security
SQL injection fix, encrypted Slack tokens, and stricter security headers
A round of hardening across the API surface: closed an SQL-injection vector in the natural-language search RPC, encrypted Slack bot tokens at rest with AES-256-GCM, added an SSRF guard to outbound webhooks, and shipped strict security headers (HSTS, CSP, X-Frame-Options DENY, Permissions-Policy).
Details
- Fixed an SQL injection vector in the natural-language search RPC by switching it to SECURITY INVOKER: the function now runs with the caller's privileges, so row-level security enforces workspace isolation directly
- Slack bot tokens encrypted at rest with AES-256-GCM
- SSRF guard on outbound webhooks — webhook hosts are DNS-resolved first and any private IP result is blocked
- Strict security headers: HSTS, CSP, X-Frame-Options DENY, Permissions-Policy
- Cron auth: Bearer-only with constant-time compare; the URL ?secret= fallback has been removed
- Middleware now returns 401 for any /api/* request without a session (defense in depth)