
security: remove Asana URLs, harden http-allowed-hosts guidance, deconflict genesis chain IDs#134

Draft
Copilot wants to merge 2 commits into main from copilot/fix-exposed-asana-urls

Conversation


Copilot AI commented Mar 15, 2026

Three medium-severity security issues: internal Asana URLs committed to a public repo, --http-allowed-hosts="*" recommended without security caveats (disables DNS rebinding protection), and root genesis template files sharing chain ID 10508 with testnet (EIP-155 replay risk).

Asana URL removal

  • subnet-cli/subnet-cli-add-subnet-validator-{mainnet,testnet}.sh — replaced https://app.asana.com/0/1202305127727547/1202919355642524/f with see internal task tracker
  • README.md line 345 — same

HTTP host hardening (README, 3 occurrences)

Replaced the insecure pattern:

--http-host=0.0.0.0 \
--http-allowed-hosts="*"

with:

--http-host=127.0.0.1 \
--http-allowed-hosts="<your-rpc-domain.example.com>"

Added inline guidance recommending an nginx reverse proxy for external access and noting that the wildcard bypasses avalanchego's DNS rebinding protection (v1.10.3+).

Genesis chain ID deconfliction

Changed chainId in all three genesis/ template files from 10508 (identical to chains/testnet/genesis.json) to 99999 — a clearly out-of-range placeholder distinct from all deployed environments (mainnet: 10507, testnet: 10508, devnet: 10509). Operators must set a valid unique chain ID before deploying from these templates.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security][Medium] Exposed Asana URLs, wildcard http-allowed-hosts, and genesis chain ID reuse risk</issue_title>
<issue_description>## Summary

Three medium-severity security findings related to information exposure and configuration risks:

1. Internal Asana project URLs leaked in committed scripts

Files:

  • subnet-cli/subnet-cli-add-subnet-validator-mainnet.sh (line 2)
  • subnet-cli/subnet-cli-add-subnet-validator-testnet.sh (line 2)
  • README.md (line 345)

Direct Asana project URLs (https://app.asana.com/0/1202305127727547/1202919355642524/f) are committed in the public repository. The README labels this as "(internal task)", confirming these should not be publicly visible.

Fix: Replace Asana URLs with generic references like "See internal task tracker".

2. README recommends --http-allowed-hosts="*" without security documentation

File: README.md (lines 289-298, 911-913, 926-928)

The README recommends running avalanchego with --http-host=0.0.0.0 and --http-allowed-hosts="*" in three places. The wildcard disables DNS rebinding protection built into avalanchego. Combined with debug-tracer and internal-tx-pool APIs, this makes sensitive APIs accessible from any host.

Fix: Update README to recommend --http-host=127.0.0.1 for direct access, with nginx reverse proxy for external access. If --http-host=0.0.0.0 is required, set --http-allowed-hosts to specific RPC domain names.

3. Root genesis files share testnet chain ID 10508, risking EIP-155 replay attacks

Files:

  • genesis/genesis.json (line 3: "chainId": 10508)
  • genesis/genesis-nativecoin-feemgr.json (line 3: "chainId": 10508)
  • genesis/genesis-nativecoin-feemgr-feerecv.json (line 3: "chainId": 10508)
  • chains/testnet/genesis.json (line 3: "chainId": 10508)

All root genesis files use chain ID 10508 (identical to testnet). If used to deploy a new environment, transactions signed on testnet could be replayed on that chain and vice versa.

Fix: Assign unique chain IDs to root genesis files, or remove the genesis/ directory and consolidate under chains/{environment}/.

Impact

  • Asana URL exposure: organizational structure leakage, potential social engineering
  • Wildcard hosts: DNS rebinding attacks against node APIs
  • Chain ID reuse: cross-chain transaction replay attacks

Generated by Health Monitor with Omni</issue_description>

Comments on the Issue (you are @copilot in this section)
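To show what the http-allowed-hosts change actually buys, here is an added example (not avalanchego's code, only a simplified model of a Host-header allow-list) that runs the README's original flags and the hardened replacement against three constructed requests, including the one a DNS-rebinding page would cause the browser to send:

```python
"""Added example: model of an RPC Host-header allow-list (not avalanchego's own code).
A DNS-rebinding attack makes the victim's browser send requests whose Host header is the
attacker's domain while the name resolves to the node. A specific allow-list rejects that
Host; the wildcard accepts it, which is why "*" disables the protection."""
from urllib.parse import urlsplit

# Constructed configs: the README's original flags and the hardened replacement from this PR.
INSECURE = {"http-host": "0.0.0.0", "http-allowed-hosts": ["*"]}
HARDENED = {"http-host": "127.0.0.1", "http-allowed-hosts": ["rpc.example.com", "localhost"]}


def host_matches(host_header: str, allowed_hosts: list) -> bool:
    """True if the request's Host header passes the allow-list.
    '*' accepts everything; otherwise the hostname (port stripped, case-folded) must match."""
    if "*" in allowed_hosts:
        return True
    hostname = urlsplit("//" + host_header.strip()).hostname  # None for an empty header
    return hostname is not None and hostname in {h.lower() for h in allowed_hosts}


def admitted_requests(config: dict) -> dict:
    """Run constructed sample requests through the allow-list of a config."""
    samples = {
        "legit": "rpc.example.com:9650",   # operator's own RPC domain
        "local": "localhost:9650",         # direct local access
        "rebinding": "attacker.example",   # Host header a rebinding page would produce
    }
    return {name: host_matches(h, config["http-allowed-hosts"]) for name, h in samples.items()}


def audit_flags(config: dict) -> list:
    """Findings for the risky combination the issue describes."""
    findings = []
    if "*" in config["http-allowed-hosts"]:
        findings.append("wildcard http-allowed-hosts disables DNS rebinding protection")
        if config["http-host"] == "0.0.0.0":
            findings.append("API bound on all interfaces with no Host check")
    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, admitted_requests(cfg), audit_flags(cfg))
```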



…ons, deconflict genesis chain IDs

Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title [WIP] [Security] Fix exposed Asana URLs in public scripts security: remove Asana URLs, harden http-allowed-hosts guidance, deconflict genesis chain IDs Mar 15, 2026
Copilot AI requested a review from numbers-official March 15, 2026 10:55
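A CI-style guard for the chain ID finding, as an added example rather than anything the repository ships: it audits a directory of template genesis files against the deployed chain IDs listed in the PR description (mainnet 10507, testnet 10508, devnet 10509) and flags both collisions and the 99999 placeholder. It assumes subnet-evm style files where chainId sits under "config" (a top-level chainId is also accepted); the sample files are constructed in a temp directory.

```python
"""Added example (not the repository's own tooling): audit template genesis files for
chain-ID collisions. Under EIP-155 the chain ID is part of the signed payload, so two chains
sharing an ID accept each other's signed transactions: a collision is a replay risk."""
import json
import tempfile
from pathlib import Path

# Chain IDs of the deployed environments, as given in the PR description.
DEPLOYED = {"mainnet": 10507, "testnet": 10508, "devnet": 10509}
PLACEHOLDER = 99999  # value the templates now carry; must be replaced before deployment


def chain_id_of(genesis: dict) -> int:
    cfg = genesis.get("config", genesis)  # subnet-evm nests it under "config" (assumption)
    return int(cfg["chainId"])


def audit_templates(template_ids: dict, deployed: dict = DEPLOYED) -> list:
    """Return findings for template files (name -> chainId) against deployed environments."""
    findings, by_id = [], {}
    for env, cid in deployed.items():
        by_id.setdefault(cid, []).append(env)
    for cid, envs in by_id.items():
        if len(envs) > 1:
            findings.append(f"deployed environments {envs} share chainId {cid}")
    for name, cid in template_ids.items():
        for env in by_id.get(cid, []):
            findings.append(f"{name}: chainId {cid} collides with {env} (EIP-155 replay risk)")
        if cid == PLACEHOLDER:
            findings.append(f"{name}: placeholder chainId {cid} must be replaced before deploy")
    return findings


def audit_directory(genesis_dir: Path) -> list:
    ids = {p.name: chain_id_of(json.loads(p.read_text())) for p in sorted(genesis_dir.glob("*.json"))}
    return audit_templates(ids)


def demo(chain_id: int) -> list:
    """Write the three template file names from the PR, all with chain_id, and audit them."""
    names = ["genesis.json", "genesis-nativecoin-feemgr.json", "genesis-nativecoin-feemgr-feerecv.json"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:  # constructed minimal genesis content
            (Path(tmp) / name).write_text(json.dumps({"config": {"chainId": chain_id}, "alloc": {}}))
        return audit_directory(Path(tmp))


if __name__ == "__main__":
    print("before fix (10508):", *demo(10508), sep="\n  ")
    print("after fix (99999):", *demo(99999), sep="\n  ")
```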