httpd: restrict /api/memory to localhost only

httpd.py

@@ -61,6 +61,19 @@ _db_health_cache = {'value': {}, 'time': 0}
 _db_health_ttl = 10  # seconds
 
 
+def is_localhost(ip):
+    """Check if IP is localhost (127.0.0.0/8 or ::1)."""
+    if not ip:
+        return False
+    # IPv6 localhost
+    if ip == '::1':
+        return True
+    # IPv4 localhost (127.0.0.0/8)
+    if ip.startswith('127.'):
+        return True
+    return False
+
+
 def get_system_stats():
     """Collect system resource statistics."""
     stats = {}
@@ -566,7 +579,8 @@ class ProxyAPIServer(threading.Thread):
 
         # Route handling
         try:
-            response_body, content_type, status = self._handle_route(path)
+            remote_addr = environ.get('REMOTE_ADDR', '')
+            response_body, content_type, status = self._handle_route(path, remote_addr)
             status_line = '%d %s' % (status, 'OK' if status == 200 else 'Error')
             headers = [
                 ('Content-Type', content_type),
@@ -585,7 +599,7 @@ class ProxyAPIServer(threading.Thread):
             ])
             return [error_body]
 
-    def _handle_route(self, path):
+    def _handle_route(self, path, remote_addr=''):
         """Handle route and return (body, content_type, status)."""
         if path == '/':
             body = json.dumps({
@@ -713,7 +727,9 @@ class ProxyAPIServer(threading.Thread):
             except Exception as e:
                 return json.dumps({'error': str(e)}), 'application/json', 500
         elif path == '/api/memory':
-            # Memory profiling endpoint
+            # Memory profiling endpoint (localhost only)
+            if not is_localhost(remote_addr):
+                return json.dumps({'error': 'not available'}), 'application/json', 404
             try:
                 mem = {}