] #87: [CVE-2024-37890] nodejs-ws: denial of service when handling a request with many HTTP headers
  Source: Code (package-lock.json)
  File: packages/api/package-lock.json
  Line 0: ws 8.16.0 → 5.2.4, 6.2.3, 7.5.10, 8.17.1
[HIGH] #88: [CVE-2026-25639] axios: Axios affected by Denial of Service via __proto__ Key in mergeConfig
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: axios 1.13.4 → 1.13.5, 0.30.3
[HIGH] #89: [CVE-2026-1615] jsonpath: jsonpath: Arbitrary Code Execution via unsafe JSON Path expression evaluation
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: jsonpath 1.2.1 → no fix
[HIGH] #90: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 3.1.2 → 10.2.1
[HIGH] #91: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 5.1.6 → 10.2.1
[HIGH] #92: [CVE-2026-26996] minimatch: minimatch: Denial of Service via specially crafted glob patterns
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: minimatch 9.0.5 → 10.2.1
[HIGH] #93: [CVE-2021-3803] nodejs-nth-check: inefficient regular expression complexity
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: nth-check 1.0.2 → 2.0.1
[MEDIUM] #94: MD5 hash usage
  Source: Code (analytics.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/analytics.middleware.js
  Line 86: return crypto.createHash('md5').update(components.join('|')).digest('hex');
[MEDIUM] #95: MD5 hash usage
  Source: Code (feature-flags.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/feature-flags.middleware.js
  Line 294: const hash = crypto.createHash('md5').update(hashInput).digest('hex');
[MEDIUM] #96: MD5 hash usage
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 110: return crypto.createHash('md5').update(fingerprint).digest('hex');
[MEDIUM] #97: MD5 hash usage
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 56: const hash = crypto.createHash('md5').update(fullKey).digest('hex');
[MEDIUM] #98: MD5 hash usage
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 316: const paramsHash = crypto.createHash('md5').update(paramsString).digest('hex');
[MEDIUM] #99: MD5 hash usage
  Source: Code (compression.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/compression.middleware.js
  Line 353: const hash = crypto.createHash('md5').update(chunk).digest('hex');
[MEDIUM] #100: MD5 hash usage
  Source: Code (userLocationInteractions.service.js)
  File: /opt/darkskyscout/packages/api/src/services/userLocationInteractions.service.js
  Line 22: return crypto.createHash('md5').update(`${name}_${location.id || Date.now()}`).digest('hex');
[MEDIUM] #101: [CVE-2025-69873] ajv: ReDoS via $data reference
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: ajv 6.12.6 → 8.18.0, 6.14.0
[MEDIUM] #102: [CVE-2025-69873] ajv: ReDoS via $data reference
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: ajv 8.17.1 → 8.18.0, 6.14.0
[MEDIUM] #103: [CVE-2023-44270] PostCSS: Improper input validation in PostCSS
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: postcss 7.0.39 → 8.4.31
[MEDIUM] #104: [CVE-2025-30359] webpack-dev-server: webpack-dev-server information exposure
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: webpack-dev-server 4.15.2 → 5.2.1
[MEDIUM] #105: [CVE-2025-30360] webpack-dev-server: webpack-dev-server information exposure
  Source: Code (package-lock.json)
  File: packages/web/package-lock.json
  Line 0: webpack-dev-server 4.15.2 → 5.2.1
[MEDIUM] #106: Secret: Mapbox API token
  Source: Code (fix_all_localhost.sh)
  File: fix_all_localhost.sh
  Line 35: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
[MEDIUM] #107: Secret: Mapbox API token
  Source: Code (fix_browser_cache_delirium.sh)
  File: fix_browser_cache_delirium.sh
  Line 64: REACT_APP_MAPBOX_ACCESS_TOKEN=**************************************************************************************
[LOW] #108: Hardcoded fallback for env variable
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 2894: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
[LOW] #109: Hardcoded fallback for env variable
  Source: Code (server.minimal.js)
  File: /opt/darkskyscout/packages/api/src/server.minimal.js
  Line 2929: const openWeatherKey = process.env.OPENWEATHER_API_KEY || 'c52cc3a156e8d8556f1394fc999a3418';
[LOW] #110: Hardcoded fallback for env variable
  Source: Code (server.js)
