This release focuses on security hardening for attachments and trusted cross-origin requests. These changes help prevent unauthorized file access and reduce the risk of malicious requests in production.
Security updates
Attachment handling is now stricter to prevent insecure direct object reference (IDOR) issues. The app verifies that each attachment belongs to the signed-in user before accepting it or generating a signed download URL.
If an attachment is not owned by the requesting user, its URL is no longer generated and will return as null. This helps protect private files even if someone guesses or reuses a storage identifier.
To reduce abuse, messages are now limited to a maximum of 20 attachments.
Trusted origins in production
Production no longer includes localhost as an allowed origin for trusted requests. This lowers exposure to CSRF-like attacks that could originate from malicious local applications while keeping localhost support available outside production.