Trek_CN/server
Claude 804c2586a9
fix: tighten CSP, fix API key exposure, improve error handling
- Remove 'unsafe-inline' from script-src CSP directive
- Restrict connectSrc and imgSrc to known external domains
- Move Google API key from URL query parameter to X-Goog-Api-Key header
- Sanitize error logging in production (no stack traces)
- Log file link errors instead of silently swallowing them

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
2026-03-31 00:33:56 +00:00
..
src fix: tighten CSP, fix API key exposure, improve error handling 2026-03-31 00:33:56 +00:00
.env.example harden runtime config and automate first-run permissions 2026-03-30 13:19:01 -03:00
package-lock.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
package.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00