  File: /opt/darkskyscout/packages/api/src/server.js
  Line 9: const HOST = process.env.HOST || '0.0.0.0';
[LOW] #111: Hardcoded fallback for env variable
  Source: Code (debug-sky-tracking.js)
  File: /opt/darkskyscout/packages/api/src/debug-sky-tracking.js
  Line 13: console.log(' OPENSKY_CLIENT_ID:', process.env.OPENSKY_CLIENT_ID || 'NOT SET');
[LOW] #112: Hardcoded fallback for env variable
  Source: Code (socket.js)
  File: /opt/darkskyscout/packages/api/src/socket.js
  Line 17: origin: process.env.FRONTEND_URL || "https://darkskyscout.xamad.net",
[LOW] #113: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 450: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
[LOW] #114: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 505: const baseUrl = returnUrl || process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
[LOW] #115: Hardcoded fallback for env variable
  Source: Code (server.quick.js)
  File: /opt/darkskyscout/packages/api/src/server.quick.js
  Line 580: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
[LOW] #116: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 108: host: process.env.REDIS_HOST || 'localhost',
[LOW] #117: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 651: limit: process.env.MAX_REQUEST_SIZE || '10mb',
[LOW] #118: Hardcoded fallback for env variable
  Source: Code (database.js)
  File: /opt/darkskyscout/packages/api/src/config/database.js
  Line 659: limit: process.env.MAX_REQUEST_SIZE || '10mb'
[LOW] #119: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 51: process.env.JWT_SECRET || 'dev-secret',
[LOW] #120: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 112: process.env.JWT_SECRET || 'dev-secret',
[LOW] #121: Hardcoded fallback for env variable
  Source: Code (auth.simple.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.simple.js
  Line 141: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'dev-secret');
[LOW] #122: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 86: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
[LOW] #123: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 92: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
[LOW] #124: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 341: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
[LOW] #125: Hardcoded fallback for env variable
  Source: Code (auth.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.js
  Line 523: expiresIn: process.env.JWT_EXPIRES_IN || '15m'
[LOW] #126: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 19: const redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
[LOW] #127: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 222: const baseUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
[LOW] #128: Hardcoded fallback for env variable
  Source: Code (auth.google.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.google.js
  Line 274: const errorUrl = process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net';
[LOW] #129: Hardcoded fallback for env variable
  Source: Code (communitySharing.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/communitySharing.routes.js
  Line 102: const decoded = jwt.verify(token, process.env.JWT_SECRET || 'fallback-secret');
[LOW] #130: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 18: callbackURL: process.env.GOOGLE_CALLBACK_URL || '/api/auth/google/callback'
[LOW] #131: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 80: callbackURL: process.env.FACEBOOK_CALLBACK_URL || '/api/auth/facebook/callback',
[LOW] #132: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 137: callbackURL: process.env.GITHUB_CALLBACK_URL || '/api/auth/github/callback'
[LOW] #133: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 229: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
[LOW] #134: Hardcoded fallback for env variable
  Source: Code (auth-social.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth-social.routes.js
  Line 235: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
[LOW] #135: Hardcoded fallback for env variable
  Source: Code (auth.repair.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
  Line 164: googleRedirectUri: process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback',
[LOW] #136: Hardcoded fallback for env variable
