This release focuses on privacy and security hardening in a few key areas. It reduces the chance of sensitive data being exposed to third parties or client-side code.
Privacy and security updates
Pageview tracking now sends a sanitized URL to analytics providers. Only allowlisted marketing parameters (like UTMs and ref) are kept, helping prevent accidental capture of auth and OAuth-related query parameters.
Client-facing user lookups have been tightened to avoid returning encrypted credential fields. Public user responses now provide a safe shape for clients, including a boolean to indicate whether a key is present, without exposing encrypted values.
Third-party scripts loaded in the web app now include Subresource Integrity and anonymous cross-origin settings. This helps ensure that, if a third-party host is ever tampered with, the browser only executes the expected script content.
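The pageview URL sanitization described above can be sketched as follows. This is an added example, not the project's own code: the names ALLOWED_PARAMS and sanitizePageviewUrl, the base origin, and the exact parameter list are assumptions. Dropping the fragment and userinfo goes beyond what the release note states and is also an assumption.

```javascript
// Added example: allowlist-based URL sanitizer for pageview analytics.
// ALLOWED_PARAMS and sanitizePageviewUrl are hypothetical names.
const ALLOWED_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content", "ref",
]);

function sanitizePageviewUrl(rawUrl, base = "https://app.example.test") {
  let url;
  try {
    url = new URL(rawUrl, base);
  } catch {
    // Unparseable input: report nothing rather than forward the raw string.
    return null;
  }

  // Rebuild the query from scratch so unknown parameters (code, state,
  // token, session ids, ...) are dropped by default instead of by name.
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(name.toLowerCase())) {
      kept.append(name, value);
    }
  }
  url.search = kept.toString();

  // Assumption: fragments can carry tokens (for example #access_token=...),
  // and userinfo can carry credentials, so neither is sent to analytics.
  url.hash = "";
  url.username = "";
  url.password = "";

  return url.toString();
}

// Constructed sample: an OAuth callback URL that also carries marketing tags.
const sample =
  "https://app.example.test/auth/callback?code=abc123&state=xyz" +
  "&utm_source=newsletter&ref=partner#access_token=tok";
console.log(sanitizePageviewUrl(sample));
```

Because the query is rebuilt from the allowlist, a newly introduced sensitive parameter is excluded without any change to the sanitizer.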
Access control
The chat API now validates chat ownership with the authoritative source before returning chat data or initializing streaming state. This helps prevent unauthorized access when a chat ID is provided.