No description
14357a0223
api.performancewest.net uses an explicit per-path allowlist; everything else
falls through to a trusted-IP-only catch-all that returns 403. Six browser-
facing routes had no location block, so they 403'd for every public visitor:
/api/v1/npi/ <- THE healthcare sales killer. The 'Free NPI
Compliance Check' tool (top of the HC funnel,
where every HC campaign sends traffic) fetches
/api/v1/npi/lookup. It 403'd -> CORS error in
the browser -> the tool never rendered results
or the upsell CTAs (Revalidation $399 / NPPES
$149 / Bundle $899) -> 0 HC sales despite 17
sessions reaching it in 30d and 0 HC orders
EVER created in the compliance DB.
/api/v1/cdr/ telecom CDR profile tool
/api/v1/icc/ intrastate/ICC profile tool
/api/v1/corp/ corporate foreign-qual check
/api/v1/foreign-qualification/ foreign qualification quote/jurisdictions
/api/v1/lnpa-regions LNPA region lookup
Added explicit proxy_pass blocks (mirroring the existing entities/identity
pattern) before the catch-all. Verified live: all six now reach the app with
proper CORS; the NPI tool renders results + order CTAs end-to-end via a real
browser; npi-revalidation order page -> Stripe confirmed.
The live /etc/nginx/sites-enabled/pw-api.conf was hand-edited and untracked;
committing the current state here so it is version-controlled. (Live backup:
/root/pw-api.conf.bak_20260623.)
|
||
|---|---|---|
| .claude/projects/-home-justin-projects-performancewest-new-site/memory | ||
| api | ||
| chrome-extension/fcc-access-helper | ||
| data | ||
| docs | ||
| docserver | ||
| erpnext | ||
| frappe_adyen | ||
| frappe_ca_registry | ||
| frappe_crypto | ||
| infra | ||
| mcp | ||
| monitoring | ||
| node-compile-cache/v25.1.0-x64-392347a2-1000 | ||
| performancewest_erpnext | ||
| scripts | ||
| site | ||
| src | ||
| test_screenshots | ||
| .gitignore | ||
| CLAUDE.md | ||
| deploy.sh | ||
| docker-compose.dev.override.yml | ||
| docker-compose.yml | ||
| extract-erpnext-assets.sh | ||