From 61b74473e31f33d9fe5ddeb7c6c06135a5cea58f Mon Sep 17 00:00:00 2001
From: Pablo Revilla <pablorevilla@gmail.com>
Date: Wed, 17 Sep 2025 22:55:40 -0700
Subject: [PATCH] make the /api/config endpoint restrictive to what it
 provides. It will only show what is needed for the current code.

---
 meshview/web.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/meshview/web.py b/meshview/web.py
index 55f500a..99764e7 100644
--- a/meshview/web.py
+++ b/meshview/web.py
@@ -1579,15 +1579,22 @@ async def api_stats(request):
     return web.json_response(stats)
 
 
-
 @routes.get("/api/config")
 async def api_config(request):
     try:
-        # Return CONFIG as JSON
-        return web.json_response(CONFIG)
+        site = CONFIG.get("site", {})
+        safe_site = {
+            "map_interval": site.get("map_interval", 3),        # default 3 if missing
+            "firehose_interval": site.get("firehose_interal", 3)  # default 1000 if missing
+        }
+
+        safe_config = {"site": safe_site}
+
+        return web.json_response(safe_config)
     except Exception as e:
         return web.json_response({"error": str(e)}, status=500)
 
+
 @routes.get("/api/edges")
 async def api_edges(request):
     edges_set = set()