The health endpoint publicly returns the model and detector names (Facenet512, mtcnn), disclosing the ML stack.
Evidence: app/api/routes/health.py:42-43 (model=settings.FACE_RECOGNITION_MODEL, detector=settings.FACE_DETECTION_BACKEND) and :249 (detailed response includes face_detection_backend/face_recognition_model).
Note: biometric-processor has no public route (Docker-internal, API-key-gated), so exposure is bounded — but the basic /health should still return only {status}; keep stack details on an auth-gated detailed endpoint.
Source: SECURITY_FINDINGS_2026-06-01 §1, re-verified on HEAD 2026-06-13.
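One way to implement the split recommended above, together with a regression check that flags stack names in an unauthenticated response (an added example, not the project's own code). It is framework-agnostic: the handlers return a (status code, body) pair, and the `SETTINGS` dict, the function names, the `"healthy"` status value and the API key are assumptions made for illustration.

```python
import hmac

# Assumed stand-in for the project's settings object; the model and detector
# names are the ones quoted in the finding, the API key is a constructed sample.
SETTINGS = {
    "FACE_RECOGNITION_MODEL": "Facenet512",
    "FACE_DETECTION_BACKEND": "mtcnn",
    "API_KEY": "constructed-example-key",
}
STACK_NAMES = [SETTINGS["FACE_RECOGNITION_MODEL"], SETTINGS["FACE_DETECTION_BACKEND"]]


def basic_health():
    """Unauthenticated liveness probe: status only, no stack details."""
    return 200, {"status": "healthy"}


def detailed_health(presented_key):
    """Detailed view, returned only when the caller presents the API key."""
    expected = SETTINGS["API_KEY"].encode()
    supplied = (presented_key or "").encode()
    # Constant-time comparison so response timing does not leak key bytes.
    if not hmac.compare_digest(supplied, expected):
        return 401, {"detail": "unauthorized"}
    return 200, {
        "status": "healthy",
        "face_recognition_model": SETTINGS["FACE_RECOGNITION_MODEL"],
        "face_detection_backend": SETTINGS["FACE_DETECTION_BACKEND"],
    }


def disclosed_fields(body, sensitive_values, path="$"):
    """Walk a JSON-like body; return paths whose string value names a stack component."""
    hits = []
    if isinstance(body, dict):
        for key, value in body.items():
            hits += disclosed_fields(value, sensitive_values, f"{path}.{key}")
    elif isinstance(body, list):
        for i, value in enumerate(body):
            hits += disclosed_fields(value, sensitive_values, f"{path}[{i}]")
    elif isinstance(body, str):
        lowered = body.lower()
        if any(s.lower() in lowered for s in sensitive_values):
            hits.append(path)
    return hits
```

Running `disclosed_fields` over the body of every unauthenticated route in CI catches a later change that reintroduces the model or detector name.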