Raxx · internal docs

internal · gated ↑ index

Public surface security sweep — 2026-04-25

Trigger: Operator-requested sweep. Kristerpher reported "lots of traffic" and asked for an inventory of what is publicly reachable and whether any of it should be auth-gated. Sweep start: 2026-04-25T11:40:00Z (UTC) Sweep end: 2026-04-25T12:15:00Z (UTC) Method: Unauthenticated HTTP probes (curl), source-code review, git history check, search-engine indexing check (site: queries), GitHub repo visibility check.

Executive summary

1 CRITICAL, 1 HIGH, 1 MEDIUM filed. Key finding: a file containing live Alpaca trading credentials (backend/.apisecretes) is sitting on the operator workstation — untracked, not gitignored, one git add . away from being committed to GitHub. Revoke those keys immediately. Separately, the Heroku direct-to-origin bypass on staging (tracked as #252) is actively exploitable — confirmed reachable with full unauthenticated API response. Production JS bundle serves a full source map anonymously. All CF Access-gated surfaces are correctly gated.

Immediate action required: Revoke backend/.apisecretes credentials via Alpaca dashboard. See #377.

Surface inventory

Surfaces probed

Surface URL Expected posture Observed Pass/Fail
Antlers (prod) https://raxx.app Public SPA HTTP 200, React SPA PASS (public, intended)
Marketing https://getraxx.com Public DNS NXDOMAIN — domain not resolving NOTE
Raptor prod (CF) https://api.raxx.app CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Raptor staging (CF) https://api-staging.raxx.app CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Console (CF) https://console.raxx.app CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Vault (CF) https://vault.raxx.app CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Antlers preview https://raxx-app.pages.dev CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Mockups preview https://raxx-mockups.pages.dev CF Access gated HTTP 302 → moosequest.cloudflareaccess.com PASS
Raptor staging (Heroku direct) https://raxx-api-staging-1a19fb3873b9.herokuapp.com Should block (missing middleware) HTTP 200 — full API responses returned FAIL
Raptor prod (Heroku direct) https://raxx-api-prod-a60a19e5efbf.herokuapp.com Should block (missing middleware) HTTP 502 (prod not running) NOTE

Paths probed on raxx.app (public SPA)

All sensitive paths (/.env, /.git/config, /.git/HEAD, /config.json, /docker-compose.yml, /admin, /swagger, /docs) return HTTP 200 with the React SPA index.html — this is the standard SPA catch-all behavior (Cloudflare Pages serves index.html for all unmatched paths). Confirmed: actual file content is the React app shell, not real env files or git objects. No real data leakage at these paths.

/robots.txt returns User-agent: * / Disallow: — the wildcard allow means all paths are crawlable. No sensitive paths are being inadvertently blocked or disclosed.

/manifest.json returns default CRA boilerplate (see MEDIUM finding below).

Endpoints confirmed reachable via Heroku direct URL (bypassing CF Access)

All tested on raxx-api-staging-1a19fb3873b9.herokuapp.com — all return HTTP 200 anonymously:

Endpoint Returns
/ {"status":"ok"}
/api/system/status Full system detail: kernel version, Ubuntu patch level, app version 1.10.0, uptime (10d 13h), CPU/memory/disk metrics, cache keys + TTLs, missing env var names
/api/trading/account Paper account structure: account_number, buying_power, cash, equity, portfolio_value, margin figures, daytrade_count, fallback_reason, missing env var list
/api/trading/positions Full mock position list: symbol, qty, avg_entry_price, market_value, unrealized P&L, asset_id
/api/trading/orders Full mock order list: order_id, symbol, side, qty, status, filled_avg_price, timestamps
/api/symbols Symbol list (25 symbols, with exchange and type)
/api/notifications System notifications list
/api/settings Application settings including tradingMode, defaultSymbol, chartSettings
/api/compare-quotes?symbol=AAPL Market quote data
/health {"status":"ok"}

Middleware check: backend_v2/api/middleware/ contains no Cloudflare header check. Issue #252 (CF-Connecting-IP enforcement) is confirmed unimplemented.

Search engine indexing

site:raxx.app, site:console.raxx.app, site:vault.raxx.app, site:api.raxx.app, site:getraxx.com — all returned zero results. No indexed paths found in search engines.

GitHub repository visibility

MooseQuest/TradeMasterAPI — confirmed private. Repo has not been made public.

