Problem
The out-of-the-box configuration is insecure: the server binds to all interfaces (0.0.0.0) while authentication is disabled unless MT5API_SECRET_KEY is set. A default python -m mt5api run therefore exposes trading-account data and terminal control to the whole network segment, with no warning at startup.
Evidence
mt5api/constants.py:27: DEFAULT_API_HOST = "0.0.0.0" # noqa: S104 — the bandit warning for binding all interfaces is explicitly suppressed rather than addressed.
mt5api/auth.py:17,30-32 + mt5api/config.py:116-122: auth is enabled only when MT5API_SECRET_KEY is set; otherwise verify_api_key allows every request.
- README /
docs/index.md:45 / docs/api/rest-api.md:31 present the key as "Optional: omit to disable auth" and even show uvicorn mt5api.main:app --host 0.0.0.0 as the copy-paste run command, without warning about the combination.
- Unauthenticated surface includes
GET /account (balance/equity), POST /order/check, and notably POST /connection/login (mt5api/routers/connection.py), which lets any network client re-point the running terminal at attacker-supplied credentials or brute-force account logins through the terminal.
- The "Security Checklist" in
docs/api/rest-api.md:325-334 covers HTTPS/rate limiting but never mentions host binding or that /connection/login is exposed when auth is off.
Impact
On a typical deployment (Windows desktop running a logged-in MT5 terminal on an office/home LAN), anyone on the network can read account financials and hijack the terminal session. The failure mode is silent — nothing in logs indicates the API is running wide open.
Suggested fix
Defense-in-depth for defaults, without breaking intentional deployments:
- Change
DEFAULT_API_HOST to 127.0.0.1; require an explicit MT5API_HOST=0.0.0.0 (documented) to expose the API beyond loopback.
- Log a prominent startup warning when auth is disabled, and consider refusing to start (or requiring an explicit opt-out env var) when auth is disabled and the bind address is non-loopback.
- Update README /
docs/api/rest-api.md security checklist accordingly (bind address guidance; call out /connection/login exposure).
Validation
- Unit tests for the new default host and the warning/guard path.
- Manual:
python -m mt5api with no env vars binds to 127.0.0.1:8000; setting MT5API_HOST=0.0.0.0 without a secret key produces the documented warning/refusal.
Problem
The out-of-the-box configuration is insecure: the server binds to all interfaces (
0.0.0.0) while authentication is disabled unlessMT5API_SECRET_KEYis set. A defaultpython -m mt5apirun therefore exposes trading-account data and terminal control to the whole network segment, with no warning at startup.Evidence
mt5api/constants.py:27:DEFAULT_API_HOST = "0.0.0.0" # noqa: S104— the bandit warning for binding all interfaces is explicitly suppressed rather than addressed.mt5api/auth.py:17,30-32+mt5api/config.py:116-122: auth is enabled only whenMT5API_SECRET_KEYis set; otherwiseverify_api_keyallows every request.docs/index.md:45/docs/api/rest-api.md:31present the key as "Optional: omit to disable auth" and even showuvicorn mt5api.main:app --host 0.0.0.0as the copy-paste run command, without warning about the combination.GET /account(balance/equity),POST /order/check, and notablyPOST /connection/login(mt5api/routers/connection.py), which lets any network client re-point the running terminal at attacker-supplied credentials or brute-force account logins through the terminal.docs/api/rest-api.md:325-334covers HTTPS/rate limiting but never mentions host binding or that/connection/loginis exposed when auth is off.Impact
On a typical deployment (Windows desktop running a logged-in MT5 terminal on an office/home LAN), anyone on the network can read account financials and hijack the terminal session. The failure mode is silent — nothing in logs indicates the API is running wide open.
Suggested fix
Defense-in-depth for defaults, without breaking intentional deployments:
DEFAULT_API_HOSTto127.0.0.1; require an explicitMT5API_HOST=0.0.0.0(documented) to expose the API beyond loopback.docs/api/rest-api.mdsecurity checklist accordingly (bind address guidance; call out/connection/loginexposure).Validation
python -m mt5apiwith no env vars binds to127.0.0.1:8000; settingMT5API_HOST=0.0.0.0without a secret key produces the documented warning/refusal.