posimai-root

Commit Graph

Author	SHA1	Message	Date
posimai	9e6a2987ed	fix: security hardening - XSS, SSRF, proxy auth, Syncthing config - server.js: add escapeHtml() and apply to meta.title / error messages (XSS) - server.js: add startup error log when JWT_SECRET uses insecure default - posimai-dev/server.js: add URL validation to /api/check to block SSRF (blocks cloud metadata IPs, non-http/https protocols) - ponshu_room_lite/tools/proxy/server.js: remove auth bypass when PROXY_AUTH_TOKEN is unset; server now exits on startup if token missing - .gitignore: add .sync-conflict- to prevent Syncthing conflict files - .stignore: create Syncthing ignore file to exclude .git, node_modules, .env from sync (fixes root cause of .git directory sync-conflict files) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-03 08:15:45 +09:00

Author

SHA1

Message

Date

posimai

9e6a2987ed

fix: security hardening - XSS, SSRF, proxy auth, Syncthing config

- server.js: add escapeHtml() and apply to meta.title / error messages (XSS)
- server.js: add startup error log when JWT_SECRET uses insecure default
- posimai-dev/server.js: add URL validation to /api/check to block SSRF
  (blocks cloud metadata IPs, non-http/https protocols)
- ponshu_room_lite/tools/proxy/server.js: remove auth bypass when
  PROXY_AUTH_TOKEN is unset; server now exits on startup if token missing
- .gitignore: add *.sync-conflict-* to prevent Syncthing conflict files
- .stignore: create Syncthing ignore file to exclude .git, node_modules,
  .env from sync (fixes root cause of .git directory sync-conflict files)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-04-03 08:15:45 +09:00

1 Commits