Closed
Labels: critical (Critical priority), security (Security vulnerability), sprint-1 (Sprint 1 scope)
Description
Summary
Flask REST API bound to 0.0.0.0:5050 with no authentication. Anyone on the local network (or internet if port forwarded) can read trade history and potentially trigger API actions.
Risk
HIGH — Exposes trading activity, positions, P&L data without any access control.
Location
```python
# main.py:33
app.run(host='0.0.0.0', port=5050)
```
Fix
Option A — Bind to localhost only:
```python
app.run(host='127.0.0.1', port=5050)
```
Option B — Add API key authentication:
```python
import hmac
import os
from functools import wraps

from flask import jsonify, request

API_KEY = os.environ.get('ELVIS_API_KEY')

def require_api_key(f):
    """Reject requests whose X-API-Key header does not match ELVIS_API_KEY."""
    @wraps(f)
    def decorated(*args, **kwargs):
        key = request.headers.get('X-API-Key', '')
        # Fail closed if no key is configured (otherwise a missing header would
        # compare None == None and pass); compare in constant time.
        if not API_KEY or not hmac.compare_digest(key, API_KEY):
            return jsonify({'error': 'Unauthorized'}), 401
        return f(*args, **kwargs)
    return decorated
```
Sprint
Sprint 1 — Story 1.2 (Security Hardening)
Found by PM agent audit — Feb 17, 2026
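As an added example (not code from the issue or the project), Option B can also be enforced below the route layer as a WSGI middleware, so every endpoint of the Flask app is covered without decorating each one; it fails closed when no key is configured and uses a constant-time comparison. The `trades_app` stub, the `call` helper and the key values are constructed for the demonstration.

```python
import hmac
import json
from io import BytesIO


class RequireApiKey:
    """WSGI middleware: reject requests whose X-API-Key does not match the configured key.

    Wrapping a Flask app covers every route at once:
        app.wsgi_app = RequireApiKey(app.wsgi_app, os.environ.get('ELVIS_API_KEY'))
    """

    def __init__(self, wsgi_app, api_key):
        if not api_key:
            # Fail closed: with ELVIS_API_KEY unset, a plain `key != API_KEY`
            # check compares None to None and lets every request through.
            raise RuntimeError("ELVIS_API_KEY is not set; refusing to serve unauthenticated")
        self.wsgi_app = wsgi_app
        self.api_key = api_key.encode()

    def __call__(self, environ, start_response):
        # WSGI presents the "X-API-Key" header as HTTP_X_API_KEY.
        presented = environ.get("HTTP_X_API_KEY", "").encode()
        # Constant-time comparison so the key cannot be recovered via timing.
        if not hmac.compare_digest(presented, self.api_key):
            body = json.dumps({"error": "Unauthorized"}).encode()
            start_response("401 Unauthorized", [("Content-Type", "application/json")])
            return [body]
        return self.wsgi_app(environ, start_response)


def trades_app(environ, start_response):
    """Stand-in for the Flask app: the route that exposes (constructed) trade history."""
    body = json.dumps({"trades": [{"symbol": "TEST", "pnl": 12.5}]}).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


def call(app, headers=None):
    """Drive a WSGI app with a constructed GET /trades; return (status, JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/trades", "wsgi.input": BytesIO()}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)
```

Combining this with Option A (binding to 127.0.0.1) still gives defence in depth: the key check protects the API if the bind address is ever widened again.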