Xe Iaso
272a2a3673
docs: update CHANGELOG
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-20 16:23:40 +00:00
Xe Iaso
7b63d09e52
fix(lib): ensure issued challenges don't get double-spent
...
Closes #1002
TL;DR: challenge IDs were not validated at time of token issuance. A
dedicated attacker could solve a challenge once and reuse it across
multiple sessons in order to mint additional tokens.
With the advent of store based challenge issuance in #749 , this means
that these challenge IDs are only good for 30 minutes. Websites using
the most recent version of Anubis have limited exposure to this problem.
Websites using older versions of Anubis have a much more increased
exposure to this problem and are encouraged to keep this software
updated as often and as frequently as possible.
2025-08-20 16:02:15 +00:00
Xe Iaso
e8dfff6350
feat(blog): add short funding update post ( #994 )
...
* feat(blog): add short funding update post
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-18 08:42:27 -04:00
Dryusdan
237a6a98e2
Bump ai.robots.txt to v1.39 ( #982 )
2025-08-18 06:52:23 -04:00
Xe Iaso
e43999f30c
chore: add libreapay
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-16 03:01:59 +00:00
Martin
29d038835f
feat(web): Add option for customizable explanation text ( #747 )
...
* Add option for customizable explanation text
* Add changes to CHANGELOG.md
* Replace custom explanation text in favor of static simplified text
Also includes translations for the simple_explanation using Google
Translate as a placeholder so tests pass.
---------
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol >
Co-authored-by: Xe Iaso <xe.iaso@techaro.lol >
2025-08-14 11:12:55 -04:00
Xe Iaso
39215457e4
fix(locales): remove the word "hack" from the description of Anubis ( #973 )
...
This was causing confusion and less technical users were thinking that
websites had been intruded upon, causing them to send me horrible things
over email.
All non-English strings were amended using Google Translate. Please fix
the localization as appropriate.
2025-08-14 01:15:28 +00:00
Martin
ff691dfee8
feat(lib): Add optional restrictions for JWT based on a specific header value ( #697 )
...
* Add JWTRestrictionHeader funktionality
* Add JWTRestrictionHeader to docs
* Move JWT_RESTRICTION_HEADER from advanced section to normal one
* Add rull request URL to Changelog
* Set default value of JWT_RESTRICTION_HEADER to X-Real-IP
2025-08-13 23:27:42 +00:00
Mathieu Lu
83503525f2
Update known-instances.md: add lab.civicrm.org ( #971 )
...
Signed-off-by: Mathieu Lu <mathieu@civicrm.org >
2025-08-13 19:32:29 +00:00
phoval
a8b7b2ad7b
feat: support HTTP redirect for forward authentication middleware in Traefik ( #368 )
...
* feat: support HTTP redirect for forward authentication middleware in Traefik
* fix(docs): fix my terrible merge
Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com >
* chore: fix typo in docs
Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com >
* fix(ci): add forwardauth
Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com >
* chore: improve doc, target must be a space
* chore: changelog
* fix: validate X-Forwarded headers and check redirect domain
* chore: refactor error handling
* fix(doc): cookie traefik
* fix: tests merge
* Update docs/docs/admin/environments/traefik.mdx
Co-authored-by: Henri Vasserman <henv@hot.ee >
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Jason Cameron <git@jasoncameron.dev >
Signed-off-by: Jason Cameron <jasoncameron.all@gmail.com >
Signed-off-by: Xe Iaso <me@xeiaso.net >
Co-authored-by: Jason Cameron <git@jasoncameron.dev >
Co-authored-by: Jason Cameron <jasoncameron.all@gmail.com >
Co-authored-by: Xe Iaso <me@xeiaso.net >
Co-authored-by: Henri Vasserman <henv@hot.ee >
2025-08-12 20:59:45 -04:00
Elliot Speck
87651f9506
default pattern fixes ( #963 )
...
