fix: harden security across API client, headers, CI/CD, and contact form (#59)

- scripts/api/client.js: mask API key in error logs, add response size
  limit (50MB), validate URL hostname against allowlist
- scripts/api/seoul-metro-faci.js: cap pagination loop at MAX_PAGES=10
- All API modules: pass apiKey to fetchApi for error masking
- web/public/_headers: add Strict-Transport-Security and Permissions-Policy
- .github/workflows/deploy.yml: skip deploy on failed workflow_run
- web/src/components/ContactModal.tsx: block form submission on reCAPTCHA
  failure with user-facing error message instead of silent fallback

https://claude.ai/code/session_01LBvtFt23rsZctp48dkDb78

Co-authored-by: Claude <noreply@anthropic.com>

Author: brody-0125

.github/workflows/deploy.yml

@@ -27,6 +27,7 @@ concurrency:
 
 jobs:
   build:
+    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

scripts/api/air-quality.js

@@ -48,7 +48,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/client.js

@@ -1,8 +1,32 @@
 const MAX_RETRIES = 3;
 const TIMEOUT_MS = 10000;
 const BACKOFF_BASE_MS = 1000;
+const MAX_RESPONSE_BYTES = 50 * 1024 * 1024; // 50 MB
+const ALLOWED_HOSTS = ["openapi.seoul.go.kr"];
+
+function maskApiKey(msg, apiKey) {
+  if (!apiKey || !msg) return msg || "Unknown error";
+  return msg.replaceAll(apiKey, "***");
+}
+
+function validateUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (!ALLOWED_HOSTS.includes(parsed.hostname)) {
+      return `Blocked request to disallowed host: ${parsed.hostname}`;
+    }
+    return null;
+  } catch {
+    return `Invalid URL`;
+  }
+}
+
+export async function fetchApi(url, { apiKey } = {}) {
+  const hostError = validateUrl(url);
+  if (hostError) {
+    return { error: true, message: hostError, timestamp: new Date().toISOString() };
+  }
 
-export async function fetchApi(url) {
   let lastError;
 
   for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
@@ -22,18 +46,23 @@ export async function fetchApi(url) {
         throw new Error(`HTTP ${response.status}: ${response.statusText}`);
       }
 
+      const contentLength = Number(response.headers.get("content-length") || 0);
+      if (contentLength > MAX_RESPONSE_BYTES) {
+        throw new Error(`Response too large: ${contentLength} bytes (limit ${MAX_RESPONSE_BYTES})`);
+      }
+
       const data = await response.json();
       return data;
     } catch (err) {
       clearTimeout(timeoutId);
       lastError = err;
-      console.error(`Attempt ${attempt + 1}/${MAX_RETRIES} failed: ${err.message}`);
+      console.error(`Attempt ${attempt + 1}/${MAX_RETRIES} failed: ${maskApiKey(err.message, apiKey)}`);
     }
   }
 
   return {
     error: true,
-    message: lastError?.message || "Unknown error",
+    message: maskApiKey(lastError?.message, apiKey),
     timestamp: new Date().toISOString(),
   };
 }

scripts/api/disabled-restroom.js

@@ -8,7 +8,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/helper.js

@@ -8,7 +8,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/moving-walk.js

@@ -16,7 +16,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/safety-board.js

@@ -16,7 +16,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/seoul-metro-faci.js

@@ -1,6 +1,7 @@
 import { fetchApi } from "./client.js";
 
 const PAGE_SIZE = 1000;
+const MAX_PAGES = 10;
 const SERVICE_NAME = "SeoulMetroFaciInfo";
 
 let cachedRows = null;
@@ -16,10 +17,10 @@ export async function fetchAllFacilities(apiKey) {
   const allRows = [];
   let start = 1;
 
-  while (true) {
+  for (let page = 0; page < MAX_PAGES; page++) {
     const end = start + PAGE_SIZE - 1;
     const url = `http://openapi.seoul.go.kr:8088/${apiKey}/json/${SERVICE_NAME}/${start}/${end}/`;
-    const raw = await fetchApi(url);
+    const raw = await fetchApi(url, { apiKey });
 
     if (raw.error) {
       if (allRows.length > 0) break; // partial data is better than none

scripts/api/sign-language-phone.js

@@ -8,7 +8,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {

scripts/api/wheelchair-charger.js

@@ -8,7 +8,7 @@ export async function collect(apiKey) {
   const url = endpoint.url.replace("{KEY}", apiKey);
   const fields = endpoint.fields;
 
-  const raw = await fetchApi(url);
+  const raw = await fetchApi(url, { apiKey });
 
   if (raw.error) {
     return {