
Stronger session and data access protections

Security Backend Frontend

This release focuses on practical security hardening in a few high-impact areas. The changes help protect private data, reduce exposure in the browser, and limit what can be accessed cross-origin.

Security hardening

Stream access is now restricted to the stream's owner. Stream queries require an authenticated caller and verify that the caller owns the stream before returning message content or related details, so a private stream can no longer be read by anyone other than its owner.
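The check described above, as an added example that is not osschat's own code: every stream query goes through one authorization helper that first authenticates the caller and then verifies ownership. The in-memory store, the token-to-user lookup, the ids and the status codes are constructed for illustration.

```javascript
// Added example, not osschat's code. Constructed in-memory data standing in
// for the database; ids and tokens are made up.
const STREAMS = new Map([
  ["s-1", { ownerId: "u-alice", title: "planning", messages: ["hi", "meeting at 10"] }],
  ["s-2", { ownerId: "u-bob", title: "private", messages: ["private note"] }],
]);

// Hypothetical session lookup: bearer token -> user id.
const SESSIONS = new Map([
  ["tok-alice", "u-alice"],
  ["tok-bob", "u-bob"],
]);

// Single authorization helper shared by every stream query, so message
// content and related details cannot drift apart in what they check.
// Returns { userId, stream } on success or { status, body } on failure.
function authorizeStream(streamId, token) {
  const userId = SESSIONS.get(token);
  if (!userId) {
    return { status: 401, body: { error: "authentication required" } };
  }
  const stream = STREAMS.get(streamId);
  // Missing and not-owned streams get the same answer, so a caller cannot
  // probe which ids exist.
  if (!stream || stream.ownerId !== userId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { userId, stream };
}

// Message content: only reachable after authorizeStream succeeds.
function getStreamMessages(streamId, token) {
  const auth = authorizeStream(streamId, token);
  if (auth.status) return auth;
  return { status: 200, body: { id: streamId, messages: auth.stream.messages } };
}

// Related details (title, counts) use the very same check.
function getStreamMeta(streamId, token) {
  const auth = authorizeStream(streamId, token);
  if (auth.status) return auth;
  const { title, messages } = auth.stream;
  return { status: 200, body: { id: streamId, title, messageCount: messages.length } };
}
```

Routing both the content and the metadata query through `authorizeStream` is the point: an ownership check that lives in only one of several handlers is the usual way this class of bug comes back.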

Session tokens are no longer persisted in the browser. Tokens are held in memory instead of the browser's persistent storage (such as localStorage), so a script injected into the page cannot read a stored token later, and nothing survives once the tab is closed. The trade-off is that a session does not persist across page reloads; the server re-establishes it automatically. Note that a script running while the page is open can still act with the live session, so this change narrows the exposure window rather than eliminating the impact of script injection.
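An in-memory session store of the kind described above, as an added example that is not osschat's own code. The token lives only in a module variable; after a reload it is gone, and `restoreSession()` asks the server for a new one instead of reading anything from storage. The `refresh()` callback and its `{ ok, token }` result shape are assumptions; in a real client it would wrap a fetch to a refresh endpoint backed by an httpOnly cookie and would be awaited.

```javascript
// Added example, not osschat's code. The only place the token lives; a page
// reload resets it to null, nothing is written to localStorage/sessionStorage.
let accessToken = null;

function setSession(token) {
  accessToken = typeof token === "string" && token.length > 0 ? token : null;
  return accessToken !== null;
}

function getSession() {
  return accessToken;
}

function clearSession() {
  accessToken = null;
}

// Header for outgoing API calls; callers never handle the raw token.
function authHeaders() {
  return accessToken ? { Authorization: `Bearer ${accessToken}` } : {};
}

// After a reload accessToken is null. Instead of reading a stored token, ask
// the server to re-establish the session. refresh() is a hypothetical call
// returning { ok: boolean, token?: string }; any failure leaves the client
// logged out rather than half-authenticated.
function restoreSession(refresh) {
  if (accessToken) return accessToken;
  let result;
  try {
    result = refresh();
  } catch (_err) {
    result = null;
  }
  if (!result || !result.ok || typeof result.token !== "string" || result.token.length === 0) {
    accessToken = null;
    return null;
  }
  accessToken = result.token;
  return accessToken;
}
```

Keeping `accessToken` in module scope rather than on `window` or in a global object matters for the same reason as avoiding storage: the fewer places the value is reachable from, the less an injected script can do beyond riding the current page's requests.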

Chart styling now blocks CSS injection attempts. Chart style inputs are validated against an allowlist of CSS keys and accepted only when the value is a well-formed color; anything else is rejected rather than escaped, which blocks injected style rules while leaving valid theming unaffected.
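An allowlist-based chart style sanitizer of the kind described above, as an added example that is not osschat's own code. The set of accepted keys and the exact color grammar (hex, `rgb()`/`rgba()` with byte channels, a handful of named colors) are assumptions; the project's actual lists may differ. The point is the shape: keys and values are matched against a strict grammar and everything else is dropped, so `url(...)`, `var(...)`, `expression(...)`, semicolons and braces never reach a style attribute.

```javascript
// Added example, not osschat's code. Accepted keys are an assumption.
const ALLOWED_KEYS = new Set([
  "backgroundColor", "textColor", "gridColor", "lineColor", "accentColor",
]);

// Strict color grammar: #rgb, #rrggbb, #rrggbbaa, rgb()/rgba() with integer
// channels 0-255 and optional alpha 0..1, or a few named colors. Anything
// outside this grammar is rejected rather than escaped.
const HEX = /^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const RGB = /^rgba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(0|1|0?\.\d+)\s*)?\)$/i;
const NAMED = new Set(["white", "black", "red", "green", "blue", "gray", "transparent"]);

function isSafeColor(value) {
  if (typeof value !== "string" || value.length > 32) return false;
  const v = value.trim();
  if (HEX.test(v) || NAMED.has(v.toLowerCase())) return true;
  const m = RGB.exec(v);
  return m !== null && [m[1], m[2], m[3]].every((c) => Number(c) <= 255);
}

// Returns a new object containing only key/value pairs that pass both
// checks; unknown keys and malformed values are silently dropped.
function sanitizeChartStyle(input) {
  const out = {};
  if (!input || typeof input !== "object") return out;
  for (const [key, value] of Object.entries(input)) {
    if (ALLOWED_KEYS.has(key) && isSafeColor(value)) out[key] = value.trim();
  }
  return out;
}

// Serialize the sanitized object to inline style text. Because every key
// and value has already passed the grammar, no escaping is needed here.
function toStyleText(style) {
  const cssName = (k) => k.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
  return Object.entries(sanitizeChartStyle(style))
    .map(([k, v]) => `${cssName(k)}: ${v}`)
    .join("; ");
}
```

Rejecting instead of escaping is deliberate: there is no reliable escaping for a value that will be interpreted as CSS, so the only safe input is one that matches a grammar you fully understand.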

Public stats CORS is no longer wide open. The /stats endpoint no longer sends Access-Control-Allow-Origin: * for every request; it now sets cross-origin access only when the request's Origin is on the configured allowlist. This reduces cross-origin exposure while keeping the endpoint focused on aggregate, non-sensitive stats.
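Per-origin CORS handling of the kind described above, as an added example that is not osschat's own code. The allowlist, the framework-independent request/response shape and the aggregate payload are assumptions. The weak setting being replaced is a fixed `Access-Control-Allow-Origin: *`; the corrected form echoes the request's Origin only when it matches the allowlist exactly, and adds `Vary: Origin` so a shared cache cannot hand one origin's header to another.

```javascript
// Added example, not osschat's code. Allowlist is an assumption.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://dashboard.example.com",
]);

// Weak setting for comparison: every caller gets the wildcard.
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Corrected setting: headers only for an exact allowlist match. The origin
// is compared as a full string, never by suffix or regex, so
// https://app.example.com.attacker.net does not qualify.
function corsHeadersFor(origin) {
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin",
    "Access-Control-Allow-Methods": "GET",
  };
}

// Handler shape for GET /stats: req.headers.origin is the browser-sent
// Origin header. The payload is a constructed aggregate with no per-user data.
function handleStats(req) {
  const headers = {
    "Content-Type": "application/json",
    ...corsHeadersFor(req && req.headers ? req.headers.origin : undefined),
  };
  const body = JSON.stringify({ users: 1234, messages: 56789 });
  return { status: 200, headers, body };
}
```

The endpoint still answers a disallowed origin with 200 and the JSON body; CORS is enforced by the browser, which withholds the response from the calling script when the header is absent. That is why this change limits what a page on another origin can read, not what a non-browser client can fetch, and why the data behind it must stay aggregate.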