1. Path traversal in /api/v1/media/ — use path.resolve() and verify
resolved path stays within media base directory
2. DoS via unlimited POST body — add 10MB size limit to parseBody()
3. Default no-auth — reject all requests when httpApiToken is not
configured instead of silently allowing everything
4. Overly permissive CORS — restrict Access-Control-Allow-Origin from
wildcard (*) to localhost/127.0.0.1 only
5. Timing attack on token comparison — use crypto.timingSafeEqual()
instead of === for token verification
6. Unsafe default bind address — revert httpApiHost default from
0.0.0.0 back to 127.0.0.1 to prevent network exposure
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
62395b275d