This release focuses on security hardening across a few key areas, with changes designed to reduce unintended data exposure and make the app safer by default.
Security updates
Streamed message data is now protected with authentication and ownership checks. This helps prevent someone from accessing another user’s private stream content by guessing or reusing an ID.
Chart styling is now sanitized to block CSS injection attempts. Invalid CSS keys or color values are rejected, reducing the risk of malicious styles being injected into the page.
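As an added illustration of the kind of check described above (this is example code, not the app's own implementation), the following sanitizer accepts only an allowlisted set of chart style keys and only values that match a strict color or number format; the property names, accepted formats and ranges are assumptions for illustration.

```javascript
// Added example, not the project's code. Allowlist-based sanitizer for a
// user-supplied chart style object: unknown keys and malformed values are
// dropped and reported instead of being passed through to the page.

// Accepted color formats (assumed): #rgb/#rrggbb/#rrggbbaa hex, rgb()/rgba()
// with numeric arguments, or a plain letters-only named color. Anything with
// punctuation such as ';', '(' or 'url' never matches, so it is rejected.
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB_COLOR = /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/;
const NAMED_COLOR = /^[a-z]{3,20}$/i;

function isValidColor(value) {
  return typeof value === 'string' &&
    (HEX_COLOR.test(value) || RGB_COLOR.test(value) || NAMED_COLOR.test(value));
}

// Numeric properties must be finite and inside a bounded range.
function isValidNumber(value, min, max) {
  return typeof value === 'number' && Number.isFinite(value) && value >= min && value <= max;
}

// The allowlist: a key is accepted only if it appears here AND its validator passes.
const VALIDATORS = {
  color: isValidColor,
  backgroundColor: isValidColor,
  borderColor: isValidColor,
  borderWidth: (v) => isValidNumber(v, 0, 20),
  opacity: (v) => isValidNumber(v, 0, 1),
};

// Returns { style, rejected }: `style` holds only keys that passed, `rejected`
// lists everything dropped so it can be logged server-side.
function sanitizeChartStyle(input) {
  const style = {};
  const rejected = [];
  if (input === null || typeof input !== 'object') return { style, rejected: ['<non-object>'] };
  for (const [key, value] of Object.entries(input)) {
    // hasOwnProperty, not VALIDATORS[key]: inherited names such as
    // "constructor" must not be treated as allowlisted validators.
    const allowed = Object.prototype.hasOwnProperty.call(VALIDATORS, key);
    if (!allowed || !VALIDATORS[key](value)) { rejected.push(key); continue; }
    style[key] = value;
  }
  return { style, rejected };
}

// Constructed sample input: two valid entries, one unknown key, one non-color value.
const sample = { color: '#ff0000', opacity: 0.5, position: 'absolute', backgroundColor: 'url(x)' };
console.log(sanitizeChartStyle(sample));
```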
The public /stats endpoint no longer uses a wildcard cross-origin policy. It now only allows requests from approved origins, limiting which sites can read those stats.
Session handling changes
Session data is now held in memory instead of being persisted in browser storage. This limits the exposure of session tokens if an XSS issue occurs; after a page reload, the server re-establishes the session automatically.