* feat(checker): allow png/gif/jpg/jpeg/svg favicons as well as ico
* changelog: add updates to keep-internet-working.yaml
* fix(checker): tighten default regex patterns for well-known files
* changelog: add updates to regular expression patterns in keep-internet-working.yaml
---------
Signed-off-by: Elliot Speck <11192354+arcayr@users.noreply.github.com >
2025-08-09 07:40:33 -04:00
Elliot Speck
100005ce70
feat(checker): allow png/gif/jpg/jpeg/svg favicons as well as ico ( #961 )
...
* feat(checker): allow png/gif/jpg/jpeg/svg favicons as well as ico
* changelog: add updates to keep-internet-working.yaml
---------
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol >
Co-authored-by: Xe Iaso <xe.iaso@techaro.lol >
2025-08-08 16:53:23 +00:00
Medvidek77
0a68415c2e
fix(localization): Improve Czech language translation ( #895 )
...
* fix(localization): Improve Czech language translation
Improved naturalness and flow of several phrases. Corrected typos and punctuation. Completed one previously unfinished sentence.
Signed-off-by: Medvidek77 <medvidek77@centrum.cz >
* Update cs.json
Signed-off-by: Medvidek77 <medvidek77@centrum.cz >
---------
Signed-off-by: Medvidek77 <medvidek77@centrum.cz >
2025-08-08 12:50:23 -04:00
SecularSteve
b3886752a1
Added Dutch translation ( #937 )
...
* Added Dutch translation
Signed-off-by: SecularSteve <33793273+SecularSteve@users.noreply.github.com >
* Added Dutch translation
Signed-off-by: SecularSteve <33793273+SecularSteve@users.noreply.github.com >
* Added Dutch translation
Signed-off-by: SecularSteve <33793273+SecularSteve@users.noreply.github.com >
* Update lib/localization/locales/nl.json
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: SecularSteve <33793273+SecularSteve@users.noreply.github.com >
Signed-off-by: Xe Iaso <me@xeiaso.net >
Co-authored-by: Xe Iaso <me@xeiaso.net >
2025-08-08 12:49:49 -04:00
Sunniva Løvstad
0e9f831201
chore: fix capitalisation in bokmål and nynorsk ( #959 )
2025-08-08 12:48:07 -04:00
Xe Iaso
22ee227f20
fix(anubis): use global cookie prefix variable
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-07 13:51:18 +00:00
Jason Cameron
adda60c163
Revert "build(deps): bump the github-actions group with 2 updates ( #952 )" ( #962 )
2025-08-06 03:01:25 +00:00
dependabot[bot]
e0a15bf4dc
build(deps): bump the github-actions group with 2 updates ( #952 )
...
Co-authored-by: Jason Cameron <git@jasoncameron.dev >
2025-08-05 22:45:07 -04:00
Xe Iaso
f6481b81a2
fix(web): embed challenge ID in pass-challenge invocations ( #944 )
...
* refactor: make challenge pages return the challenge component
This means that challenge pages will return only the little bit that
actually matters, not the entire component.
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(web): move Anubis version info to be implicitly in the footer
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(web): embed challenge ID into generated pages
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(lib): make tests pass
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(lib/policy/config): amend tests
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(lib): fix tests again
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol >
2025-08-04 18:49:19 +00:00
Xe Iaso
790bcbe773
fix(internal): silence unsolicited response log lines ( #950 )
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-03 19:08:23 +00:00
Xe Iaso
7c80c23e90
docs: remove JSON examples from policy file docs ( #945 )
...
* docs: remove JSON examples from policy file docs
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(lib): remove mentions of botPolicies.json in the tests
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: update link to challenge methods
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: unbreak links to the challenges category
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-03 18:09:26 +00:00
axell
2d8e942377
Add swedish local ( #913 )
...