  Source: Code (auth.repair.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.repair.js
  Line 165: frontendUrl: process.env.FRONTEND_URL || 'https://darkskyscout.xamad.net',
[LOW] #137: Hardcoded fallback for env variable
  Source: Code (auth.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
  Line 32: { expiresIn: process.env.JWT_EXPIRES_IN || '15m' }
[LOW] #138: Hardcoded fallback for env variable
  Source: Code (auth.routes.js)
  File: /opt/darkskyscout/packages/api/src/routes/auth.routes.js
  Line 38: { expiresIn: process.env.JWT_REFRESH_EXPIRES_IN || '7d' }
[LOW] #139: Hardcoded fallback for env variable
  Source: Code (analytics.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/analytics.worker.js
  Line 890: const filepath = path.join(process.env.EXPORT_DIR || '/tmp', filename);
[LOW] #140: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 263: host: process.env.REDIS_HOST || 'localhost',
[LOW] #141: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 417: timezone: process.env.TZ || 'UTC'
[LOW] #142: Hardcoded fallback for env variable
  Source: Code (manager.js)
  File: /opt/darkskyscout/packages/api/src/workers/manager.js
  Line 785: version: process.env.npm_package_version || 'unknown',
[LOW] #143: Hardcoded fallback for env variable
  Source: Code (weather-scraper.js)
  File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
  Line 240: host: process.env.REDIS_HOST || 'localhost',
[LOW] #144: Hardcoded fallback for env variable
  Source: Code (weather-scraper.js)
  File: /opt/darkskyscout/packages/api/src/workers/weather-scraper.js
  Line 248: host: process.env.REDIS_HOST || 'localhost',
[LOW] #145: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 426: const tempDir = process.env.TEMP_DIR || '/tmp';
[LOW] #146: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 432: const uploadsDir = process.env.UPLOADS_DIR || '/uploads';
[LOW] #147: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 438: const logsDir = process.env.LOGS_DIR || '/logs';
[LOW] #148: Hardcoded fallback for env variable
  Source: Code (cleanup.worker.js)
  File: /opt/darkskyscout/packages/api/src/workers/cleanup.worker.js
  Line 743: const tempDir = process.env.TEMP_DIR || '/tmp';
[LOW] #149: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 33: host: process.env.REDIS_HOST || 'localhost',
[LOW] #150: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 51: host: process.env.REDIS_HOST || 'localhost',
[LOW] #151: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 69: host: process.env.REDIS_HOST || 'localhost',
[LOW] #152: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 87: host: process.env.REDIS_HOST || 'localhost',
[LOW] #153: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 105: host: process.env.REDIS_HOST || 'localhost',
[LOW] #154: Hardcoded fallback for env variable
  Source: Code (index.js)
  File: /opt/darkskyscout/packages/api/src/workers/index.js
  Line 119: host: process.env.REDIS_HOST || 'localhost',
[LOW] #155: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 241: url: process.env.REDIS_URL || 'redis://localhost:6379',
[LOW] #156: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 348: version: process.env.APP_VERSION || '1.0.0',
[LOW] #157: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 349: environment: process.env.NODE_ENV || 'development'
[LOW] #158: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 364: version: process.env.APP_VERSION || '1.0.0',
[LOW] #159: Hardcoded fallback for env variable
  Source: Code (monitoring.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/monitoring.middleware.js
  Line 365: environment: process.env.NODE_ENV || 'development',
[LOW] #160: Hardcoded fallback for env variable
  Source: Code (error.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/error.middleware.js
  Line 210: maxSize: process.env.MAX_FILE_SIZE || '50MB'
[LOW] #161: Hardcoded fallback for env variable
  Source: Code (upload.js)
  File: /opt/darkskyscout/packages/api/src/middleware/upload.js
  Line 12: region: process.env.AWS_REGION || 'eu-west-1',
[LOW] #162: Hardcoded fallback for env variable
  Source: Code (upload.js)
  File: /opt/darkskyscout/packages/api/src/middleware/upload.js
  Line 19: const bucket = process.env.AWS_S3_BUCKET || 'skyscout-uploads';
