mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-06-12 08:51:53 +00:00
a04854800f
Two security hardening changes for the API server: 1. **Startup warning when no API key is configured.** When `API_SERVER_KEY` is not set, all endpoints accept unauthenticated requests. This is the default configuration, but operators may not realize the security implications. A prominent warning at startup makes the risk visible. 2. **Require authentication for session continuation.** The `X-Hermes-Session-Id` header allows callers to load and continue any session stored in state.db. Without authentication, an attacker who can reach the API server (e.g. via CORS from a malicious page, or on a shared host) could enumerate session IDs and read conversation history — which may contain API keys, passwords, code, or other sensitive data shared with the agent. Session continuation now returns 403 when no API key is configured, with a clear error message explaining how to enable the feature. When a key IS configured, the existing Bearer token check already gates access. This is defense-in-depth: the API server is intended for local use, but defense against cross-origin and shared-host attacks is important since the default binding is 127.0.0.1 which is reachable from browsers via DNS rebinding or localhost CORS. |
||
|---|---|---|
| .. | ||
| builtin_hooks | ||
| platforms | ||
| __init__.py | ||
| channel_directory.py | ||
| config.py | ||
| delivery.py | ||
| hooks.py | ||
| mirror.py | ||
| pairing.py | ||
| run.py | ||
| session.py | ||
| status.py | ||
| sticker_cache.py | ||
| stream_consumer.py | ||