Security Findings - MEDIUM (batch)
Source: Security audit (2026-02-24)
Finding 6: Server Binds to 0.0.0.0 by Default
- Location:
crates/terraphim-api/src/lib.rs:17
- Fix: Default to
127.0.0.1, allow override via API_HOST env var
Finding 7: Integer Truncation in Patient Age
- Location:
crates/terraphim-api/src/service.rs:302
profile.age as u8 truncates u32 silently (300 -> 44)- Fix: Validate age 0-150, return 400 for out-of-range
Finding 8: Debug Logging of Patient Clinical Data (PHI)
- Location:
crates/terraphim-api/src/routes/mod.rs:91-93
- Patient age, sex, diagnoses logged at debug level
- Fix: Never log PHI, use anonymized identifiers
Finding 9: WebSocket No Connection Limits
- Location:
crates/terraphim-api/src/routes/mod.rs:301-384
- No connection limits, auth, idle timeout, or backpressure
- Fix: Add semaphore for concurrent workflows, add auth + timeouts
Finding 11: Grafana Default Admin Password
- Location:
docker/docker-compose.yml:113
GF_SECURITY_ADMIN_PASSWORD defaults to admin- Fix: Remove default, fail if not set
Security Findings - MEDIUM (batch)
Source: Security audit (2026-02-24)
Finding 6: Server Binds to 0.0.0.0 by Default
crates/terraphim-api/src/lib.rs:17127.0.0.1, allow override viaAPI_HOSTenv varFinding 7: Integer Truncation in Patient Age
crates/terraphim-api/src/service.rs:302profile.age as u8truncates u32 silently (300 -> 44)Finding 8: Debug Logging of Patient Clinical Data (PHI)
crates/terraphim-api/src/routes/mod.rs:91-93Finding 9: WebSocket No Connection Limits
crates/terraphim-api/src/routes/mod.rs:301-384Finding 11: Grafana Default Admin Password
docker/docker-compose.yml:113GF_SECURITY_ADMIN_PASSWORDdefaults toadmin