derekc
f6cc7a606e
- Lock down CORS to ALLOWED_ORIGINS env var (was wildcard) - Fix admin panel XSS: use data-username attributes instead of interpolating usernames into onclick handlers - Add rate limiting to /api/auth/register (3r/m) and /api/admin/* (10r/m); set limit_req_status 429 - Add Content-Security-Policy header restricting scripts to self and cdn.jsdelivr.net - Add Subresource Integrity hash to Chart.js CDN script tag Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3.7 KiB
3.7 KiB