jake/clawdbot-workspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
clawdbot-workspace/pentest-realwave/REPORT.md

515 lines
22 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 🔒 Security Audit Report: realwave.com
**Date:** February 7, 2026
**Auditor:** Clawdbot Pentest Subagent
**Target:** https://www.realwave.com/
**Authorization:** Fully authorized by site owner (Jake Shore)
**Scope:** Full external pentest — reconnaissance, HTTP headers, CORS, SSL/TLS, auth, API discovery, client-side, information disclosure, third-party risk, infrastructure
---
## 1. Executive Summary
RealWave AI (www.realwave.com) is an Angular-based SPA running on **Microsoft IIS 10.0** with an **ASP.NET** backend, using **Firebase** for authentication and **SignalR** for real-time communication. The site uses **Go High Level (GHL)** as a CRM/marketing platform and integrates with **Closebot** AI agents.
### Critical Findings Overview
| Severity | Count | Summary |
|----------|-------|---------|
| **CRITICAL** | 0 | — |
| **HIGH** | 3 | Missing security headers (CSP, HSTS, X-Frame-Options), server/tech fingerprinting, exposed sensitive identifiers |
| **MEDIUM** | 5 | Wildcard CORS on link subdomain, missing SRI on external scripts, Firebase config in client JS, verbose console logging, exposed webhook URL |
| **LOW** | 4 | X-Powered-By header exposed, no sitemap.xml, IIS default error pages, no security.txt |
| **INFO** | 4 | Tech stack details, subdomain mapping, DNS records, SPA catch-all behavior |
**Overall Risk Rating: MEDIUM-HIGH** — The site lacks critical security headers, exposes server technology details, and has exploitable CORS configurations on subdomains. No data breaches or critical auth bypasses were found, but the attack surface is larger than necessary.
---
## 2. Tech Stack Identification
| Component | Technology | Evidence |
|-----------|-----------|----------|
| **Web Server** | Microsoft IIS 10.0 | `Server: Microsoft-IIS/10.0` header |
| **Backend** | ASP.NET (C#) | `X-Powered-By: ASP.NET` header, SignalR hubs |
| **Frontend** | Angular (v17+) | `data-critters-container`, `app-root` component, Angular module patterns in JS |
| **Auth** | Firebase Auth | Firebase config in main.js, Google sign-in |
| **Real-time** | SignalR | `/chatHub` and `/uiHub` endpoints |
| **CRM/Marketing** | Go High Level (GHL) | `link.realwave.com` → GHL, location ID `8jJylXIxcMrt2E2RW0hW` |
| **AI Platform** | Closebot | Agent library, persona system referenced |
| **CDN** | None (direct IP) | IP `162.43.207.214` directly exposed |
| **SSL** | Let's Encrypt (R13) | Wildcard cert `*.realwave.com`, expires April 21, 2026 |
| **DNS** | GoDaddy (ns55/ns56.domaincontrol.com) | NS records |
| **Email** | Microsoft 365 | MX → `realwave-com.mail.protection.outlook.com` |
| **Analytics** | Google Analytics 4 | Tag: `G-70DG95YYYQ` |
| **Hosting** | Custom/VPS | IP `162.43.207.214`, no CDN, Windows Server |
### Subdomains Discovered
| Subdomain | Points To | Service |
|-----------|-----------|---------|
| `www.realwave.com` | `162.43.207.214` | Main site (IIS) |
| `realwave.com` | `162.43.207.214` | Same (no www→www redirect on HTTPS) |
| `blog.realwave.com` | `162.43.207.214` | Static blog (IIS) |
| `api.realwave.com` | `162.43.207.214` (via CNAME) | Same as www (SPA catch-all) |
| `link.realwave.com` | GHL/LeadConnector | Go High Level CRM |
| `lc.realwave.com` | Cloudflare-protected | GHL (Cloudflare challenge) |
| `app.realwave.com` | `app.msgsndr.com``35.202.49.152` | GHL white-label app |
