Claude 3ddbe731a5 security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal ... - CORS: restrict origin from wildcard '*' to app URL from env (prevents cross-origin requests from arbitrary sites) - Sessions: enable @adonisjs/session with cookie store and httpOnly/secure cookie flags; uncomment session middleware in kernel.ts - CSRF: enable shield CSRF protection (requires sessions); uses XSRF-TOKEN cookie mechanism compatible with Inertia.js/Axios; exempts /api/health and SSE transmit endpoints - CSP: enable Content Security Policy with restrictive directives (no object-src, no frame-src, self-only script/style/connect/font) - HSTS: enable HTTP Strict Transport Security in production only - Path traversal: tighten filenameParamValidator to block /, \, .., and shell special characters; reduce max length from 4096 to 255 - env: add URL to .env.example; uncomment SESSION_DRIVER validation in env.ts https://claude.ai/code/session_01WfRC4tDeYprykhMrg4PxX6		2026-03-22 21:11:18 +00:00
..
controllers	fix(downloads): allow users to dismiss failed downloads	2026-03-20 11:46:10 -07:00
exceptions	fix(Docs): documentation renderer fixes	2025-12-23 16:00:33 -08:00
jobs	fix: prevent embedding retry storm when Ollama is not installed	2026-03-20 11:46:10 -07:00
middleware	feat: background job overhaul with bullmq	2025-12-06 23:59:01 -08:00
models	feat: support for updating services	2026-03-11 14:08:09 -07:00
services	fix(disk): correct storage display by fixing device matching and dedup mount entries	2026-03-20 11:46:10 -07:00
utils	fix(disk): correct storage display by fixing device matching and dedup mount entries	2026-03-20 11:46:10 -07:00
validators	security: fix CORS, CSRF, CSP, HSTS, sessions, and path traversal	2026-03-22 21:11:18 +00:00