[LOW] #163: Hardcoded fallback for env variable
  Source: Code (auth.middleware.simple.js)
  File: /opt/darkskyscout/packages/api/src/middleware/auth.middleware.simple.js
  Line 12: const secret = process.env.JWT_SECRET || 'dev-jwt-secret-key-for-testing-only-change-in-production';
[LOW] #164: Hardcoded fallback for env variable
  Source: Code (logging.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/logging.middleware.js
  Line 182: const environment = process.env.NODE_ENV || 'development';
[LOW] #165: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 20: ios: process.env.IOS_CURRENT_VERSION || '1.0.0',
[LOW] #166: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 21: android: process.env.ANDROID_CURRENT_VERSION || '1.0.0'
[LOW] #167: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 24: ios: process.env.IOS_FORCE_UPDATE_VERSION || '0.9.0',
[LOW] #168: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 25: android: process.env.ANDROID_FORCE_UPDATE_VERSION || '0.9.0'
[LOW] #169: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 197: ios: process.env.IOS_DOWNLOAD_URL || 'https://apps.apple.com/app/skyscout',
[LOW] #170: Hardcoded fallback for env variable
  Source: Code (mobile.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/mobile.middleware.js
  Line 198: android: process.env.ANDROID_DOWNLOAD_URL || 'https://play.google.com/store/apps/details?id=com.skyscout'
[LOW] #171: Hardcoded fallback for env variable
  Source: Code (maintenance.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/maintenance.middleware.js
  Line 263: contactSupport: process.env.SUPPORT_EMAIL || 'support@skyscout.app'
[LOW] #172: Hardcoded fallback for env variable
  Source: Code (cache.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/cache.middleware.js
  Line 8: url: process.env.REDIS_URL || 'redis://localhost:6379',
[LOW] #173: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 27: timezoneAPI: process.env.TIMEZONE_API_URL || 'http://api.timezonedb.com/v2.1/get-time-zone',
[LOW] #174: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 31: elevationAPI: process.env.ELEVATION_API_URL || 'https://api.open-elevation.com/api/v1/lookup',
[LOW] #175: Hardcoded fallback for env variable
  Source: Code (geo.middleware.js)
  File: /opt/darkskyscout/packages/api/src/middleware/geo.middleware.js
  Line 34: bortleAPI: process.env.BORTLE_API_URL || 'https://www.lightpollutionmap.info/QueryRaster/',
[LOW] #176: Hardcoded fallback for env variable
  Source: Code (LocationService.js)
  File: /opt/darkskyscout/packages/api/src/services/LocationService.js
  Line 472: key: process.env.TIMEZONEDB_KEY || 'demo',
[LOW] #177: Hardcoded fallback for env variable
  Source: Code (ai.grok.js)
  File: /opt/darkskyscout/packages/api/src/services/ai.grok.js
  Line 7: this.apiUrl = process.env.GROK_API_URL || 'https://api.x.ai/v1'; // Default Grok API URL
[LOW] #178: Hardcoded fallback for env variable
  Source: Code (MediaService.js)
  File: /opt/darkskyscout/packages/api/src/services/MediaService.js
  Line 32: region: process.env.AWS_REGION || 'us-east-1'
[LOW] #179: Hardcoded fallback for env variable
  Source: Code (skyInterference.proxy.service.js)
  File: /opt/darkskyscout/packages/api/src/services/skyInterference.proxy.service.js
  Line 11: this.proxyBaseUrl = process.env.SATELLITE_PROXY_URL || 'https://your-app.vercel.app';
[LOW] #180: Hardcoded fallback for env variable
  Source: Code (aiEngineManager.service.js)
  File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
  Line 30: primary: process.env.AI_ENGINE_PRIMARY || 'claude-code',
[LOW] #181: Hardcoded fallback for env variable
  Source: Code (aiEngineManager.service.js)
  File: /opt/darkskyscout/packages/api/src/services/aiEngineManager.service.js
  Line 31: fallbackChain: (process.env.AI_ENGINE_FALLBACK || 'claude-api,openai,deepseek').split(','),
[LOW] #182: Hardcoded fallback for env variable
  Source: Code (googleAuthRepair.service.js)
  File: /opt/darkskyscout/packages/api/src/services/googleAuthRepair.service.js
  Line 10: this.redirectUri = process.env.GOOGLE_REDIRECT_URI || 'https://darkskyscout-api.xamad.net/api/auth/google/callback';
[LOW] #183: Hardcoded fallback for env variable
  Source: Code (lightPollution.realtime.service.js)
