registerHandlers exposes control endpoints over Wi‑Fi, but there is no authentication or authorization layer configured for these routes. An attacker on the same network (or connected to the device’s AP) can invoke /api/relay operations to control relays without credentials. Require an authentication gate (e.g., HMAC/shared secret token with nonce/timestamp) and enforce it before routing requests to network handlers.
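A sketch of the authentication gate recommended above, added here as an example and not taken from the project's code. It is written in Python to show the logic; the header names `X-Timestamp`, `X-Nonce` and `X-Signature`, the demo secret and the 30-second window are assumptions.

```python
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"  # placeholder; provision per device
MAX_SKEW_S = 30                             # assumed freshness window, seconds


class AuthGate:
    """Verifies HMAC-SHA256 over method, path, timestamp, nonce and body."""

    def __init__(self, secret, max_skew=MAX_SKEW_S):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, kept only while still replayable

    def sign(self, method, path, ts, nonce, body):
        # Binding method and path stops a signature for one route being
        # reused on another.
        msg = b"\n".join([method.encode(), path.encode(),
                          str(ts).encode(), nonce.encode(), body])
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def check(self, method, path, headers, body, now):
        """Return (allowed, reason). Call before dispatching to any handler."""
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        expected = self.sign(method, path, ts, nonce, body)
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        # Only correctly signed requests reach the nonce cache, so a client
        # without the secret cannot grow it.
        self.seen = {n: t for n, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts
        return True, "ok"
```

The router would call `check` first and return 401 on any failure, so that no `/api/relay` handler runs for an unsigned, stale or replayed request.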