### DNS TXT Records of Interest
- `firebase=gpteam-37d0c` — Firebase project identifier
- `openai-domain-verification=dv-hIUwmeo0pVXRaekLaIHCjL4u` — OpenAI domain verification
- Dual SPF records (potential conflict): one for Outlook, one for Firebase
---
## 3. HTTP Security Headers Analysis
### Headers Present on `www.realwave.com`
| Header | Value | Status |
|--------|-------|--------|
| `Server` | `Microsoft-IIS/10.0` | ⚠️ Exposed |
| `X-Powered-By` | `ASP.NET` | ⚠️ Exposed |
| `Content-Type` | `text/html` | ✅ Present |
| `ETag` | Present | ✅ |
### **MISSING Security Headers**
| Header | Status | Impact |
|--------|--------|--------|
| **Content-Security-Policy** | ❌ MISSING | **HIGH** — No protection against XSS, script injection, data exfiltration |
| **Strict-Transport-Security** | ❌ MISSING | **HIGH** — No HSTS enforcement; vulnerable to SSL stripping (MITM) |
| **X-Frame-Options** | ❌ MISSING | **HIGH** — Vulnerable to clickjacking attacks |
| **X-Content-Type-Options** | ❌ MISSING | **MEDIUM** — Browser may MIME-sniff responses |
| **X-XSS-Protection** | ❌ MISSING | **LOW** — Legacy header, but still useful for older browsers |
| **Referrer-Policy** | ❌ MISSING | **MEDIUM** — May leak referrer data to third parties |
| **Permissions-Policy** | ❌ MISSING | **MEDIUM** — Browser features (camera, mic, etc.) not restricted |
| **Cross-Origin-Opener-Policy** | ❌ MISSING | **LOW** |
| **Cross-Origin-Resource-Policy** | ❌ MISSING | **LOW** |
### Comparison: `lc.realwave.com` (Cloudflare) has excellent headers:
-`x-content-type-options: nosniff`
-`referrer-policy: same-origin`
-`permissions-policy` (comprehensive)
-`cross-origin-embedder-policy: require-corp`
-`cross-origin-opener-policy: same-origin`
-`cross-origin-resource-policy: same-origin`
-`origin-agent-cluster: ?1`
This proves that proper headers are achievable — the main site simply hasn't been configured.
---
## 4. CORS Analysis
### www.realwave.com — Selective Origin Reflection with Credentials
| Test Origin | `Access-Control-Allow-Origin` | `Allow-Credentials` |
|-------------|-------------------------------|---------------------|
| `https://evil.com` | ❌ Not reflected | — |
| `https://realwave.com` | ✅ Reflected | `true` |
| `https://blog.realwave.com` | ✅ Reflected | `true` |
| `https://evil.realwave.com` | ❌ Not reflected | — |
| `https://realwave.com.evil.com` | ❌ Not reflected | — |
| `https://link.realwave.com` | ❌ Not reflected | — |
| `null` | ❌ Not reflected | — |
**Assessment:** The main site's CORS policy is **reasonably configured** — it only reflects known subdomains and doesn't reflect arbitrary origins. However, `Access-Control-Allow-Credentials: true` with reflected origins means any compromised subdomain can make authenticated cross-origin requests.
### ⚠️ link.realwave.com — WILDCARD CORS WITH FULL ACCESS
| Header | Value |
|--------|-------|
| `Access-Control-Allow-Origin` | `*` (wildcard) |
| `Access-Control-Allow-Methods` | `GET,HEAD,PUT,PATCH,POST,DELETE` |
| `Access-Control-Allow-Headers` | `Content-Type,Authorization` |
**Risk:** This is a **Go High Level** platform limitation, not your server config. The wildcard CORS allows ANY website to make API requests to `link.realwave.com`. Since `Authorization` is in allowed headers, if tokens are ever passed via this subdomain, they could be stolen. Since this is GHL's infrastructure, you can't directly fix it, but be aware.
### GHL Webhook — Wildcard CORS
`https://services.leadconnectorhq.com/hooks/...` also has `Access-Control-Allow-Origin: *`. This is GHL's choice.
