Security Audit Exposes Critical Auth Gaps & HTTPS Bypass in Trading Platform (#118, #146, #147)
A recent security audit has uncovered three critical vulnerabilities in a trading platform's infrastructure, exposing significant gaps in authentication and HTTPS enforcement. The findings reveal that an attacker could bypass HTTPS protections entirely and access sensitive trading data and controls without authorization, posing a direct threat to system integrity and user funds.
The most severe issue, SEC-004 (#118), allowed an attacker to bypass HTTPS enforcement by sending a forged `X-Forwarded-Proto` header over a plain HTTP connection. The system previously trusted this header unconditionally, a flaw now corrected to only trust it when explicitly configured for reverse-proxy setups. Simultaneously, the audit closed an asymmetric authentication flaw (QA-003, #146) where endpoints like `/agents`, `/sessions`, and `/positions` were publicly accessible while `/orders` required auth, creating an inconsistent security boundary. A third critical finding (QA-004, #147) exposed the `/dashboard`—containing live positions, P&L data, and trading controls—without any authentication whatsoever.
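To make the SEC-004 mechanism concrete, the following is an added example (not the platform's own code) showing the pre-fix and post-fix handling of `X-Forwarded-Proto` side by side. The `Request` class, the `trust_proxy_headers` setting and the 403 response for non-TLS requests are assumptions made for the illustration; the page does not describe the platform's actual types or status codes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    # Scheme actually observed on the socket ("http" or "https").
    socket_scheme: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive in HTTP.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def effective_scheme_vulnerable(req: Request) -> str:
    """Pre-fix behaviour (SEC-004): the header is trusted unconditionally,
    so a client on plain HTTP can simply claim it arrived over TLS."""
    forwarded = req.header("X-Forwarded-Proto")
    return forwarded.strip().lower() if forwarded else req.socket_scheme


def effective_scheme_hardened(req: Request, trust_proxy_headers: bool) -> str:
    """Post-fix behaviour: the header is honoured only when the deployment is
    explicitly configured as sitting behind a reverse proxy, and even then
    only if it carries a single well-formed scheme. Note that this setting is
    only safe when the application port is reachable exclusively from the
    proxy; otherwise a direct client could still forge the header."""
    if not trust_proxy_headers:
        return req.socket_scheme
    forwarded = req.header("X-Forwarded-Proto")
    if forwarded is None:
        return req.socket_scheme
    candidate = forwarded.strip().lower()
    return candidate if candidate in ("http", "https") else req.socket_scheme


def enforce_https(req: Request, trust_proxy_headers: bool) -> int:
    """Constructed policy: 403 for requests not seen as TLS, 200 otherwise."""
    if effective_scheme_hardened(req, trust_proxy_headers) == "https":
        return 200
    return 403


if __name__ == "__main__":
    # Constructed request: plain HTTP socket, forged header.
    forged = Request("http", {"X-Forwarded-Proto": "https"})
    print("vulnerable sees:", effective_scheme_vulnerable(forged))
    print("hardened (default) sees:", effective_scheme_hardened(forged, False))
    print("hardened (behind proxy) sees:", effective_scheme_hardened(forged, True))
```

The default `trust_proxy_headers=False` path corresponds to the corrected default described above: the header is ignored and the socket scheme decides. Operators who do run behind a TLS-terminating proxy opt in explicitly, which is the point of the fix.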
These fixes represent a fundamental hardening of the platform's security posture. The changes enforce authentication uniformly across all sensitive endpoints and correct a dangerous misconfiguration that could have allowed man-in-the-middle attacks. The default configuration now rejects the `X-Forwarded-Proto` header, and authentication middleware has been repositioned to run before rate limiters, ensuring unauthorized requests are blocked without consuming system resources. This audit wave highlights persistent risks in complex financial software where inconsistent authorization and misplaced trust in network headers can create exploitable gaps.
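The two structural fixes described in this paragraph, a single uniform authentication boundary over every sensitive endpoint and authentication running ahead of rate limiting, are shown in the added example below. This is illustrative code written for this article, not the platform's middleware; the `SENSITIVE_PATHS` set is built from the endpoints the audit names, while the bearer-token store, the fixed-window limiter and the route table are constructed stand-ins.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, str]
Handler = Callable[["Request"], Response]

# Every data-bearing or control endpoint named in the audit sits in one set,
# so the boundary is uniform rather than decided route by route.
SENSITIVE_PATHS = frozenset({"/agents", "/sessions", "/positions", "/orders", "/dashboard"})

# Constructed credential store for the example; a real deployment would
# validate tokens against a proper identity provider.
VALID_TOKENS = {"tok-alice": "alice"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "198.51.100.7"  # constructed sample address
    user: Optional[str] = None


def require_auth(next_handler: Handler) -> Handler:
    """Reject unauthenticated access to any sensitive path before anything
    downstream runs; non-sensitive paths pass through untouched."""
    def handler(req: Request) -> Response:
        if req.path in SENSITIVE_PATHS:
            raw = req.headers.get("Authorization", "")
            token = raw[len("Bearer "):] if raw.startswith("Bearer ") else ""
            user = VALID_TOKENS.get(token)
            if user is None:
                return 401, "authentication required"
            req.user = user
        return next_handler(req)
    return handler


class RateLimiter:
    """Fixed-window counter per client IP. The limit is kept tiny so the
    example can show the budget being exhausted."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts: Dict[str, int] = defaultdict(int)

    def wrap(self, next_handler: Handler) -> Handler:
        def handler(req: Request) -> Response:
            self.counts[req.client_ip] += 1
            if self.counts[req.client_ip] > self.limit:
                return 429, "rate limit exceeded"
            return next_handler(req)
        return handler


def dashboard(req: Request) -> Response:
    return 200, f"dashboard for {req.user}"


ROUTES: Dict[str, Handler] = {
    "/health": lambda req: (200, "ok"),
    "/dashboard": dashboard,
}


def route(req: Request) -> Response:
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


def build_pipeline(limiter: RateLimiter, auth_first: bool) -> Handler:
    """auth_first=True is the post-fix ordering: unauthenticated requests are
    refused before they touch the limiter's state. auth_first=False is the
    ordering the article says was in place before the fix."""
    if auth_first:
        return require_auth(limiter.wrap(route))
    return limiter.wrap(require_auth(route))


if __name__ == "__main__":
    limiter = RateLimiter(limit=2)
    pipeline = build_pipeline(limiter, auth_first=True)
    print(pipeline(Request("/dashboard")))            # anonymous: 401
    print("budget consumed:", limiter.counts["198.51.100.7"])
```

With the corrected ordering, a burst of anonymous requests never advances the per-client counter, so a legitimate, authenticated user sharing that address (or the attacker's own later attempt) is not pushed into a 429 by traffic that was going to be rejected anyway. With the old ordering the limiter's state is consumed first, which is exactly the resource waste the repositioning removes.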