This release focuses on security hardening across key areas of the product, with changes designed to reduce unintended data access and injection risk.
Security updates
Streaming content is now protected with stricter access checks. Stream data is returned only after the signed-in user has been verified as the owner, and the check runs before the first chunk is sent, which prevents unauthorized access to private message content and reasoning.
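The following is an added example, not the product's own code, of the ownership check described above: the stream is looked up only through the signed-in user, and a foreign id gets the same result as a missing one. The store layout, the ids, the session object shape and the AuthorizationError type are assumptions made for the example.

```javascript
// Added example (not the product's own code): authorize a stream read by
// verifying that the signed-in user owns the conversation before any data
// is returned. Store shape, ids and the error type are assumptions.

// Constructed sample data: two users, one conversation each.
const conversations = new Map([
  ["conv-1", { ownerId: "user-A", stream: ["Hello", " world"], reasoning: ["step-1"] }],
  ["conv-2", { ownerId: "user-B", stream: ["Secret"], reasoning: ["step-2"] }],
]);

class AuthorizationError extends Error {
  constructor(msg) { super(msg); this.name = "AuthorizationError"; }
}

// Vulnerable "before" shape: looks up by id only, so any signed-in user who
// guesses or enumerates a conversation id receives its stream (an IDOR).
function getStreamUnchecked(conversationId) {
  const conv = conversations.get(conversationId);
  return conv ? conv.stream : null;
}

// Hardened: require an authenticated session and compare the owner id.
// Missing and foreign conversations both return null so the response does
// not confirm that someone else's conversation id exists.
function getStreamForUser(session, conversationId) {
  if (!session || !session.userId) {
    throw new AuthorizationError("sign-in required");
  }
  const conv = conversations.get(conversationId);
  if (!conv || conv.ownerId !== session.userId) {
    return null;
  }
  return { stream: conv.stream, reasoning: conv.reasoning };
}

// The check must run before the first chunk is emitted: once a streaming
// response has started, a later failure cannot retract data already sent.
function* streamChunks(session, conversationId) {
  const authorized = getStreamForUser(session, conversationId);
  if (!authorized) return;
  for (const chunk of authorized.stream) yield chunk;
}
```

A real handler would resolve `session` from the request's authenticated identity (never from a user-supplied id) and would write the 403/404 response before touching the stream body.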
Chart styling is now safer against CSS injection. Inputs used to generate chart styles are sanitized, and style rendering no longer relies on unsafe HTML injection patterns.
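As an added example, not the product's own code, the block below contrasts the unsafe pattern (interpolating a raw value into a style tag) with validation of each style input against a strict allowlist before it is serialized. The input shape, the property names and the accepted colour forms are assumptions.

```javascript
// Added example (not the product's own code): validate user-controlled chart
// style inputs before they reach a stylesheet. The input shape, property
// names and accepted colour forms are assumptions for the example.

// Unsafe "before" shape: the raw value lands inside a <style> block. A value
// such as "red} body{background:url(https://attacker.example/x)" closes the
// rule and injects arbitrary CSS (exfiltration via url(), overlays, etc.).
function unsafeStyleTag(seriesId, color) {
  return `<style>.series-${seriesId}{stroke:${color}}</style>`;
}

// Strict forms: hex, rgb()/rgba() with numeric components, or a short
// allowlist of named colours. None of these can contain "}", ";" or "<".
const HEX_COLOR = /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB_COLOR = /^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/;
const NAMED_COLORS = new Set(["red", "green", "blue", "black", "white", "gray", "orange", "purple"]);

function sanitizeColor(value, fallback = "#000000") {
  if (typeof value !== "string") return fallback;
  const v = value.trim();
  if (HEX_COLOR.test(v) || RGB_COLOR.test(v) || NAMED_COLORS.has(v.toLowerCase())) return v;
  return fallback;
}

// Numeric lengths: parse, bound, and fall back rather than pass through.
function sanitizeLength(value, { min = 0, max = 50, fallback = 1 } = {}) {
  const n = Number(value);
  if (!Number.isFinite(n) || n < min || n > max) return fallback;
  return n;
}

// Selector fragments get the same treatment; anything outside [A-Za-z0-9_-]
// is rejected outright rather than escaped.
function sanitizeSeriesId(value) {
  return /^[A-Za-z0-9_-]{1,32}$/.test(String(value)) ? String(value) : null;
}

// Build property/value pairs that contain only validated tokens.
function safeSeriesStyle(series) {
  const id = sanitizeSeriesId(series.id);
  if (id === null) return null;
  return {
    selector: `.series-${id}`,
    declarations: [
      ["stroke", sanitizeColor(series.color)],
      ["stroke-width", `${sanitizeLength(series.width)}px`],
    ],
  };
}

// Serialize to CSS text. Because every value was validated, the text cannot
// break out of its rule. In a browser the same pairs can be applied with
// element.style.setProperty(prop, value), avoiding string-built markup.
function toCssText(style) {
  return `${style.selector}{${style.declarations.map(([p, v]) => `${p}:${v}`).join(";")}}`;
}
```

The key design choice is allowlisting: rejecting anything that does not match a known-good grammar is far easier to get right than trying to escape CSS metacharacters in an arbitrary string.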
The public /stats endpoint now uses restricted CORS behavior. Instead of allowing any origin (Access-Control-Allow-Origin: *), it sets the cross-origin access header only when the request's Origin is on an allowlist, reducing cross-site exposure of aggregate stats.
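The block below is an added example, not the product's own code, of the allowlist behaviour: the response echoes the request Origin only on an exact match and otherwise carries no CORS header, so the browser blocks the cross-site read. The origin list and the header set are assumptions.

```javascript
// Added example (not the product's own code): compute CORS headers for a
// public aggregate endpoint from an explicit origin allowlist. The origins
// and the header set are assumptions for the example.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// "Before" shape: every origin may read the response cross-site.
function permissiveCorsHeaders() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened: echo the request Origin only if it is on the allowlist, by
// exact string comparison. Substring or suffix checks are a classic bug:
// "https://app.example.com.attacker.net" ends with "example.com".
// When the origin is not allowed, no CORS header is emitted at all.
// Vary: Origin is always set so a shared cache never serves one origin's
// header to a different origin.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders["origin"];
  const headers = { "Vary": "Origin" };
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Assemble the full response for a GET /stats. The body is public aggregate
// data, so credentials are neither required nor allowed; never combine
// Access-Control-Allow-Credentials with a reflected origin on such a route.
function statsResponse(requestHeaders, stats) {
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...corsHeadersFor(requestHeaders) },
    body: JSON.stringify(stats),
  };
}
```

Note that `Origin: null` (sent by sandboxed iframes and some redirects) must never be allowlisted; with the exact-match set above it is rejected like any other unknown value.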
Account session handling
Session token handling has been updated to reduce the risk of token theft through XSS. The session token is no longer written to browser storage, where any script running on the page could read it. As a result the in-page token does not survive a page reload, but the session is re-established automatically from server-managed cookies.