---
## 5. Cookie/Session Analysis
| Finding | Detail |
|---------|--------|
| **Session Mechanism** | Firebase Auth (client-side tokens) + SignalR session tokens |
| **Cookies Set** | ❌ No cookies observed on initial page load |
| **Token Storage** | Tokens stored in browser (likely localStorage/sessionStorage via Firebase SDK) |
| **SignalR Auth** | Token-based via query parameter and headers |
**Note:** The Angular app uses Firebase for authentication. No traditional session cookies were observed — auth state is managed entirely client-side via Firebase SDK and passed to the ASP.NET backend via Bearer tokens. This is a modern approach but requires strict CSP to prevent token theft via XSS.
---
## 6. API/Endpoint Discovery
### Backend API Endpoints (discovered from main.js)
All require authentication (return 401 without token):
| Endpoint | Auth Required | Notes |
|----------|--------------|-------|
| `/api/Academy/AgentLibrary` | ✅ 401 | Agent library management |
| `/api/Academy/Lessons` | ✅ 401 | Lesson management |
| `/api/Academy/Personas` | ✅ 401 | AI persona management |
| `/api/Academy/Snapshots` | ✅ 401 | Snapshot management |
| `/api/Academy/Workflows` | ✅ 401 | Workflow management |
| `/api/admin/conversations` | ✅ 401 | Admin conversations |
| `/api/admin/locations` | SPA catch-all | Angular handles route |
| `/api/admin/notifications` | ✅ 401 | Admin notifications |
| `/api/audit-agent/projects` | ✅ 401 | Audit agent projects |
| `/api/audit-analytics` | ✅ 401 | Analytics |
| `/api/avatars/list` | ✅ 401 | Avatar listing |
| `/api/CloseBot` | SPA catch-all | Angular handles route |
| `/api/kb/projects` | SPA catch-all | Knowledge base |
| `/api/marketing/media-library` | ✅ 401 | Media library |
| `/api/marketing/projects` | ✅ 401 | Marketing projects |
| `/api/Notification` | ✅ 401 | Notifications |
| `/api/subscriptions/customers` | ✅ 401 | Customer data |
| `/api/subscriptions/products` | ✅ 401 | Product data |
| `/api/UserContent` | SPA catch-all | User content |
### SignalR Hubs
| Hub | Path | Auth |
|-----|------|------|
| ChatHub | `/chatHub/negotiate?uid={id}&negotiateVersion=1` | ✅ 401 |
| UIHub | `/uiHub/negotiate?uid={id}&negotiateVersion=1` | ✅ 401 |
**Positive:** All API endpoints properly return 401 without authentication. No unauthenticated data leaks.
### SPA Catch-All Behavior
The Angular SPA's URL rewriting causes ALL paths to return 200 with the index.html content (63,342 bytes). This means:
- `/.git/HEAD` → 200 (but returns SPA HTML, not git data)
- `/admin` → 200 (but returns SPA HTML)
- `/server-status` → 200 (but returns SPA HTML)
**This is NOT an actual exposure** — it's just the IIS URL rewrite rule serving the Angular app for all routes.
---
## 7. Client-Side Analysis
### Firebase Configuration Exposed in main.js
```
apiKey: "AIzaSyBdlwRi-iJImV0sdCE8gGxBpym4slvEgv8"
projectId: "gpteam-37d0c"
storageBucket: "gpteam-37d0c.appspot.com"
messagingSenderId: "625845939976"
appId: "1:625845939976:web:4ac6a8e7a5208fe1f786bd"
```
**Risk Level: MEDIUM** — Firebase API keys are designed to be public (client-side), but this information combined with the project ID could allow:
- Enumeration of Firebase Auth users (if sign-up is open)
- Abuse of Firebase services if Firestore/Storage security rules are misconfigured
- Cost amplification attacks if rate limiting is not configured
**Recommendation:** Ensure Firebase Security Rules are locked down, API key restrictions are set in Google Cloud Console (HTTP referrer restrictions), and Firebase App Check is enabled.
