Summary
The cyber API exposes a generic unauthenticated proxy to Cloudflare Radar endpoints. Any caller can drive server-side requests against arbitrary /radar/* paths using the server-held bearer token.
Why this matters
- The route turns the server into a bearer-authenticated proxy for a third-party API.
- Anonymous callers can consume provider quota and access any Radar endpoint path the token allows.
- This creates abuse and cost exposure while obscuring which requests are first-party versus opportunistic public use.
Attack or failure scenario
A public client or scraper repeatedly calls arbitrary /api/cyber/radar/... paths with different query parameters. The server forwards each request with its own Cloudflare Radar token, effectively donating authenticated API access to any caller.
Root cause
The route is implemented as a convenience pass-through instead of a minimal, explicit backend contract.
Recommended fix
- Replace the generic proxy with explicit allowlisted endpoints.
- Add authentication, per-route quotas, or both.
- Bound query parameters and cache keys to supported use cases.
- Add telemetry for provider-token usage and abuse detection.
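One way to implement the allowlist, bounded parameters and quota from the list above, as an added example (not the project's own code): a resolver that maps documented metric names to fixed upstream requests, plus a fixed-window quota on provider-token use. The metric names, upstream paths, parameter values and limits are assumptions.

```typescript
// Added example: metric names, upstream paths and limits are assumptions.
type ParamRule = { name: string; allowed: readonly string[]; fallback: string };
type Metric = { upstreamPath: string; params: readonly ParamRule[] };
type Resolved = { upstreamPath: string; search: string; cacheKey: string };

const DATE_RANGE: ParamRule = { name: "dateRange", allowed: ["1d", "7d", "28d"], fallback: "7d" };
const METRICS = new Map<string, Metric>([
  // Upstream paths are illustrative placeholders for documented cyber metrics.
  ["l3-attacks", { upstreamPath: "/radar/attacks/layer3/summary", params: [DATE_RANGE] }],
  ["l7-attacks", { upstreamPath: "/radar/attacks/layer7/summary", params: [DATE_RANGE] }],
]);

// Map a public metric name to a fixed upstream request. The caller never supplies
// a path, and only allowlisted values reach the provider, so cache keys are bounded.
function resolveRadarRequest(metric: string, query: Record<string, string | undefined>): Resolved | null {
  const def = METRICS.get(metric);
  if (!def) return null; // not allowlisted: respond 404, never call upstream
  const search = new URLSearchParams();
  for (const rule of def.params) { // unknown query keys are never copied
    const value = query[rule.name] ?? "";
    search.set(rule.name, rule.allowed.indexOf(value) !== -1 ? value : rule.fallback);
  }
  const qs = search.toString();
  return { upstreamPath: def.upstreamPath, search: qs, cacheKey: metric + "?" + qs };
}

// Fixed-window quota on provider-token usage, keyed per metric or per caller.
class ProviderQuota {
  private windows = new Map<string, { start: number; used: number }>();
  private limit: number;
  private windowMs: number;
  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }
  // True if the upstream call may proceed in the current window.
  allow(key: string, now: number): boolean {
    const w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      this.windows.set(key, { start: now, used: 1 });
      return true;
    }
    if (w.used >= this.limit) return false;
    w.used += 1;
    return true;
  }
  // Calls counted in the key's most recent window, for telemetry export.
  used(key: string): number { return this.windows.get(key)?.used ?? 0; }
}
```

A route handler would call resolveRadarRequest() first, check allow() only on a cache miss, and attach the bearer token only to the resolved upstream path.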
Acceptance criteria
- Public callers cannot drive arbitrary Cloudflare Radar endpoint paths through the server.
- Only documented, allowlisted cyber metrics are exposed.
- Provider-token usage is rate-limited and observable.
Suggested labels
- security
- architecture
- production-readiness
Severity
High — the route exposes a server-held bearer token through a generic public proxy surface.
Confidence
Confirmed — the route forwards arbitrary Radar paths and the backend injects the bearer token server-side.
Evidence
- server/src/routes/cyber.ts#L6-L28 forwards any /api/cyber/radar/* path to fetchCloudflareRadar().
- server/src/core/source/cloudflare.ts#L11-L46 injects Authorization: Bearer ${token} from CLOUDFLARE_RADAR_TOKEN and caches responses in memory.