  File: /opt/darkskyscout/packages/api/src/services/lightPollution.realtime.service.js
  Line 28: nasa: process.env.NASA_API_KEY || 'DEMO_KEY',
[LOW] #184: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 262: from: process.env.EMAIL_FROM || 'SkyScout ',
[LOW] #185: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 297: from: process.env.EMAIL_FROM || 'SkyScout ',
[LOW] #186: Hardcoded fallback for env variable
  Source: Code (EmailService.js)
  File: /opt/darkskyscout/packages/api/src/services/EmailService.js
  Line 324: appUrl: process.env.APP_URL || 'https://app.skyscout.com'
[LOW] #187: Hardcoded fallback for env variable
  Source: Code (matrix.service.js)
  File: /opt/darkskyscout/packages/api/src/services/matrix.service.js
  Line 7: const MATRIX_SERVER = process.env.MATRIX_SERVER_URL || 'http://localhost:8008';
[LOW] #188: Hardcoded fallback for env variable
Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 8: const MATRIX_DOMAIN = process.env.MATRIX_DOMAIN || 'chat.darkskyscout.xamad.net'; [LOW] #189: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 9: const REGISTRATION_SECRET = process.env.MATRIX_REGISTRATION_SECRET || '_hkFIRqh5;a^3t7aZ9*WMKPuLqsn8gS-cTwAbxYjYN0Iad_I1Q'; [LOW] #190: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 57: const secret = process.env.JWT_SECRET || 'darkskyscout-matrix-secret'; [LOW] #191: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 106: user: process.env.MATRIX_ADMIN_USER || 'darkskyadmin', [LOW] #192: Hardcoded fallback for env variable Source: Code (matrix.service.js) File: /opt/darkskyscout/packages/api/src/services/matrix.service.js Line 107: password: process.env.MATRIX_ADMIN_PASSWORD || 'DarkSky2024Admin!' 
[LOW] #193: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 9: this.bucketName = process.env.AWS_S3_BUCKET || 'skyscout-media'; [LOW] #194: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 44: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #195: Hardcoded fallback for env variable Source: Code (s3Service.js) File: /opt/darkskyscout/packages/api/src/services/s3Service.js Line 115: const baseUrl = process.env.API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #196: Hardcoded fallback for env variable Source: Code (ai.huggingface.js) File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js Line 7: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3-0324'; [LOW] #197: Hardcoded fallback for env variable Source: Code (ai.huggingface.js) File: /opt/darkskyscout/packages/api/src/services/ai.huggingface.js Line 8: this.baseUrl = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions'; [LOW] #198: Hardcoded fallback for env variable Source: Code (AuthService.js) File: /opt/darkskyscout/packages/api/src/services/AuthService.js Line 16: this.jwtExpiration = process.env.JWT_EXPIRATION || '24h'; [LOW] #199: Hardcoded fallback for env variable Source: Code (AuthService.js) File: /opt/darkskyscout/packages/api/src/services/AuthService.js Line 17: this.refreshTokenExpiration = process.env.REFRESH_TOKEN_EXPIRATION || '7d'; [LOW] #200: Hardcoded fallback for env variable Source: Code (emailService.js) File: /opt/darkskyscout/packages/api/src/services/emailService.js Line 7: this.fromEmail = process.env.EMAIL_FROM || 'noreply@darkskyscout.xamad.net'; [LOW] #201: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: 
/opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 12: this.baseURL = process.env.CLAUDE_API_URL || 'https://api.anthropic.com/v1'; [LOW] #202: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 13: this.model = process.env.CLAUDE_API_MODEL || 'claude-3-5-sonnet-20241022'; [LOW] #203: Hardcoded fallback for env variable Source: Code (claudeAPI.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeAPI.adapter.js Line 14: this.version = process.env.CLAUDE_API_VERSION || '2023-06-01'; [LOW] #204: Hardcoded fallback for env variable Source: Code (deepseek.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js Line 12: this.baseURL = process.env.HUGGINGFACE_API_URL || 'https://router.huggingface.co/novita/v3/openai/chat/completions'; [LOW] #205: Hardcoded fallback for env variable Source: Code (deepseek.