### GHL Location ID Exposed
The Go High Level location ID `8jJylXIxcMrt2E2RW0hW` appears in:
- Form widget URLs
- Webhook URLs
- JavaScript bundle
- API request patterns
This ID combined with the exposed webhook URL could allow:
- Spam submissions to the webhook
- Enumeration of GHL features
### Webhook URL Exposed
```
https://services.leadconnectorhq.com/hooks/8jJylXIxcMrt2E2RW0hW/webhook-trigger/TojDcSAx1jRu84taBZ9s
```
This webhook is publicly accessible and responds to requests (returns error for invalid payloads). An attacker could:
- Send crafted payloads to trigger workflows
- Potentially spam the CRM with fake data
### Console Logging in Production
The Angular app outputs **verbose debug logging** to the browser console:
- `[SignalRService] ctor: initializing connections with uid=-1 placeholders`
- `[SignalRService] Starting ChatHub to https://www.realwave.com/chatHub?uid=-1`
- `[SignalRService] ⚠️ NO SESSION TOKEN FOUND!`
- `Getting page title for route: /`
This reveals:
- Internal service architecture (SignalR hub names and URLs)
- Authentication flow details
- User ID patterns (numeric, starting from -1 for unauthenticated)
### Third-Party Script URLs in Bundle
The JS bundle contains references to numerous external services:
- `app.closebot.com` — Closebot AI
- `app.gohighlevel.com` — GHL platform
- `calendly.com/realwave` — Scheduling
- `calendly.com/ofer-9ckg/consulting-meeting-clone` — Personal calendly link
- `try.gamma.app/realwave` — Gamma presentations
- `img.youtube.com` — YouTube embeds
- Various API documentation URLs
---
## 8. Input Validation Results
### Form Discovery
- Login form (Firebase-based): `/login`
- Sign-up form: `/sign-up`
- GHL embedded forms via `link.realwave.com/widget/form/`
- Contact/lead capture forms embedded from GHL
**Testing Limitations:** Since authentication is Firebase-based (client-side SDK), traditional SQL injection is not applicable to the auth flow. The GHL forms are hosted on GHL infrastructure, outside the direct scope.
The Angular app uses client-side routing with no server-side rendering for public pages, limiting traditional injection vectors on the main domain.
---
## 9. Information Disclosure Findings
| Finding | Severity | Detail |
|---------|----------|--------|
| `Server: Microsoft-IIS/10.0` | **MEDIUM** | Reveals exact web server version |
| `X-Powered-By: ASP.NET` | **LOW** | Confirms backend technology |
| IIS default 404 error page | **LOW** | `/web.config` returns IIS-branded 404 instead of custom error |
| Console debug logging | **MEDIUM** | Reveals SignalR architecture, auth flow, user ID scheme |
| Firebase project details | **MEDIUM** | Full Firebase config in client JS |
| GHL Location ID | **MEDIUM** | `8jJylXIxcMrt2E2RW0hW` exposed in multiple places |
| Webhook URL | **MEDIUM** | Publicly callable GHL webhook |
| Calendly personal link | **LOW** | Personal booking link exposed in JS |
| OpenAI domain verification | **INFO** | DNS TXT record confirms OpenAI API usage |
| Source maps | ✅ Not exposed | `.js.map` files return 404 |
| `.git` directory | ✅ Not exposed | Returns SPA catch-all HTML |
| `.env` file | ✅ Not exposed | Returns 404 |
---
## 10. Third-Party Risk Assessment
### External Scripts Loaded
| Script | SRI? | Risk |
|--------|------|------|
| `googletagmanager.com/gtag/js?id=G-70DG95YYYQ` | ❌ No | **MEDIUM** — Google Analytics, no integrity check |
| `code.jquery.com/jquery-3.7.1.min.js` | ✅ Yes | Low — SRI hash verified |
| `cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js` | ✅ Yes | Low — SRI hash verified |
| `cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/js/bootstrap-markdown.min.js` | ❌ No | **MEDIUM** — No integrity verification |
| `link.realwave.com/js/form_embed.js` | ❌ No | Low — First-party (GHL) |
| `cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css` | ❌ No | **MEDIUM** — No integrity verification |
| `cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/css/bootstrap-markdown.min.css` | ❌ No | **LOW** — CSS, lower risk |
| `fonts.googleapis.com` | N/A | Low — Font loading |
| `fonts.gstatic.com` | N/A | Low — Font files |
**5 out of 7 external scripts/stylesheets lack SRI (Subresource Integrity).** If any CDN is compromised, malicious code could be injected into the site.
