Mining/AUDIT-SECRETS.md

# Security Audit: Secrets & Configuration

This document outlines the findings of a security audit focused on exposed secrets and insecure configurations.

## 1. Secret Detection

### 1.1. Hardcoded Credentials & Sensitive Information

- **Placeholder Wallet Addresses:**
  - `miner/core/src/config.json`: Contains the placeholder `"YOUR_WALLET_ADDRESS"`.
  - `miner/proxy/src/config.json`: Contains the placeholder `"YOUR_WALLET"`.
  - `miner/core/doc/api/1/config.json`: Contains a hardcoded wallet address.

- **Default Passwords:**
  - `miner/core/src/config.json`: The `"pass"` field is set to `"x"`.
  - `miner/proxy/src/config.json`: The `"pass"` field is set to `"x"`.
  - `miner/core/doc/api/1/config.json`: The `"pass"` field is set to `"x"`.

- **Placeholder API Tokens:**
  - `miner/core/doc/api/1/config.json`: The `"access-token"` is set to the placeholder `"TOKEN"`.

## 2. Configuration Security

### 2.1. Insecure Default Configurations

- **`null` API Access Tokens:**
  - `miner/core/src/config.json`: The `http.access-token` is `null` by default. If the HTTP API is enabled without setting a token, it could allow unauthorized access.
  - `miner/proxy/src/config.json`: The `http.access-token` is `null` by default, posing a similar risk.

- **TLS Disabled by Default:**
  - `miner/core/src/config.json`: The `tls.enabled` flag is `false` by default. If services are exposed, communication would be unencrypted.
  - `miner/proxy/src/config.json`: While `tls.enabled` is `true`, the `cert` and `cert_key` fields are `null`, preventing a secure TLS connection from being established.

### 2.2. Verbose Error Messages

No instances of overly verbose error messages leaking sensitive information were identified during this audit.

### 2.3. CORS Policy

The CORS policy could not be audited as it was not explicitly defined in the scanned files.

### 2.4. Security Headers

No security headers (e.g., CSP, HSTS) were identified in the configuration files.