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/deepseek.adapter.js Line 13: this.model = process.env.HUGGINGFACE_MODEL || 'deepseek/deepseek-v3'; [LOW] #206: Hardcoded fallback for env variable Source: Code (openai.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js Line 12: this.baseURL = process.env.OPENAI_API_URL || 'https://api.openai.com/v1'; [LOW] #207: Hardcoded fallback for env variable Source: Code (openai.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/openai.adapter.js Line 13: this.model = process.env.OPENAI_MODEL || 'gpt-4'; [LOW] #208: Hardcoded fallback for env variable Source: Code (claudeCode.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js Line 14: this.claudePath = process.env.CLAUDE_CODE_PATH || '/home/deploy/.nvm/versions/node/v22.17.1/bin/claude'; [LOW] #209: Hardcoded fallback for env variable Source: Code (claudeCode.adapter.js) 
File: /opt/darkskyscout/packages/api/src/services/adapters/claudeCode.adapter.js Line 16: this.defaultModel = process.env.CLAUDE_CODE_MODEL || 'sonnet'; // Use alias for latest Sonnet model [LOW] #210: Hardcoded fallback for env variable Source: Code (huggingface.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js Line 12: this.baseURL = process.env.HUGGINGFACE_INFERENCE_URL || 'https://api-inference.huggingface.co/models'; [LOW] #211: Hardcoded fallback for env variable Source: Code (huggingface.adapter.js) File: /opt/darkskyscout/packages/api/src/services/adapters/huggingface.adapter.js Line 13: this.model = process.env.HUGGINGFACE_DEFAULT_MODEL || 'microsoft/DialoGPT-large'; [LOW] #212: Hardcoded fallback for env variable Source: Code (test-api-connection.js) File: /opt/darkskyscout/packages/web/src/test-api-connection.js Line 2: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net'; [LOW] #213: Hardcoded fallback for env variable Source: Code (geocoding.service.js) File: /opt/darkskyscout/packages/web/src/services/geocoding.service.js Line 118: const API_BASE = process.env.REACT_APP_API_URL || '/api'; [LOW] #214: Hardcoded fallback for env variable Source: Code (externalLocation.service.js) File: /opt/darkskyscout/packages/web/src/services/externalLocation.service.js Line 443: const API_BASE = process.env.REACT_APP_API_URL || '/api'; [LOW] #215: Hardcoded fallback for env variable Source: Code (communitySharing.service.js) File: /opt/darkskyscout/packages/web/src/services/communitySharing.service.js Line 3: const API_BASE_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #216: Hardcoded fallback for env variable Source: Code (AIEngineAdminPage.jsx) File: /opt/darkskyscout/packages/web/src/pages/AIEngineAdminPage.jsx Line 8: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #217: Hardcoded fallback for 
env variable Source: Code (AccommodationDetailPage.jsx) File: /opt/darkskyscout/packages/web/src/pages/AccommodationDetailPage.jsx Line 124: const apiUrl = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #218: Hardcoded fallback for env variable Source: Code (AIEngineManager.jsx) File: /opt/darkskyscout/packages/web/src/components/admin/AIEngineManager.jsx Line 6: const API_URL = process.env.REACT_APP_API_URL || 'https://darkskyscout-api.xamad.net/api'; [LOW] #219: Hardcoded fallback for env variable Source: Code (MapboxMap.jsx) File: /opt/darkskyscout/packages/web/src/components/map/MapboxMap.jsx Line 8: mapboxgl.accessToken = process.env.REACT_APP_MAPBOX_ACCESS_TOKEN || 'pk.eyJ1IjoiZGFya3NreXNjb3V0IiwiYSI6ImNsdmhkZnhrbzAyeDQycW9ma3J2aHUwaGMifQ.placeholder'; [MEDIUM] #220: Debug mode enabled Source: Code (app.py) File: /home/webhook/picobernacca/app.py Line 202: app.run(host="127.0.0.1", port=config.PORT, debug=True) [LOW] #221: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 5: [LOW] #222: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 6: [LOW] #223: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 7: [LOW] #224: Inline event handler — potential XSS vector Source: Code (dashboard.html) File: /home/webhook/picobernacca/templates/dashboard.html Line 8: [CRITICAL] #225: Active SSH brute-force attack with no fail2ban protection Source: AI Analysis Logs show an active brute-force attack from 222.121.250.156 cycling through root, admin, oracle, usuario, and test usernames with maximum authentication attempts exceeded. fail2ban is INACTIVE, meaning there is no automated IP banning. 