* add swedish local
* added to changelog
* add to TestLocalizationService
* build(deps): bump brace-expansion from 1.1.11 to 1.1.12 in /docs (#909 )
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion ) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases )
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12 )
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.12
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* add local (signed this time hopefully)
* Update sv.json
Co-authored-by: David Marby <david@dmarby.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
Co-authored-by: David Marby <david@dmarby.se >
Signed-off-by: axel <mail@axell.me >
* Update localization_test.go
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
Signed-off-by: axel <mail@axell.me >
* Update sv.json
---------
Signed-off-by: dependabot[bot] <support@github.com >
Signed-off-by: axel <mail@axell.me >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: David Marby <david@dmarby.se >
Co-authored-by: Jonathan Herlin <Jonte@jherlin.se >
2025-08-02 22:17:31 -04:00
Xe Iaso
d5f01dbdb9
fix(web/sha256-browserjs): fix function name ( #943 )
...
* fix(web/sha256-browserjs): fix function name
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: update changelog
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-08-02 16:05:48 +00:00
lillian-b
70bf58cc63
Add HackLab.TO to known instances ( #936 )
...
* Add HackLab.TO to known instances
Signed-off-by: lillian-b <146143737+lillian-b@users.noreply.github.com >
* fix?
Signed-off-by: lillian-b <146143737+lillian-b@users.noreply.github.com >
---------
Signed-off-by: lillian-b <146143737+lillian-b@users.noreply.github.com >
2025-08-02 15:30:34 +00:00
Xe Iaso
0dccf2e009
refactor(web): redo proof of work web worker logic ( #941 )
...
* chore(web/js): delete proof-of-work-slow.mjs
This code has served its purpose and now needs to be retired to the
great beyond. There is no replacement for this, the fast implementation
will be used instead.
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore(web): handle building multiple JS entrypoints and web workers
Signed-off-by: Xe Iaso <me@xeiaso.net >
* feat(web): rewrite frontend worker handling
This completely rewrites how the proof of work challenge works based on
feedback from browser engine developers and starts the process of making
the proof of work function easier to change out.
- Import @aws-crypto/sha256-js to use in Firefox as its implementation
of WebCrypto doesn't jump directly from highly optimized browser
internals to JIT-ed JavaScript like Chrome's seems to.
- Move the worker code to `web/js/worker/*` with each worker named after
the hashing method and hash method implementation it uses.
- Update bench.mjs to import algorithms the new way.
- Delete video.mjs, it was part of a legacy experiment that I never had
time to finish.
- Update LibreJS comment to add info about the use of
@aws-crypto/sha256-js.
- Also update my email to my @techaro.lol address.
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(web): don't hard dep webcrypto anymore
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore(lib/policy): start the deprecation process for slow
This mostly adds a warning, but the "slow" method is in the process of
being removed. Warn admins with slog.Warn.
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: update CHANGELOG
Signed-off-by: Xe Iaso <me@xeiaso.net >
* feat(web/js): allow running Anubis in non-secure contexts
Signed-off-by: Xe Iaso <me@xeiaso.net >
* Update metadata
check-spelling run (pull_request) for Xe/purge-slow
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com >
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com >
2025-08-02 11:27:26 -04:00
Xe Iaso
8d08de6d9c
fix: allow social preview images ( #934 )
...
* feat(ogtags): when encountering opengraph URLs, add them to an allow cache
Signed-off-by: Xe Iaso <me@xeiaso.net >
* feat(lib): automatically allow any urls in the ogtags allow cache
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: update CHANGELOG
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs(changelog): remove this bit to make it its own PR
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(palemoon): add 180 second timeout
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(palemoon): actually invoke timeout
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-31 08:44:49 -04:00
Xe Iaso
1f7fcf938b
fix(lib): add the ability to set a custom slog Logger ( #915 )
...
* fix(lib): add the ability to set a custom slog Logger
Closes #864
* test(lib): amend s.check usage
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol >
2025-07-31 08:06:35 -04:00
Emir SARI
6ae386a11a
fix: polish Turkish translations ( #897 )
...
