diff --git a/apps/be9700-api/metadata/description.md b/apps/be9700-api/metadata/description.md index b5eb036..c402d82 100644 --- a/apps/be9700-api/metadata/description.md +++ b/apps/be9700-api/metadata/description.md @@ -25,9 +25,11 @@ Every request to `/api/*` must carry: | `X-Router-Password` | Router admin password (for fresh sessions) | | `X-Router-Session` | Reuse a session token returned by a previous call (JSON) | -This means the container itself holds no secrets and is safe to expose via -Traefik without any additional auth middleware — just use the API from clients -that supply the headers. +The container holds no stored secrets, but the `/api/*` surface controls your +router and CORS is open — anyone who can reach the service and supply a valid +router password can change router settings. Keep this app LAN-only unless you +place an auth middleware (e.g. Traefik forward-auth / Authentik) in front of it +before exposing it to the internet. ## Quick start