Add CT 101 Caddy security audit findings

Browse source

CRITICAL: RECON backends (8420, 8440) accept direct LAN/Tailscale
connections and trust X-Authentik-Username header unconditionally.
Verified exploitation: contacts read, API keys added via spoofed header.

Root cause: No firewall on RECON VM, services bind 0.0.0.0.
Caddy forward_auth is NOT bypassed - direct backend access is the vector.

P0 remediation: Firewall RECON to accept only from CT 101.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

...

This commit is contained in:

Matt 2026-04-26 01:40:45 +00:00

parent 95fdac5ce3

commit 5afbbdcf4a

1 changed files with 478 additions and 758 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download patch file Download diff file Expand all files Collapse all files

1260

AUTH-PUBLIC-FRONTEND.md

View file

File diff suppressed because it is too large Load diff