Skip to content

v2.5.0 — Edge security & abuse control

Latest

Choose a tag to compare

@ZacharyKeatings ZacharyKeatings released this 22 Apr 00:53
4e9dc93

Focus

Harden account entry and abuse-facing behavior (headers, sessions, login UX) without new infrastructure.

Added

  • Optional PHP security headers — Site setting security_headers_mode: off (default), recommended, or strict (includes a CSP aligned with this app, including the Activity chart CDN). Documented in the README; copy-paste examples in examples/nginx-security-headers.conf and examples/apache-security-headers.conf.
  • DATADOCK_SECURITY_HEADERS — Runtime override: off | recommended | strict (see includes/settings_loader.php).
  • “Remember this device” (login) — Optional longer session cookie only (no separate remember-me token store). Still subject to idle timeout. Configurable under Admin → Site Settings (remember_device.enabled, cookie_days).
  • Idle session expiry UX — After idle timeout, redirect to login with a clear in-page notice (login.php?reason=idle).

Fixed

  • Session cookie options — Session now starts after session_set_cookie_params(), so httponly, secure, SameSite, and cookie lifetime from settings apply as intended.

Improved

  • Session hardening — Strict mode, cookies-only sessions, HTTPS / X-Forwarded-Proto for secure cookies, session_regenerate_id(true) on successful login and registration, and session.gc_maxlifetime coordinated with remember-device windows.

Upgrade note

Existing config/settings.php files work without edits; new keys appear after saving Site Settings once or merging from config/settings.php.example. Full notes: CHANGELOG.md.