project-nomad/admin/app/validators
Claude 3ddbe731a5
security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal
- CORS: restrict origin from wildcard '*' to app URL from env (prevents
  cross-origin requests from arbitrary sites)
- Sessions: enable @adonisjs/session with cookie store and httpOnly/secure
  cookie flags; uncomment session middleware in kernel.ts
- CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN
  cookie mechanism compatible with Inertia.js/Axios; exempts /api/health
  and SSE transmit endpoints
- CSP: enable Content Security Policy with restrictive directives
  (no object-src, no frame-src, self-only script/style/connect/font)
- HSTS: enable HTTP Strict Transport Security in production only
- Path traversal: tighten filenameParamValidator to block /, \, ..,
  and shell special characters; reduce max length from 4096 to 255
- env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts

https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6
2026-03-22 21:11:18 +00:00
benchmark.ts feat: Add system benchmark feature with NOMAD Score 2026-01-22 21:48:12 -08:00
chat.ts feat: [wip] native AI chat interface 2026-01-31 20:39:49 -08:00
common.ts security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal 2026-03-22 21:11:18 +00:00
curated_collections.ts feat: curated content system overhaul 2026-02-11 15:44:46 -08:00
download.ts feat(Open WebUI): manage models via Command Center 2026-01-19 22:15:52 -08:00
ollama.ts feat(AI Assistant): improved state management and performance 2026-03-11 14:08:09 -07:00
rag.ts feat(RAG): allow deletion of files from KB 2026-03-04 20:05:14 -08:00
settings.ts feat(AI Assistant): custom name option for AI Assistant 2026-03-04 20:05:14 -08:00
system.ts feat: support for updating services 2026-03-11 14:08:09 -07:00
zim.ts feat: [wip] custom map and zim downloads 2025-12-02 08:25:09 -08:00