### Monaco Editor
The site loads Monaco Editor assets from a local path (`assets/monaco-editor/min/vs/...`), which is good — self-hosted rather than CDN-loaded.
---
## 11. SSL/TLS Analysis
| Check | Result |
|-------|--------|
| **Protocol** | TLS 1.3 ✅ |
| **Cipher** | AEAD-CHACHA20-POLY1305-SHA256 ✅ |
| **Certificate** | Let's Encrypt R13 ✅ |
| **Wildcard** | `*.realwave.com` + `realwave.com` ✅ |
| **Validity** | Jan 21 Apr 21, 2026 ✅ |
| **HTTP → HTTPS** | 302 redirect ✅ |
| **HSTS** | ❌ Not set |
| **HSTS Preload** | ❌ Not on preload list |
| **Mixed Content** | Not observed ✅ |
### Non-www HTTPS Issue
`https://realwave.com` serves the site directly **without redirecting to `https://www.realwave.com`**. This means:
- Two separate origins can serve the same content
- Cookie scope issues if cookies are ever set
- SEO duplicate content issues
---
## 12. Severity-Rated Findings Table
| # | Finding | Severity | Category | CVSS-like |
|---|---------|----------|----------|-----------|
| 1 | **No Content-Security-Policy header** | 🔴 HIGH | Headers | 7.1 |
| 2 | **No Strict-Transport-Security (HSTS)** | 🔴 HIGH | Headers/SSL | 7.0 |
| 3 | **No X-Frame-Options / frame-ancestors CSP** | 🔴 HIGH | Headers | 6.5 |
| 4 | **Wildcard CORS on link.realwave.com** | 🟡 MEDIUM | CORS | 5.8 |
| 5 | **Missing SRI on 5 external scripts/styles** | 🟡 MEDIUM | Third-Party | 5.5 |
| 6 | **Firebase config exposed in client JS** | 🟡 MEDIUM | Info Disclosure | 5.0 |
| 7 | **Verbose console debug logging in production** | 🟡 MEDIUM | Info Disclosure | 4.5 |
| 8 | **GHL webhook URL publicly exposed** | 🟡 MEDIUM | Info Disclosure | 4.5 |
| 9 | **Server header reveals IIS 10.0** | 🟢 LOW | Headers | 3.5 |
| 10 | **X-Powered-By: ASP.NET exposed** | 🟢 LOW | Headers | 3.0 |
| 11 | **No X-Content-Type-Options header** | 🟢 LOW | Headers | 3.0 |
| 12 | **No Referrer-Policy header** | 🟢 LOW | Headers | 3.0 |
| 13 | **No Permissions-Policy header** | 🟢 LOW | Headers | 2.5 |
| 14 | **IIS default error pages (info leak)** | 🟢 LOW | Info Disclosure | 2.0 |
| 15 | **No security.txt** | 🟢 LOW | Best Practice | 1.0 |
| 16 | **No sitemap.xml** | INFO | SEO | 0.5 |
| 17 | **Dual SPF records (potential conflict)** | INFO | Email | 1.0 |
| 18 | **Non-www HTTPS doesn't redirect to www** | INFO | Config | 1.0 |
| 19 | **GHL location ID exposed** | INFO | Info Disclosure | 1.0 |
---
## 13. Recommendations (Priority Order)
### 🔴 HIGH PRIORITY — Implement Immediately
#### 1. Add Security Headers (IIS `web.config`)
Add these headers to your IIS configuration:
```xml
<system.webServer>
<httpProtocol>
<customHeaders>
<!-- Remove server identification -->
<remove name="X-Powered-By" />
<remove name="Server" />
<!-- Security headers -->
<add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
<add name="X-Frame-Options" value="DENY" />
<add name="X-Content-Type-Options" value="nosniff" />
<add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
<add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=(), payment=()" />
<add name="Content-Security-Policy" value="default-src 'self'; script-src 'self' https://www.googletagmanager.com https://code.jquery.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://link.realwave.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ 'unsafe-inline' 'unsafe-eval'; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https: blob:; connect-src 'self' wss: https:; frame-src https://link.realwave.com https://www.google.com/recaptcha/ https://www.youtube.com;" />
</customHeaders>
</httpProtocol>
<!-- Remove Server header -->
<security>
<requestFiltering removeServerHeader="true" />
</security>
</system.webServer>
```
#### 2. Enable HSTS and Submit to Preload List
After adding the HSTS header, submit to https://hstspreload.org/ for inclusion in browser preload lists.