Combined with PasswordAuthentication=yes on SSH, this creates a high-probability credential compromise vector. MaxStartups throttling events confirm connection flooding is occurring. Fix: sudo apt install fail2ban && sudo systemctl enable --now fail2ban Create /etc/fail2ban/jail.local: [sshd] enabled = true port = 22 filter = sshd maxretry = 3 bantime = 3600 findtime = 600 banaction = [HIGH] #226: SSH password authentication enabled alongside active brute-force Source: AI Analysis PasswordAuthentication is set to 'yes' in both config and runtime. With an active brute-force attack in progress and no fail2ban, this significantly increases the risk of unauthorized access. Key-based authentication is already configured (1 ed25519 key for root), so password auth can be safely disabled. Fix: Edit /etc/ssh/sshd_config: PasswordAuthentication no Then: sudo systemctl reload sshd WARNING: Verify your SSH key access works before disconnecting. [HIGH] #227: Multiple unidentified services exposed on all interfaces Source: AI Analysis 12 services are bound to 0.0.0.0 or [::]. Several have no identified process name: port 3030 (unknown), port 8065 (unknown), port 3050 (node). Ports 8000 and 8003 run unidentified Python processes, and port 5055 runs python3. Without nftables rule visibility, it's unclear if these are filtered. Unnecessary exposure increases attack surface significantly. Fix: 1. Identify all services: sudo ss -tlnp | grep -E '(3030|8065|3050|8000|8003|5055)' 2. Bind internal-only services to 127.0.0.1 3. If services must be public, ensure nftables rules restrict access: [HIGH] #228: MQTT broker (Mosquitto) exposed on ports 8883 and 9001 Source: AI Analysis Mosquitto MQTT broker is listening on 0.0.0.0:8883 (MQTT over TLS) and 0.0.0.0:9001 (likely WebSocket). MQTT brokers exposed to the internet are frequent targets for unauthorized subscription/publishing attacks. 
If authentication is not configured or uses weak credentials, attackers can intercept or inject messages into IoT communication channels. Fix: 1. Verify Mosquitto requires authentication: grep -E 'allow_anonymous|password_file' /etc/mosquitto/mosquitto.conf 2. Ensure allow_anonymous is set to false 3. If only internal clients need access, bi [HIGH] #229: No password complexity or account lockout policies configured Source: AI Analysis pam_pwquality is not configured (no password complexity enforcement) and pam_faillock is not configured (no account lockout after failed attempts). PASS_MAX_DAYS is 99999 (no password expiration), PASS_MIN_DAYS is 0. Combined with password authentication being enabled on SSH, weak passwords could be set and brute-forced indefinitely at the PAM level. Fix: 1. Install and configure pam_pwquality: sudo apt install libpam-pwquality Edit /etc/security/pwquality.conf: minlen = 12 dcredit = -1 ucredit = -1 lcredit = -1 ocredit = -1 2. Co [MEDIUM] #230: SSH X11 forwarding and TCP forwarding enabled Source: AI Analysis X11Forwarding is set to 'yes' and AllowTcpForwarding is 'yes'. X11 forwarding can be exploited for X11 session hijacking if an attacker gains SSH access. TCP forwarding allows tunneling through the server, which could be used for lateral movement or as a proxy. On a server (not a workstation), neither is typically needed. Fix: Edit /etc/ssh/sshd_config: X11Forwarding no AllowTcpForwarding no AllowAgentForwarding no Then: sudo systemctl reload sshd [MEDIUM] #231: No SSH idle session timeout configured Source: AI Analysis ClientAliveInterval is 0 and UnusedConnectionTimeout is 'none'. Idle SSH sessions remain open indefinitely, increasing the risk of session hijacking if a workstation is left unattended. MaxAuthTries is 6 (recommended <= 4), giving attackers more password guesses per connection. 
