 root
|
4d8d22f40a
|
Security: admin radio routes now require auth+admin.security, CORS default no longer wildcard, README security section
|
2026-06-04 20:46:07 +02:00 |
|
|
root
|
b2bb1811d0
|
Medium priority fixes: CORS from env, shared HasRadioSettings trait, lazy RconService, validated() fixes, LogoGenerator hardening, DB indexes, user profile consistency, radio rank N+1 fix
|
2026-06-04 20:05:36 +02:00 |
|
|
root
|
1f04979ffe
|
Remove all auto-update functionality (commands, services, widgets, blades, translations)
|
2026-06-03 22:54:39 +02:00 |
|
|
root
|
e34300a8a1
|
Add /client/* to CORS paths
|
2026-05-26 19:15:50 +02:00 |
|
|
root
|
e754858c84
|
Remove nonexistent PHP 8.5 constraint, restrict CORS allowed_headers
|
2026-05-26 17:08:31 +02:00 |
|
|
root
|
7f59024bef
|
fix(security): patch critical security vulnerabilities
- Remove User::$guarded = [] to prevent mass assignment attacks
- Enable SQL strict mode and disable emulated prepares (SQL injection prevention)
- Switch password hashing from bcrypt to argon2id (stronger algorithm)
- Enable session encryption to protect session data at rest
- Restrict TrustProxies to localhost only (prevent IP spoofing)
- Restrict CORS allowed_methods via env variable instead of wildcard
- Add PayPal amount mismatch detection to prevent payment manipulation
- Add double-capture prevention (idempotency check)
- Add expected_amount column to transactions table for verification
|
2026-05-19 19:37:15 +02:00 |
|
|
root
|
9d73f82529
|
Initial commit
|
2026-05-09 17:32:17 +02:00 |
|