WhatsNext is designed for trusted internal environments (lab networks, private clusters). It is not hardened for public internet exposure.
Email the maintainers directly or use GitHub's "Report a vulnerability" feature. Do not open public issues for security bugs.
- Optional API key authentication via the `X-API-Key` header
- Constant-time comparison to prevent timing attacks
- Multiple keys supported (comma-separated in config)

```ini
# .env
api_keys=key1,key2,key3
```

If `api_keys` is unset, authentication is disabled (logged as a warning). Generate keys with `openssl rand -base64 32`; base64 output never contains a comma, so generated keys can be joined with commas safely.
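An added example, not WhatsNext's own code, of how the check above can be built from the standard library: every comparison runs over fixed-length digests so neither key length nor which configured slot matched is visible in response time. The function names, the header dictionary shape and the `authenticate` wrapper are assumptions; the keys in the demo are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import logging

log = logging.getLogger("whatsnext.auth")


def parse_api_keys(raw: str | None) -> list[str]:
    """Split the comma-separated api_keys setting, dropping blanks and whitespace."""
    if raw is None:
        return []
    return [k.strip() for k in raw.split(",") if k.strip()]


def _digest(value: str) -> bytes:
    # Hash both sides first so every comparison is over equal-length inputs;
    # compare_digest would otherwise return early on a length mismatch and
    # leak the configured key's length.
    return hashlib.sha256(value.encode("utf-8")).digest()


def api_key_is_valid(presented: str | None, configured: list[str]) -> bool:
    """Constant-time check of a presented X-API-Key value against all configured keys."""
    if presented is None:
        return False
    presented_digest = _digest(presented)
    matched = False
    # Compare against every key instead of returning on the first hit, so the
    # response time does not reveal which slot (if any) matched.
    for key in configured:
        matched |= hmac.compare_digest(presented_digest, _digest(key))
    return matched


def authenticate(headers: dict[str, str], configured: list[str]) -> bool:
    """Mirror the documented behaviour: no configured keys means auth is off (with a warning)."""
    if not configured:
        log.warning("api_keys is unset; API key authentication is DISABLED")
        return True
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    return api_key_is_valid(lowered.get("x-api-key"), configured)


if __name__ == "__main__":
    # Constructed sample config; real keys come from `openssl rand -base64 32`.
    keys = parse_api_keys("first-key, second-key")
    print(authenticate({"X-API-Key": "second-key"}, keys))  # True
    print(authenticate({"X-API-Key": "second-ke"}, keys))   # False
    print(authenticate({}, []))                              # True, with a warning logged
```

Wire `authenticate` into a request dependency that returns 401 on `False`; the warning on the disabled path is deliberately loud so a missing `api_keys` cannot go unnoticed in logs.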
- Per-IP sliding window rate limiting
- Configurable via `rate_limit_per_minute` (0 = disabled)
- Returns a `Retry-After` header when the limit is hit

State is in-memory per process, so each worker keeps its own counters and a client whose requests are spread across N workers effectively gets N times the configured limit. For multi-worker or distributed deployments, rate limit at a reverse proxy or back the limiter with Redis.
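An added example (not WhatsNext's code) of the two pieces described above: a per-client sliding-window limiter that derives the `Retry-After` value from the oldest request still inside the window, and the client-address selection that the X-Forwarded-For caveat in the limitations list calls for, which honours the header only when the TCP peer is a trusted proxy. `SlidingWindowLimiter`, `client_ip` and the `trusted_proxies` set are assumptions; the addresses are constructed samples.

```python
from __future__ import annotations

import ipaddress
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-client sliding-window limiter; all state lives in this process's memory."""

    def __init__(self, limit_per_minute: int, window_seconds: float = 60.0):
        self.limit = limit_per_minute
        self.window = window_seconds
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def check(self, client: str, now: float | None = None) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds); retry_after is 0 when allowed."""
        if self.limit <= 0:  # 0 = disabled, as in the config reference
            return True, 0
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # The oldest hit still in the window decides when the next slot frees up.
            retry_after = math.ceil(hits[0] + self.window - now)
            return False, max(retry_after, 1)
        hits.append(now)
        return True, 0


def client_ip(remote_addr: str, headers: dict[str, str], trusted_proxies: set[str]) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is honoured only when the socket peer is a trusted proxy;
    otherwise a client could send a fresh spoofed value on every request and
    never share a bucket with its earlier requests.
    """
    xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for")
    if remote_addr in trusted_proxies and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        # Walk from the right: the rightmost hop was appended by our proxy, so it
        # is the first address that did not come from an untrusted party.
        for hop in reversed(hops):
            if hop in trusted_proxies:
                continue
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                break  # malformed header: fall back to the socket address
    return remote_addr


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit_per_minute=3)
    trusted = {"10.0.0.1"}  # constructed: the reverse proxy's address
    # Constructed requests: a spoofed leftmost hop, then the address the proxy saw.
    who = client_ip("10.0.0.1", {"X-Forwarded-For": "1.1.1.1, 203.0.113.9"}, trusted)
    for t in (100.0, 101.0, 102.0, 103.0):
        print(who, limiter.check(who, now=t))  # fourth call: (False, 57)
```

The `now` parameter exists so the limiter can be tested with a fixed clock; in production leave it unset and `time.monotonic()` is used. The proxy itself must overwrite or append to `X-Forwarded-For` rather than pass the client's copy through untouched.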
- Pydantic schema validation on all inputs
- Status enum validation
- Pagination capped at 1000 items
- SQLAlchemy ORM only (no raw SQL)
Configurable via `cors_origins`. The default is `*` (all origins), which lets any web page send requests to the API. Credentials are automatically disabled when the wildcard is in use, since browsers reject `Access-Control-Allow-Origin: *` on credentialed requests. Set explicit origins in production.
- No HTTPS by default - Deploy behind a TLS-terminating reverse proxy (nginx, Caddy).
- `X-Forwarded-For` trust - The rate limiter keys on this header, so a client that is not behind a trusted proxy can send a fresh value on every request and bypass the limit. Only deploy behind a trusted proxy that overwrites the header.
- Auth disabled by default - Always set `api_keys` in production.
- No RBAC - All authenticated clients have equal access to all projects.
- No request signing - API keys travel in a header and can be intercepted on plaintext connections. Use HTTPS.
- Client uses HTTP only - Use `https://` URLs manually until an SSL parameter is added.
- OpenAPI docs public - `/docs` and `/redoc` bypass auth. Disable them in production or protect them at the proxy level.
- No audit logging - No persistent log of auth attempts or operations.
- Secrets in env vars - Use a secrets manager in production.
```ini
# .env
api_keys=<key1>,<key2>
rate_limit_per_minute=100
cors_origins=https://your-app.com
```

- Deploy behind an HTTPS reverse proxy
- Restrict database access via firewall
- Use secrets manager for credentials
- Enable database SSL
- Set up monitoring and log aggregation