Addresses #222 - Allow Pulse to be embedded in iframes (e.g., Homepage dashboard)
- Add AllowEmbedding and AllowedEmbedOrigins settings to SystemSettings
- Update security headers to respect embedding configuration
- When disabled: X-Frame-Options: DENY, frame-ancestors 'none'
- When enabled (same-origin): X-Frame-Options: SAMEORIGIN, frame-ancestors 'self'
- When enabled with origins: Adds specified origins to frame-ancestors
- Add UI controls in Settings → System → Network Settings
- Properly handle CSP frame-ancestors directive for cross-origin embedding
Users can now enable iframe embedding and specify allowed origins for embedding Pulse in Homepage or other dashboard applications.
- Detect when running behind a proxy/tunnel (X-Forwarded-*, CF-Ray headers)
- Use SameSite=None for cookies when proxied to allow cross-origin access
- Properly detect HTTPS when behind proxy using X-Forwarded-Proto
- Fixes authentication not working through Cloudflare tunnels
The issue was that SameSite=Strict/Lax cookies don't work when the origin
changes (which happens with tunnels/proxies). Now we detect proxy headers
and relax the cookie policy to SameSite=None when needed.
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling
