MAJOR: TLSv1.0 and TLSv1.1 accepted on the edge
RFC 8996 (March 2021) deprecates TLSv1.0 and TLSv1.1. Modern browsers refuse them, but legacy bots and downgrade-attack tooling still negotiate them. PCI DSS and NIST SP 800-52r2 disallow them.
Reproducer
$ nmap --script ssl-enum-ciphers -p 443 omnisee.io | grep -E "TLSv1\.[01]"
| TLSv1.0:
| TLSv1.1:
Impact
• Audit/compliance flag.
• Legacy bots and TLS downgrade attacks remain possible.
Fix
Cloudflare → SSL/TLS → Edge Certificates → Minimum TLS Version → set to TLS 1.2 (or 1.3).
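For re-checking after the Cloudflare setting is changed, here is an added example (not part of the original report) that parses the output of nmap's ssl-enum-ciphers script and reports any protocol version below the TLS 1.2 floor. The sample output embedded below is constructed in the shape of real script output and is not a capture of the reported host; the function names (parse_enum_ciphers, policy_violations, audit) are assumptions of this example.

```python
import re
from typing import Dict, List

# Protocol versions that RFC 8996 and NIST SP 800-52r2 no longer permit.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Protocol header lines as emitted by nmap's ssl-enum-ciphers script,
# e.g. "|   TLSv1.0: " (real output carries a trailing space; both forms match).
PROTOCOL_LINE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
# Cipher suite lines, e.g. "|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\([^)]*\))?\s+-\s+([A-F])\s*$")


def parse_enum_ciphers(output: str) -> Dict[str, List[str]]:
    """Map each protocol version the server offered to the cipher suites listed under it."""
    offered: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = PROTOCOL_LINE.match(line)
        if m:
            current = m.group(1)
            offered[current] = []
            continue
        c = CIPHER_LINE.match(line)
        if c and current is not None:
            offered[current].append(c.group(1))
    return offered


def policy_violations(offered: Dict[str, List[str]]) -> List[str]:
    """Deprecated protocol versions the edge still negotiates, oldest first."""
    return sorted(v for v in offered if v in DEPRECATED_VERSIONS)


# Constructed sample (not a capture of omnisee.io): TLSv1.0 and TLSv1.1 are
# still offered next to 1.2 and 1.3, which is the finding described above.
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: C
"""


def audit(output: str = SAMPLE_OUTPUT) -> List[str]:
    """Parse scan output and return the versions that fail the minimum-TLS-1.2 policy."""
    return policy_violations(parse_enum_ciphers(output))


if __name__ == "__main__":
    bad = audit()
    print("deprecated versions offered:", ", ".join(bad) if bad else "none")
```

Pipe the real scan into audit() (for example by reading sys.stdin) and treat a non-empty result as a failed check; once the Cloudflare minimum is raised to 1.2, the TLSv1.0 and TLSv1.1 headers disappear from the script output and the list comes back empty.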

Report Title: Additional test cases and recommendations for /block/{invalid_format} handling
Report Details: I looked at this one and ran a few more tests. A couple of things are still missing.
First, there are other inputs worth checking. 0 is the genesis block and works fine. But floats like 1.5 or 3.14159 – those should be a straight 400. Right now they might be slipping through. Overflow numbers like 99999999999999999999 and 18446744073709551616 (that's 2^64) are also edge cases worth testing. A valid-looking hash that doesn't actually exist should be 404, not something else. And mixed hex like 123abc456 – that's neither a height nor a real hash, so 400 is the right call.
The real problem here is that invalid input is hitting an unhandled exception and bubbling up as a 5xx. That's not great. The code is probably trying to parse whatever comes in without checking format first. So you get a crash on something that should have been rejected early.
The original report didn't mention a few practical things. First, monitoring will fire on every 503. Someone running a quick fuzz will fill your alert dashboard with noise. Those should be filtered out. Second, logging these as ERROR instead of WARN just adds clutter. It's a user typo, not a broken service. Third, rate limiting these paths would make fuzzing a lot harder.
A proper fix needs a regex for 64-char hex hashes, a sane max height (something like 10 million is safe), and a clear path: check height, then hash, then return 400. Upstream errors should never surface as 5xx. Wrap them and return 404.
Also worth noting, this same pattern is probably sitting in /api/block and /api/transaction as well. Would be good to audit all path parameters in one go.
The bottom line is if someone types garbage, you don't return a 5xx. That's the rule to enforce everywhere. Something like this should work pretty well:
import re

from fastapi import FastAPI
from fastapi.responses import JSONResponse

app = FastAPI()

# fetch_by_height() and fetch_by_hash() are the existing backend lookups
# (assumed here); either may raise when the upstream node is unreachable.

BLOCK_HASH_PATTERN = re.compile(r'^[0-9a-fA-F]{64}$')
# ASCII digits only: str.isdigit() also accepts characters such as "²",
# which int() then rejects with a ValueError (another route to a 5xx).
HEIGHT_PATTERN = re.compile(r'^[0-9]+$')
MAX_HEIGHT = 10_000_000


def error(status: int, message: str) -> JSONResponse:
    # FastAPI does not treat a `dict, status` tuple as body plus status code;
    # the status has to be set on the response object.
    return JSONResponse(status_code=status, content={"error": message})


@app.get("/block/{block_id}")
async def get_block(block_id: str):  # avoid the name `input`, which shadows a builtin
    # Try height (digits only, so it cannot be negative)
    if HEIGHT_PATTERN.match(block_id):
        height = int(block_id)
        if height > MAX_HEIGHT:
            return error(400, "height out of range")
        try:
            result = fetch_by_height(height)
        except Exception:  # upstream failure must not surface as a 5xx
            return error(404, "not found")
        return result if result else error(404, "not found")
    # Try hash
    if BLOCK_HASH_PATTERN.match(block_id):
        try:
            result = fetch_by_hash(block_id)
        except Exception:
            return error(404, "not found")
        return result if result else error(404, "not found")
    # Invalid format
    return error(400, "invalid block identifier")