#### 3. Configure X-Frame-Options
Set to `DENY` (if site never needs framing) or `SAMEORIGIN` (if needed for internal iframes).
### 🟡 MEDIUM PRIORITY — Address Soon
#### 4. Add SRI to All External Scripts
```html
<!-- Add integrity attributes to all CDN scripts -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap-markdown/2.10.0/js/bootstrap-markdown.min.js"
integrity="sha384-..." crossorigin="anonymous"></script>
```
Generate SRI hashes using: https://www.srihash.org/
#### 5. Remove Console Debug Logging in Production
Strip or conditionally disable all `console.log`, `console.error` debug messages in the production Angular build. Use Angular's `environment.production` flag:
```typescript
if (!environment.production) {
console.log('[SignalRService] ...');
}
```
#### 6. Secure Firebase Configuration
- Enable Firebase App Check
- Restrict the API key in Google Cloud Console (HTTP referrer restrictions to `realwave.com` and subdomains only)
- Audit Firestore security rules
- Audit Firebase Storage security rules
#### 7. Protect GHL Webhook
- Add authentication/secret validation to the webhook endpoint
- Or implement rate limiting on the GHL webhook
- Consider using a proxy that validates requests before forwarding to GHL
### 🟢 LOW PRIORITY — Best Practices
#### 8. Remove Server Fingerprinting
Configure IIS to suppress the `Server` header or return a generic value.
#### 9. Custom Error Pages
Replace default IIS 404/500 error pages with custom branded pages that don't reveal server technology.
#### 10. Add security.txt
Create `/.well-known/security.txt` with contact information for security researchers.
#### 11. Fix Non-www HTTPS Redirect
Configure `https://realwave.com` to 301 redirect to `https://www.realwave.com` for consistency.
#### 12. Resolve Dual SPF Records
Having two SPF records (one for Outlook, one for Firebase) can cause email deliverability issues. Merge them into one:
```
"v=spf1 include:spf.protection.outlook.com include:_spf.firebasemail.com -all"
```
#### 13. Add sitemap.xml
Create and submit a sitemap.xml for proper search engine indexing.
---
## 14. Positive Security Findings ✅
| Finding | Detail |
|---------|--------|
| ✅ All API endpoints require authentication | 401 returned without token |
| ✅ SignalR hubs require authentication | 401 for unauthenticated negotiate |
| ✅ TLS 1.3 with strong cipher | Modern, secure encryption |
| ✅ HTTP → HTTPS redirect | 302 redirect in place |
| ✅ Source maps not exposed | .js.map returns 404 |
| ✅ No .git/.env exposure | SPA catch-all, not real data |
| ✅ jQuery and Bootstrap have SRI | Integrity verified |
| ✅ Main domain CORS is reasonable | Only reflects known subdomains |
| ✅ No directory listing | IIS properly configured |
| ✅ Let's Encrypt auto-renewal | Certificate management automated |
| ✅ Firebase Auth (client-side) | Modern, secure auth approach |
| ✅ No SQL injection vectors on main domain | SPA architecture + Firebase auth |
| ✅ reCAPTCHA integration | Bot protection available |
---
## 15. Infrastructure Notes
- **IP Address:** `162.43.207.214` — Directly exposed (no CDN/WAF)
- **Recommendation:** Consider placing behind Cloudflare or similar CDN/WAF for:
- DDoS protection
- Bot mitigation
- Automatic security headers
- Origin IP hiding
- Edge caching
The `lc.realwave.com` subdomain already uses Cloudflare and has excellent security headers — extending this to the main domain would be a significant improvement.
---
*Report generated: February 7, 2026 at 00:05 EST*
*All findings are based on external (black-box) testing without authentication.*
Reference in New Issue View Git Blame Copy Permalink