From 9a2be717b7c8596abf86d12850fe749abcf2b3bd Mon Sep 17 00:00:00 2001 From: Vignesh Date: Mon, 26 Jan 2026 21:28:45 -0800 Subject: [PATCH 1/2] docs: redirect gateway/security/formal-verification (#2594) --- docs/gateway/security-formal-verification.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 docs/gateway/security-formal-verification.md diff --git a/docs/gateway/security-formal-verification.md b/docs/gateway/security-formal-verification.md new file mode 100644 index 000000000..3fb5d649f --- /dev/null +++ b/docs/gateway/security-formal-verification.md @@ -0,0 +1,12 @@ +--- +title: Formal Verification (Security Models) +summary: Redirect to the canonical Formal Verification page. +permalink: /gateway/security/formal-verification/ +--- + +This page moved to: [/security/formal-verification/](/security/formal-verification/) + + From 9daa8464572c55bb1d9b09a83fd200c78758dbd3 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Tue, 27 Jan 2026 05:47:45 +0000 Subject: [PATCH 2/2] docs(bluebubbles): note reverse-proxy localhost trust caveat --- docs/channels/bluebubbles.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/channels/bluebubbles.md b/docs/channels/bluebubbles.md index a1f4a0892..914dc3664 100644 --- a/docs/channels/bluebubbles.md +++ b/docs/channels/bluebubbles.md @@ -218,6 +218,7 @@ Prefer `chat_guid` for stable routing: ## Security - Webhook requests are authenticated by comparing `guid`/`password` query params or headers against `channels.bluebubbles.password`. Requests from `localhost` are also accepted. - Keep the API password and webhook endpoint secret (treat them like credentials). +- Localhost trust means a same-host reverse proxy can unintentionally bypass the password. If you proxy the gateway, require auth at the proxy and configure `gateway.trustedProxies`. See [Gateway security](/gateway/security#reverse-proxy-configuration). - Enable HTTPS + firewall rules on the BlueBubbles server if exposing it outside your LAN. ## Troubleshooting