Heroku metrics/diagnostics endpoints

/_metrics, /metrics, /__health on staging direct URL — all return HTTP 404. No exposed Heroku metrics endpoints.

Findings

CRITICAL

CRIT-1 — Live Alpaca trading credentials in un-gitignored file on operator workstation (filed #377)

Surface: Operator workstation / repository root Tool: Manual — git status output showed ?? backend/.apisecretes

Finding. File backend/.apisecretes contains two sets of Alpaca credentials: one with key prefix AK and BASE_URL=https://api.alpaca.markets (live trading endpoint), and one with key prefix PK (paper trading). Neither set is in git history. The file is not covered by any .gitignore pattern (git check-ignore returns exit code 1; .gitignore covers .env, .env.*, and specific secret extensions but not .apisecretes).

Risk. A single git add . or git add backend/ commits live trading credentials to GitHub where they would be searchable and immediately usable to place live orders, access account balances, and potentially move funds. The file has been on disk since 2023-03-17 per mtime; key material may still be active.

Remediation. 1. Operator action now: revoke the AK-prefixed key via Alpaca dashboard. Rotate the PK-prefixed key. 2. Add backend/.apisecretes or *.apisecretes to .gitignore (feature-developer, one-line change). 3. After rotation, delete or zero out the file. 4. Run gitleaks detect --source=. --report-format=json after cleanup to confirm no history entry.

Routing: Credential revocation → operator. gitignore fix → feature-developer. Rotation confirmation → sre-agent.

HIGH

HIGH-1 — Heroku direct-to-origin bypass: full API accessible without CF Access (existing #252 — verified active)

Surface: raxx-api-staging-1a19fb3873b9.herokuapp.com Status: Previously filed as #252 (2026-04-24, severity:high). This sweep confirms it is actively exploitable. #252 updated to ready-for-dev and verification comment added.

Finding. All API endpoints on staging are reachable via the Heroku canonical URL with zero authentication. CF Access on api-staging.raxx.app (correctly) blocks anonymous access, but Heroku's *.herokuapp.com URL bypasses CF Access entirely. No CF-Connecting-IP middleware exists in backend_v2/api/middleware/ (confirmed by source code search).

Confirmed accessible anonymously: /api/system/status (full system fingerprint), /api/trading/account (account structure + missing env var list), /api/trading/positions, /api/trading/orders, /api/symbols, /api/notifications, /api/settings, /api/compare-quotes.

Risk. Anyone who discovers or guesses the Heroku URL can: - Enumerate all API endpoints and response structures without auth - Determine exact env vars that are missing (aids credential-stuffing + env-injection attacks) - Retrieve system fingerprint (kernel version, patch level, OS, app version) for CVE targeting - When Alpaca credentials are pushed to staging (blocked by this gap per M4 in 2026-04-24 review), retrieve real paper account data

Elevated traffic reported by operator on 2026-04-25 is consistent with scanning activity against the Heroku URL. CF WAF rate limiting does not apply to direct Heroku hits.

Remediation. Implement CF-Connecting-IP header check in backend_v2/api/middleware/ per the scope in #252. Reject requests without this header (except /health for liveness probes). The fix is code, not infra — unblocked and ready.

Routing: Code fix → feature-developer. See #252.

HIGH-2 — Production JS source map publicly accessible — exposes full React source tree (filed #378)

Surface: https://raxx.app/static/js/main.2efb100a.js.map

Finding. The production React bundle at raxx.app includes a sourceMappingURL directive. The referenced .map file is publicly accessible (HTTP 200, anonymous). It contains 929 source files including the full un-minified source of all application JS: all component files, all API client files, featureFlags.js, sentryInit.js.

Exposed via source map: - All internal API endpoint patterns (/api/trading/account, /api/historical-data, /api/backtest, etc.) extractable from api/*.js files - Feature flag names (live_mode_ring, options_chain) and the baked-in value REACT_APP_FLAGS=live_mode_ring,options_chain - Sentry telemetry configuration structure and all env var names used - Internal component hierarchy and error-handling paths

No hardcoded secrets or live credentials found in source map content. Risk is reconnaissance, not direct exploitation.

Remediation. Set GENERATE_SOURCEMAP=false in Cloudflare Pages build environment. Long-term: upload source maps to Sentry at build time via sentry-cli upload-sourcemaps and exclude from public bundle.

Routing: Code fix → feature-developer (Antlers/frontend).

