
v3.6.1 - Security Hardening


@brdweb brdweb released this 14 Jan 12:15
· 49 commits to main since this release

Security Improvements

  • Enhanced CSP Headers - Added frame-ancestors, form-action, base-uri, object-src directives to prevent clickjacking, form hijacking, and plugin-based attacks
  • Rate Limiting - Added rate limiting to all bills, payments, shares, and user search endpoints (60/min for reads, 30/min for writes, 20/min for sensitive operations)
  • iOS Keychain Security - JWT tokens now use WHEN_UNLOCKED_THIS_DEVICE_ONLY to prevent backup/migration to new devices
  • Timing-Safe Token Comparison - Email verification tokens now use secrets.compare_digest() to prevent timing attacks
  • SQL LIKE Wildcard Escaping - User search endpoints now escape the LIKE wildcards (%, _, \) so that user input is matched literally instead of as a pattern (for example, a search for "%" no longer returns every user). This complements, rather than replaces, parameterised queries, which remain the defence against SQL injection proper
  • Mobile Logging Security - Sensitive data logging wrapped in __DEV__ guards to prevent token exposure in production
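
The wildcard-escaping change is easiest to see with a query that is already parameterised: the bind parameter stops SQL injection, but `%` and `_` inside the bound value still act as pattern characters, so a search term of `%` returns every user and `_` matches any single character. The following is an added example, not the project's code; the `users` table, its rows and the `escape_like` helper are constructed for illustration, and the `ESCAPE` clause syntax shown is SQLite's.

```python
import sqlite3

# Constructed sample rows for this example (not the project's schema).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("ann_lee", "ann@example.com"),
    ("100%real", "real@example.com"),
]


def escape_like(term: str, escape: str = "\\") -> str:
    """Escape the LIKE metacharacters so the term is matched literally.

    The escape character itself is escaped first: otherwise a user-supplied
    trailing backslash would swallow the escape of the wildcard that follows it.
    """
    return (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def _connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def search_unescaped(term: str) -> list:
    """Parameterised (no SQL injection), but the wildcards still take effect."""
    conn = _connect()
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?",
        ("%" + term + "%",),
    ).fetchall()
    return [r[0] for r in rows]


def search_escaped(term: str) -> list:
    """Parameterised and escaped: the term matches only as a literal substring."""
    conn = _connect()
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        ("%" + escape_like(term) + "%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("unescaped '%':", search_unescaped("%"))   # every user
    print("escaped   '%':", search_escaped("%"))     # only '100%real'
    print("unescaped '_':", search_unescaped("_"))   # every user
    print("escaped   '_':", search_escaped("_"))     # only 'ann_lee'
```

SQLite has no default escape character, so the `ESCAPE` clause is mandatory there; MySQL and PostgreSQL default to the backslash, but stating `ESCAPE` explicitly keeps the query portable and makes the escaping contract visible in the SQL itself.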

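The three per-minute budgets listed above (60 reads, 30 writes, 20 sensitive operations), applied by a sliding-window limiter. This is an added example rather than the project's implementation, which the notes do not describe: keying by (client, tier), the 60-second window, the injectable clock and the `FakeClock` helper are all assumptions of this example.

```python
import time
from collections import defaultdict, deque

# Per-minute budgets quoted in the release notes. Which routes fall into
# which tier is not listed there, so tier assignment is left to the caller.
LIMITS = {"read": 60, "write": 30, "sensitive": 20}


class SlidingWindowLimiter:
    """Sliding-window log limiter keyed by (client, tier).

    For every key it keeps the timestamps of accepted requests within the
    last `window` seconds; a request is admitted only while that count is
    below the tier's budget. The clock is injectable (an assumption of this
    example) so the behaviour can be exercised deterministically.
    """

    def __init__(self, limits=LIMITS, window=60.0, clock=time.monotonic):
        self.limits = dict(limits)
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def _prune(self, key, now):
        q = self._hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow(self, client: str, tier: str) -> bool:
        """Admit and record the request, or reject it without recording it.

        Rejected requests are deliberately not counted, so a throttled client
        cannot extend its own lockout by retrying.
        """
        now = self.clock()
        q = self._prune((client, tier), now)
        if len(q) >= self.limits[tier]:
            return False
        q.append(now)
        return True

    def retry_after(self, client: str, tier: str) -> float:
        """Seconds until the oldest counted request leaves the window.

        Suitable for a Retry-After header; 0.0 while the client is under budget.
        """
        now = self.clock()
        q = self._prune((client, tier), now)
        if len(q) < self.limits[tier]:
            return 0.0
        return q[0] + self.window - now


class FakeClock:
    """Manually advanced clock used to drive the example deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Exhaust the sensitive-operation budget, then wait out the window."""
    clock = FakeClock(1000.0)
    limiter = SlidingWindowLimiter(clock=clock)
    client = "203.0.113.7"  # constructed client key
    verdicts = [limiter.allow(client, "sensitive") for _ in range(25)]
    accepted = verdicts.count(True)                  # 20: the sensitive budget
    wait = limiter.retry_after(client, "sensitive")  # 60.0 seconds
    clock.advance(wait)
    recovered = limiter.allow(client, "sensitive")   # admitted again
    return accepted, wait, recovered


if __name__ == "__main__":
    print(demo())
```

In a multi-process deployment the per-key request log has to live in shared storage (a sorted set per key in Redis is the usual choice) rather than in process memory, and the client key should be the authenticated user id where one exists, falling back to the source address only for unauthenticated routes.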
Other Changes

  • Structured Logging - New environment-based logging configuration with JSON format support for production
  • Database Performance - Fixed N+1 query patterns and added indexes
  • Mobile UI - Improved payment history and stats screens

Upgrade Notes

This is a security-focused release. No database migrations required. Simply update to the latest version to benefit from the security improvements.

Full Changelog: v3.6.0...v3.6.1