* Polish Turkish translations
* Update tr.json
Co-authored-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Emir SARI <emir_sari@icloud.com >
* Update tr.json
Co-authored-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Emir SARI <emir_sari@icloud.com >
* Update tr.json
Co-authored-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Emir SARI <emir_sari@icloud.com >
* Try to make “From” sound better
Signed-off-by: Emir SARI <emir_sari@icloud.com >
---------
Signed-off-by: Emir SARI <emir_sari@icloud.com >
Co-authored-by: Xe Iaso <me@xeiaso.net >
2025-07-31 07:33:16 -04:00
Sveinn í Felli
963527fb60
Update is.json ( #935 )
...
Just one new string.
Signed-off-by: Sveinn í Felli <sv1@fellsnet.is >
2025-07-30 12:08:27 -04:00
Xe Iaso
b81c577106
chore(docs/anubis-cfg): update contact email
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-29 15:38:08 +00:00
Xe Iaso
987c1d7410
chore(go.mod): depend on at least go 1.24.2
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-29 04:06:16 +00:00
Saterfield990
826433e8be
build(deps): bump the gomod group ( #931 )
...
* build(deps): bump the gomod group
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: npm run assets
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
Co-authored-by: Xe Iaso <me@xeiaso.net >
2025-07-28 23:47:18 -04:00
Xe Iaso
4a4031450c
fix(anubis): store the challenge method in the store ( #924 )
...
* fix(lib): reduce challenge string size
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(internal): add host, method, and path to request logs
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(anubis): log when challenges explicitly fail
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(lib): make challenge validation fully deterministic
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix(anubis): nuke challengeFor function
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs: update changelog
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-28 10:57:50 -04:00
dependabot[bot]
8feacc78fc
build(deps): bump the github-actions group with 2 updates ( #929 )
...
Bumps the github-actions group with 2 updates: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv ) and [github/codeql-action](https://github.com/github/codeql-action ).
Updates `astral-sh/setup-uv` from 6.4.1 to 6.4.3
- [Release notes](https://github.com/astral-sh/setup-uv/releases )
- [Commits](7edac99f96...e92bafb625https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](181d5eefc2...4e828ff8d4support@github.com >
Co-authored-by: Jason Cameron <git@jasoncameron.dev >
2025-07-27 22:47:21 -04:00
Xe Iaso
bca2e87e80
feat(default-rules): add weight to Custom-AsyncHttpClient ( #914 )
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: Xe Iaso <xe.iaso@techaro.lol >
2025-07-27 00:41:43 +00:00
Xe Iaso
a735770c93
feat(expressions): add segments function to break path into segments ( #916 )
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 16:21:08 -04:00
Xe Iaso
bf42014ac3
test: add automated Pale Moon tests ( #903 )
...
* test: start work on Pale Moon tests
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(palemoon): rewrite to use ci-images
Signed-off-by: Xe Iaso <me@xeiaso.net >
* ci: enable palemoon tests
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(palemoon): add some variables
Signed-off-by: Xe Iaso <me@xeiaso.net >
* fix: disable tmate
Signed-off-by: Xe Iaso <me@xeiaso.net >
* test(palemoon): disable i386 for now
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 11:42:08 -04:00
dependabot[bot]
0ef3461816
build(deps): bump brace-expansion from 1.1.11 to 1.1.12 in /docs ( #909 )
...
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion ) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases )
- [Commits](https://github.com/juliangruber/brace-expansion/compare/1.1.11...v1.1.12 )
---
updated-dependencies:
- dependency-name: brace-expansion
dependency-version: 1.1.12
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-25 11:18:27 -04:00
Xe Iaso
7d7028d25c
test(lib): add a test for the X-Forwarded-For middleware ( #912 )
...
Previously the X-Forwarded-For middleware could return two commas in a
row. This is a regression test to make sure that doesn't happen again.
