coolify-mcp-server

The core server.py file attempts to handle secrets securely via environment variables and implements a Bearer token authentication middleware for SSE mode. However, a critical security risk exists due to numerous instances of hardcoded API tokens (Coolify, Cloudflare, MCP) found in various helper scripts, test files, and example configurations (e.g., coolify_for_openhands.py, deploy_mcp_to_coolify.py, deploy_realestate.py, configure_domain.py, verify_realestate.py, audit_coolify.py, audit_health.py, and most test_*.py files). While documentation strongly advises against this, the presence of these active tokens directly in the codebase poses a severe risk of accidental credential exposure if these files are run or shared. The server binds to 0.0.0.0, but it is behind an authentication middleware.