From cc0ce21de3842de5fb414b45d639d6d29b07c44b Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 17:51:08 +0000
Subject: [PATCH] fix(dashboard): remove CORS wildcard from /api/pulse (PILOT-300)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /api/pulse endpoint returned Access-Control-Allow-Origin: * with no authentication, allowing any external website to poll the registry's real-time request count and pulse samples via cross-origin fetch. This leaks a server-load fingerprint (peak request rates, busy windows) to any attacker-controlled page the dashboard operator visits. Fix: drop the permissive CORS header from this endpoint. Same- origin requests (the dashboard JS that consumes /api/pulse) are unaffected — CORS is only relevant for cross-origin fetches. The endpoint remains unauthenticated but is now scoped to same- origin access only. Closes PILOT-300
---
 dashboard/dashboard.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/dashboard/dashboard.go b/dashboard/dashboard.go
index 3c63687..d89e0a8 100644
--- a/dashboard/dashboard.go
+++ b/dashboard/dashboard.go
@@ -542,7 +542,6 @@ func (h *Handler) Serve(addr string) error {
 	mux.HandleFunc("/api/pulse", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		w.Header().Set("Access-Control-Allow-Origin", "*")
 		_ = json.NewEncoder(w).Encode(map[string]interface{}{
 			"ts": time.Now().UnixMilli(),
 			"total_requests": h.cb.RequestCount(),