Fix: Edit /etc/ssh/sshd_config: ClientAliveInterval 300 ClientAliveCountMax 2 MaxAuthTries 4 Then: sudo systemctl reload sshd [MEDIUM] #232: SUID core dumps enabled (fs.suid_dumpable=2) Source: AI Analysis fs.suid_dumpable is set to 2 (suidsafe), which allows core dumps of SUID processes to be written (readable only by root). Core dumps from privileged processes can leak sensitive data such as passwords, encryption keys, or memory contents of privileged applications. Fix: sudo sysctl -w fs.suid_dumpable=0 echo 'fs.suid_dumpable = 0' | sudo tee /etc/sysctl.d/99-security.conf sudo sysctl -p /etc/sysctl.d/99-security.conf [MEDIUM] #233: Root filesystem at 80% capacity Source: AI Analysis The root partition (/) is at 80% usage with 7.3G remaining of 38G. While not immediately critical, continued growth (especially from logs, Docker images, or database data) could cause service failures. Docker overlay filesystem shares the same partition. A full disk can cause PostgreSQL corruption, application crashes, and inability to write logs. Fix: 1. Review disk usage: sudo du -sh /var/log /var/lib/docker /var/lib/postgresql /tmp 2. Clean Docker resources: sudo docker system prune -a 3. Review and rotate logs: sudo journalctl --vacuum-size=500M [MEDIUM] #234: SSH minimum RSA key size set to 1024 bits Source: AI Analysis RequiredRSASize is set to 1024, which allows weak RSA keys. NIST deprecated 1024-bit RSA keys in 2013. While the configured host key is Ed25519 (strong), clients could authenticate with weak 1024-bit RSA keys. Fix: Edit /etc/ssh/sshd_config: RequiredRSASize 3072 Then: sudo systemctl reload sshd [LOW] #235: ICMP redirect sending enabled and martian logging disabled Source: AI Analysis net.ipv4.conf.all.send_redirects=1 allows the server to send ICMP redirect messages, which could be abused for MITM attacks on the local network. 
net.ipv4.conf.all.log_martians=0 means packets with impossible source addresses are not logged, reducing visibility into potential spoofing attacks. Fix: sudo sysctl -w net.ipv4.conf.all.send_redirects=0 sudo sysctl -w net.ipv4.conf.default.send_redirects=0 sudo sysctl -w net.ipv4.conf.all.log_martians=1 Persist in /etc/sysctl.d/99-security.conf: net. [LOW] #236: SSH Debian banner and deprecated authorized_keys2 path enabled Source: AI Analysis DebianBanner is 'yes', disclosing the OS distribution to attackers during SSH handshake. AuthorizedKeysFile includes '.ssh/authorized_keys2' which is a deprecated path and could be used to plant backdoor keys in a less obvious location. Both are information disclosure / attack surface issues. Fix: Edit /etc/ssh/sshd_config: DebianBanner no AuthorizedKeysFile .ssh/authorized_keys Also check no keys exist in deprecated path: sudo find /home /root -name authorized_keys2 -ls Then: sudo systemctl [LOW] #237: SSH includes weak MAC algorithms Source: AI Analysis The SSH MAC configuration includes hmac-sha1 and umac-64 variants which are considered weak. While ETM (Encrypt-then-MAC) variants are present and preferred, the non-ETM hmac-sha1 and umac-64 are still accepted, allowing downgrade by a capable attacker. Fix: Edit /etc/ssh/sshd_config: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com Then: sudo systemctl reload sshd [LOW] #238: IP forwarding enabled (verify necessity) Source: AI Analysis net.ipv4.ip_forward=1 enables the kernel to route packets between network interfaces. This is typically required for Docker networking and is expected on this system (Docker/containerd are present). However, if Docker is not actively used for inter-container or host networking, this should be disabled to prevent the server from being used as a router in network attacks. Fix: If Docker requires it, this is expected - no action needed. 
If Docker is not in use: sudo sysctl -w net.ipv4.ip_forward=0 ---------------------------------------------------------------------- OS STATUS ---------------------------------------------------------------------- Packages installed: 927 Upgradable: 0 (security: 0) Open ports: 22 (exposed: 12) UFW: INACTIVE fail2ban: INACTIVE iptables rules: 13 ---------------------------------------------------------------------- NETWORK SECURITY ---------------------------------------------------------------------- home.xamad.net: WAF=none secshield.xamad.net: WAF=none home.xamad.net: SSL=OK protocol=TLSv1.3 secshield.xamad.net: SSL=OK protocol=TLSv1.3 Exposed ports: 12 | Localhost-only: 10 ====================================================================== Generated by SecShield — AI Security Analyst ======================================================================