## Critical Security Gap: Nginx Deny Rule for `/api/lessons-` Never Implemented Despite PR #344
A critical security fix for a public API vulnerability was documented as completed but never actually implemented. PR #344 was merged, with its changelog claiming to resolve issue #340 by adding a deny rule in the nginx configuration to block public access to the `/api/lessons-` endpoint. However, the core fix—the actual change to the `setup/nginx-site.conf` file—was missing from the pull request. The PR diff contained only updates to documentation and data files, leaving the production nginx configuration unchanged.

This oversight leaves the `data/lessons-summary.md` file, generated by the `lessons-learned.sh` script, fully accessible via the public `/api/` catch-all alias. This was the precise exposure risk detailed in the original vulnerability report (#340). The incomplete fix creates a dangerous discrepancy between the project's stated security posture and its actual deployed state, as the changelog incorrectly records the issue as resolved.

The required action is clear: immediately add the specified nginx deny rule to `setup/nginx-site.conf`, following the established pattern used to secure other sensitive endpoints like `/api/security/`, `/api/email/`, and `/api/comms/`. This incident highlights a critical failure in the code review and deployment verification process, where a PR can be approved and merged based on documentation updates alone, while the operational security patch is omitted.
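The following is an added example, not the project's configuration or any script from the PR: it shows the kind of `/api/` catch-all alias that exposes generated files, the deny rule for the `/api/lessons-` prefix placed alongside the existing sensitive-endpoint blocks, and a small merge-gate check that fails when a config does not actually contain the rule a changelog claims. The server name, the `/srv/app/data/` path, the block layout and the `has_deny_rule` / `denied_prefixes` helpers are all assumptions; only the endpoint prefixes come from the report.

```shell
#!/usr/bin/env sh
# Added example (not the project's own config or tooling). Paths, the config
# text and the helper names are constructed for illustration.

# Constructed "before" config: the /api/ catch-all alias hands out every file
# under the data directory, so /api/lessons-summary.md maps straight to
# /srv/app/data/lessons-summary.md.
VULNERABLE_CONF='server {
    listen 80;
    server_name example.invalid;

    location /api/ {
        alias /srv/app/data/;
        autoindex off;
    }
}'

# Constructed "after" config: an explicit prefix location for /api/lessons-
# next to the other sensitive-endpoint blocks. nginx selects the longest
# matching prefix location, so this block wins over /api/ for
# /api/lessons-summary.md and the request is refused before the alias applies.
# ^~ additionally stops nginx from consulting any regex locations afterwards.
FIXED_CONF='server {
    listen 80;
    server_name example.invalid;

    location ^~ /api/security/ { deny all; }
    location ^~ /api/email/    { deny all; }
    location ^~ /api/comms/    { deny all; }
    location ^~ /api/lessons-  { deny all; }

    location /api/ {
        alias /srv/app/data/;
        autoindex off;
    }
}'

# has_deny_rule CONF PREFIX
# Exit 0 when CONF (passed as a string) contains a location block whose prefix
# is exactly PREFIX and whose body contains "deny all;", exit 1 otherwise.
# Meant as a CI/merge gate: a PR claiming to add the rule cannot land without it.
# Assumes PREFIX contains no regex metacharacters (true for /api/... paths).
has_deny_rule() {
    conf=$1
    prefix=$2
    # Join lines so a multi-line block is matched by a single grep, then look
    # for: location [^~] PREFIX { ... deny all; ... } without crossing a "}".
    printf '%s' "$conf" | tr '\n' ' ' \
        | grep -Eq 'location[[:space:]]+(\^~[[:space:]]+)?'"$prefix"'[[:space:]]*[{][^}]*deny[[:space:]]+all;'
}

# denied_prefixes CONF
# Print, one per line, every location prefix in CONF that is denied outright.
# Useful reviewer output: compare it with the list the changelog promises.
denied_prefixes() {
    printf '%s' "$1" | tr '\n' ' ' \
        | grep -Eo 'location[[:space:]]+(\^~[[:space:]]+)?[^[:space:]{]+[[:space:]]*[{][^}]*deny[[:space:]]+all;' \
        | sed -E 's/^location[[:space:]]+(\^~[[:space:]]+)?([^[:space:]{]+).*/\2/'
}

# Stand-alone demonstration: the gate fails on the merged-but-unfixed config
# and passes once the rule is really present.
if has_deny_rule "$VULNERABLE_CONF" /api/lessons-; then
    echo "before fix: /api/lessons- deny rule present"
else
    echo "before fix: /api/lessons- deny rule MISSING (gate would block merge)"
fi
if has_deny_rule "$FIXED_CONF" /api/lessons-; then
    echo "after fix:  /api/lessons- deny rule present"
else
    echo "after fix:  /api/lessons- deny rule MISSING (gate would block merge)"
fi
echo "denied prefixes in fixed config:"
denied_prefixes "$FIXED_CONF"
```

The check is deliberately textual so it can run in CI on the PR diff's resulting file without an nginx binary; on a deploy host the authoritative confirmation is still `nginx -t` followed by a request for the summary path returning 403. `deny all;` matches the pattern the report asks for; a project that prefers not to confirm the file's existence to unauthenticated callers can use `return 404;` in the same block instead.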
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, nginx, devops, code-review-failure
- **Credibility**: unverified
- **Published**: 2026-03-28 09:26:57
- **ID**: 38899
- **URL**: https://whisperx.ai/en/intel/38899