Skip to content

Security: GET /health leaks the ML stack (Facenet512 / mtcnn) — trim to minimal status #152

Description

@ahmetabdullahgultekin

The health endpoint publicly returns the model and detector names (Facenet512, mtcnn), disclosing the ML stack.

Evidence: app/api/routes/health.py:42-43 (model=settings.FACE_RECOGNITION_MODEL, detector=settings.FACE_DETECTION_BACKEND) and :249 (detailed response includes face_detection_backend/face_recognition_model).

Note: biometric-processor has no public route (Docker-internal, API-key-gated), so exposure is bounded — but the basic /health should still return only {status}; keep stack details on an auth-gated detailed endpoint.

Source: SECURITY_FINDINGS_2026-06-01 §1, re-verified on HEAD 2026-06-13.

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity-sensitive correctness or hardeningsurface/biobiometric-processor (FastAPI/Python)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions