Several issues were found during a code review of the documentation site (docs/). This issue tracks the necessary fixes.
1. /api/ai endpoint has no rate-limiting or input validation
docs/server/api/ai.post.ts is a public POST endpoint with no authentication, no rate-limiting, and no input size validation. This allows anyone to exhaust the DeepSeek API budget by sending unlimited requests.
Fix applied (ru-docs branch):
- Rate-limit: 20 requests/minute per IP
- Reject requests with
messages.length > 30
- Sanitize
currentPage before injecting into the AI system prompt (prompt injection vector)
2. Security headers missing on /api/** routes
No Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, or Referrer-Policy headers are set for API routes in routeRules.
Fix applied: Added X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin for /api/**.
3. MCP flag should be env-based, not hardcoded
mcp.enabled was hardcoded to false. Since MCP is an eng-only feature, it should be controlled via an environment variable so the English deployment can enable it without code changes.
Fix applied: enabled: process.env.NUXT_MCP_ENABLED === 'true'
Set NUXT_MCP_ENABLED=true in the English deployment environment.
.env.example updated accordingly.
4. Minor: typo in runtimeConfig comment
// @depricate → // @deprecated
Several issues were found during a code review of the documentation site (
docs/). This issue tracks the necessary fixes.1.
/api/aiendpoint has no rate-limiting or input validationdocs/server/api/ai.post.tsis a public POST endpoint with no authentication, no rate-limiting, and no input size validation. This allows anyone to exhaust the DeepSeek API budget by sending unlimited requests.Fix applied (ru-docs branch):
messages.length > 30currentPagebefore injecting into the AI system prompt (prompt injection vector)2. Security headers missing on
/api/**routesNo
Content-Security-Policy,X-Frame-Options,X-Content-Type-Options, orReferrer-Policyheaders are set for API routes inrouteRules.Fix applied: Added
X-Content-Type-Options: nosniff,X-Frame-Options: DENY,Referrer-Policy: strict-origin-when-cross-originfor/api/**.3. MCP flag should be env-based, not hardcoded
mcp.enabledwas hardcoded tofalse. Since MCP is an eng-only feature, it should be controlled via an environment variable so the English deployment can enable it without code changes.Fix applied:
enabled: process.env.NUXT_MCP_ENABLED === 'true'Set
NUXT_MCP_ENABLED=truein the English deployment environment..env.exampleupdated accordingly.4. Minor: typo in
runtimeConfigcomment// @depricate→// @deprecated