Imports a patch previously exclusive to Botstopper.
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 10:58:41 -04:00
Xe Iaso
9affd2edf4
chore: expose thoth in lib ( #911 )
...
Imports a patch previously exclusive to Botstopper.
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 10:58:30 -04:00
dependabot[bot]
26b6d8a91a
build(deps): bump on-headers and compression in /docs ( #910 )
...
Bumps [on-headers](https://github.com/jshttp/on-headers ) and [compression](https://github.com/expressjs/compression ). These dependencies needed to be updated together.
Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases )
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md )
- [Commits](https://github.com/jshttp/on-headers/compare/v1.0.2...v1.1.0 )
Updates `compression` from 1.8.0 to 1.8.1
- [Release notes](https://github.com/expressjs/compression/releases )
- [Changelog](https://github.com/expressjs/compression/blob/master/HISTORY.md )
- [Commits](https://github.com/expressjs/compression/compare/1.8.0...v1.8.1 )
---
updated-dependencies:
- dependency-name: on-headers
dependency-version: 1.1.0
dependency-type: indirect
- dependency-name: compression
dependency-version: 1.8.1
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-25 10:53:28 -04:00
Xe Iaso
958992a69a
chore: release v1.21.3
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 10:30:44 -04:00
Xe Iaso
221d9f2072
fix(web): make the try again button always go back to / ( #907 )
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-25 14:25:04 +00:00
Xe Iaso
bb434a3351
fix(lib): add comprehensive XSS protection logic ( #905 )
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-24 11:24:58 -04:00
Xe Iaso
45ff8f526e
fix(lib): add additional validation logic for XSS protection
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-24 14:57:58 +00:00
Xe Iaso
5700512da5
chore: release v1.21.2
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-24 10:47:32 -04:00
Xe Iaso
d40e9056bc
fix(lib): block XSS attacks via nonstandard URLs ( #904 )
...
* fix(lib): block XSS attacks via nonstandard URLs
This could allow an attacker to craft an Anubis pass-challenge URL that
forces a redirect to nonstandard URLs, such as the `javascript:` scheme
which executes arbitrary JavaScript code in a browser context when the
user clicks the "Try again" button.
Release-status: cut
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: spelling
Signed-off-by: Xe Iaso <me@xeiaso.net >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-24 14:05:00 +00:00
Moonchild
21f570962c
Pass forward X-Real-IP to nginx backend server ( #901 )
...
The TLS termination server sets X-Real-IP to be used by the back-end, but the back-end configuration example doesn't actually extract it so nginx logs (and back-end processing) fails to log or use the visiting IP in any way (it just states `unix:` if using a unix socket like in the example given, or the local IP if forwarded over TCP).
Adding real_ip_header to the config will fix this.
Signed-off-by: Moonchild <moonchild@palemoon.org >
2025-07-24 12:11:53 +00:00
Xe Iaso
1cb1352a44
fix(blog/v1.21.1): we avoid breaking changes
...
Signed-off-by: Xe Iaso <me@xeiaso.net >
2025-07-22 22:54:22 +00:00
Xe Iaso
a4c08687cc
docs: add blogpost for announcing v1.21.1 ( #886 )
...
* docs: add release announcement post for v1.21.1
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs(v1.21.1): small fixups
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs(v1.21.1): spelling fixes
Signed-off-by: Xe Iaso <me@xeiaso.net >
* docs(v1.21.1): clarify that Bell is trash
Signed-off-by: Xe Iaso <me@xeiaso.net >
* chore: spelling
check-spelling run (pull_request) for Xe/v1.21.1-blogpost
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com >
on-behalf-of: @check-spelling <check-spelling-bot@check-spelling.dev >
---------
Signed-off-by: Xe Iaso <me@xeiaso.net >
Signed-off-by: check-spelling-bot <check-spelling-bot@users.noreply.github.com >
2025-07-22 16:42:58 -04:00