MEDIUM

MED-1 — raxx.app manifest.json reveals CRA boilerplate app identity (filed #379)

Surface: https://raxx.app/manifest.json

Finding. Returns default Create React App boilerplate (name: Create React App Sample, short_name: React App). Also: index.html title is TradeMaster API - Algorithmic Trading Platform — discloses both the product name and its function. Both confirm CRA/React stack to any visitor.

Risk. Technology stack confirmation. Minor on its own; compounds with source map exposure (#378) and system/status fingerprinting to build a complete attack profile.

Remediation. Update frontend/trademaster_ui/public/manifest.json name and short_name to Raxx brand. Update index.html title to drop the technology-tier disclosure.

Routing: Code fix → feature-developer (Antlers/frontend).

LOW (batched — no issues filed)

ID Surface Finding Remediation pointer
L-1 raxx.app robots.txt Disallow: is empty — all paths are crawlable. No sensitive paths are inadvertently exposed (SPA catch-all serves index.html for all paths), but this allows search engines to crawl indefinitely. Consider adding Disallow: /static/js/*.map once source maps are removed, or a blanket Disallow: /api/ for the API subdomain. feature-developer
L-2 raxx.app Page title and meta description say "TradeMaster API - A powerful platform for algorithmic trading and backtesting" — discloses technology tier publicly in the HTML head visible to scrapers. feature-developer
L-3 getraxx.com Domain is not resolving (DNS NXDOMAIN). If this is an intentional redirect target for marketing, the domain should either be parked with a redirect or have DNS set up. If it is not in use, verify no typosquatting risk. operator
L-4 raxx-api-prod-a60a19e5efbf.herokuapp.com Returns HTTP 502 (no running dyno on prod). This confirms the prod Heroku URL is known/enumerable. Once production is live, this needs the same CF-Connecting-IP middleware as staging. sre-agent (same scope as #252)
L-5 raxx.app CF Access is not gating raxx.app — it is intentionally public. Confirm robots.txt and sitemap.xml are current before any marketing campaign drives significant traffic. operator

INFO (no issues filed)

ID Note
I-1 All CF Access-gated surfaces confirmed gated: api.raxx.app, api-staging.raxx.app, console.raxx.app, vault.raxx.app, raxx-app.pages.dev, raxx-mockups.pages.dev — all return HTTP 302 to moosequest.cloudflareaccess.com for anonymous requests.
I-2 GitHub repo MooseQuest/TradeMasterAPI confirmed private.
I-3 No search engine indexing found for any *.raxx.app domain.
I-4 No Heroku metrics/diagnostics endpoints exposed (/_metrics, /metrics all 404).
I-5 No secrets found in raxx.app source map content (env vars are runtime-injected, not baked in).
I-6 raxx.app sensitive path probes (/.env, /.git/config, /config.json, /docker-compose.yml) all return HTTP 200 with the SPA index.html — no actual file leakage. CF Pages catch-all is working as expected.

Issue summary

# Severity Title Status
#377 CRITICAL Live Alpaca trading credentials in un-gitignored file backend/.apisecretes New — filed this sweep
#378 HIGH Production source map publicly served at raxx.app New — filed this sweep
#252 HIGH Block direct-to-Heroku access (CF-Connecting-IP middleware) Existing — verified active, updated to ready-for-dev
#379 MEDIUM raxx.app manifest.json reveals CRA boilerplate New — filed this sweep

Total new issues filed: 3 (#377 CRITICAL, #378 HIGH, #379 MEDIUM) Existing issues updated: 1 (#252 — verified active, labels updated)

On the elevated traffic

The operator's "lots of traffic" observation is consistent with two possible sources:

  1. Automated scanning of the Heroku direct URL. The URL raxx-api-staging-1a19fb3873b9.herokuapp.com is referenced in plain text in .github/workflows/deploy.yml in the (private) repo, but could also be discovered by Shodan-style Heroku scanning. Since it bypasses CF WAF + CF Access, any scanner hitting it goes directly to the Heroku dyno and is counted in Heroku metrics.

  2. Cloudflare Bot Management traffic on raxx.app. The public SPA at raxx.app has no bot protection (no Disallow: in robots.txt, no Cloudflare Bot Fight Mode confirmed). Crawlers indexing the SPA are common and visible in traffic metrics.

Recommendation: implement #252 (CF-Connecting-IP middleware) immediately. This both closes the bypass and will reduce dyno utilization from scanner traffic.

What this sweep did NOT check