Focus
Harden account entry and abuse-facing behavior (headers, sessions, login UX) without new infrastructure.
Added
- Optional PHP security headers — Site setting
security_headers_mode:off(default),recommended, orstrict(includes a CSP aligned with this app, including the Activity chart CDN). Documented in the README; copy-paste examples inexamples/nginx-security-headers.confandexamples/apache-security-headers.conf. DATADOCK_SECURITY_HEADERS— Runtime override:off|recommended|strict(seeincludes/settings_loader.php).- “Remember this device” (login) — Optional longer session cookie only (no separate remember-me token store). Still subject to idle timeout. Configurable under Admin → Site Settings (
remember_device.enabled,cookie_days). - Idle session expiry UX — After idle timeout, redirect to login with a clear in-page notice (
login.php?reason=idle).
Fixed
- Session cookie options — Session now starts after
session_set_cookie_params(), sohttponly,secure,SameSite, and cookie lifetime from settings apply as intended.
Improved
- Session hardening — Strict mode, cookies-only sessions, HTTPS /
X-Forwarded-Protofor secure cookies,session_regenerate_id(true)on successful login and registration, andsession.gc_maxlifetimecoordinated with remember-device windows.
Upgrade note
Existing config/settings.php files work without edits; new keys appear after saving Site Settings once or merging from config/settings.php.example. Full notes: CHANGELOG.md.