Update CHANGELOG with 404 fix entry

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
adamp 2026-02-10 00:31:09 -06:00
parent 5074f3d9ef
commit 0534535e6e


@ -4,6 +4,20 @@ All notable changes to the Cookie Tracker are documented in this file.
---
## 2026-02-09 (404 Fix)
### Bugfix: Return Proper 404s for Non-Existent Routes
**Commit:** `5074f3d` — *Return proper 404s for unmatched API routes and static files*
**Problem**: Nessus flagged that requesting a non-existent page returned a 200 with `index.html` instead of a proper 404. The SPA catch-all (`app.get('*')`) was serving `index.html` for everything — including unmatched `/api/*` routes and non-existent static files like `/foo.js`.
**Fix** (`server/index.js`):
- Added a `/api` catch-all after all API route mounts that returns `404 JSON` (`{"error":"Not found"}`) for any unmatched API route. When auth is enabled, unauthenticated requests to non-existent API routes return 401 (the auth middleware intercepts before the 404 handler, avoiding route enumeration).
- Modified the SPA fallback to check `path.extname(req.path)` — requests with a file extension (e.g. `/foo.js`, `/missing.css`) now return a real 404 instead of `index.html`. Only extensionless navigation requests (e.g. `/orders`, `/customers/5`) serve `index.html` for React Router.
---
## 2026-02-09 (Security Hardening)
### Enhancement: Security Headers and Rate Limiting
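Review bot: the "Modified the SPA fallback to check `path.extname(req.path)`" bullet should state explicitly that extensionless paths matching no client-side route (for example `/nonexistent`) still receive a 200 with `index.html`, because the change keys only on the presence of a file extension; as written, a reader of the changelog may assume the Nessus finding is fully closed rather than narrowed to `/api/*` and paths with extensions. Suggest adding one sentence noting that residual behaviour and that the not-found view for such paths is React Router's responsibility, not the server's. Minor style point: `**Problem**:` and `**Fix** (\`server/index.js\`):` place the colon inconsistently relative to the bold markers; pick one form for both.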