This release focuses on keeping sensitive data out of places it does not belong, while adding stronger safeguards around what gets shared to third parties.
Privacy and security updates
Pageview analytics now send a sanitized URL instead of the full address. This helps prevent sensitive query parameters from being captured while still preserving common marketing attribution parameters (like UTMs and ref).
Client-facing user lookups have been tightened to avoid returning encrypted fields. You can still tell whether a user has a key configured via a simple boolean flag, without exposing encrypted values in the response.
Third-party scripts loaded by the app now include Subresource Integrity and anonymous cross-origin settings. This adds an extra check so only the expected script contents run, reducing risk if an external script source is tampered with.
Access and authorization
The chat API now validates chat ownership through the authoritative source before returning chat data or starting a streaming session. This helps ensure chat access is limited to the correct user.