Webhooks now stored encrypted (webhooks.enc) instead of plain text:
- Automatic migration from webhooks.json to webhooks.enc
- Uses same AES-256-GCM encryption as nodes and email configs
- Original file backed up as webhooks.json.backup
- Protects sensitive webhook URLs and authentication headers
This addresses the security concern where webhook URLs containing API tokens
(like Telegram bot tokens) were stored in plain text.
- API tokens now hashed before storage (never stored in plain text)
- Raw token shown only once during generation
- Backward compatible with existing plain text tokens
- Added migration warnings for users with plain tokens
- Updated documentation to reflect security improvements
- Remove outdated v3 to v4 migration guide
- Update README with mandatory security setup steps
- Clarify that authentication is now required, not optional
- Update Docker, Security, and Troubleshooting docs
- Remove references to optional authentication
- ProxmoxVE script can now check if auth is already set without credentials
- Quick-setup endpoint is now public but handler checks if setup should be skipped
- Prevents duplicate auth configuration attempts
- Critical for automated setup scripts
- clarified .env file usage for Docker (it's acceptable for Docker volumes)
- emphasized need for quotes around bcrypt hashes to prevent shell expansion
- removed incorrect SHA3-256 'cost factor' reference (only bcrypt has cost factor)
- added notes about proper quoting in Docker examples
Updated security documentation to explicitly mention that Docker uses
the Quick Security Setup wizard and persists credentials via /data/.env
file in the volume, making it clear how auth works in Docker deployments.
- Homelab users on private networks (192.168.x.x, 10.x.x.x, 172.16.x.x) can now export/import without any configuration
- No need to set ALLOW_UNPROTECTED_EXPORT=true for typical homelab setups
- Public network access still requires authentication for security
- Simplifies backup/restore for users who don't need authentication
- Clarify that session auth (password login) is sufficient for export/import
- Document that guest metadata and custom console URLs are included
- Update FAQ with clearer backup instructions
- Add UI-first approach to README backup section
- Clarify that passwords are ALWAYS bcrypt hashed (never plain text)
- Document SHA3-256 hashing for API tokens
- Add Quick Security Setup as recommended method
- Update examples to show hashed format required
- Add security best practices section
- Add verification script reference
- Update troubleshooting for new auth variables
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only
All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Created MIGRATION.md with clear backup/migration procedures
- Emphasizes export/import as the only supported migration method
- Warns against direct file copying
- Includes security notes about passphrase protection
- Added troubleshooting and pro tips
- Updated README and SECURITY docs to reference migration guide
- Add registration tokens documentation to SECURITY.md
- Add email configuration guide to README.md
- Create comprehensive API.md with all endpoints documented
- Include examples for bash, PowerShell, and Python API usage
- Document WebSocket connection for real-time updates
- Add rate limiting information and error response formats
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
- Completely rewrite README.md configuration section
- Remove all references to manual pulse.yml editing
- Emphasize UI-only configuration like Radarr/Sonarr
- Simplify Docker examples
- Rewrite SECURITY.md from scratch
- Explain automatic encryption system
- Document how AES-256-GCM encryption works
- Add security architecture diagram
- Remove outdated manual config references
- Move CONFIGURATION.md to dev-docs (outdated)
- Documentation now correctly reflects that:
- All configuration is done through the web UI
- Credentials are automatically encrypted
- No manual file editing is needed or supported
- Complete rewrite of README.md in the style of original Pulse
- Add comprehensive user-facing documentation:
- FAQ.md with common questions and troubleshooting
- PBS-AGENT.md for push mode monitoring
- SCREENSHOTS.md placeholder for visual guide
- Update SECURITY.md intro to match new style
- Move internal dev docs to separate dev-docs folder
- Documentation now properly reflects Go/SolidJS architecture
- Replace real Gmail app password with placeholder in all test files
- Fix remaining production node name references in documentation
- Ensure no sensitive credentials remain in codebase
IMPORTANT: The exposed Gmail app password should be revoked immediately
- Replace personal email with generic test@example.com
- Replace production node names (delly, pimox) with generic examples
- Replace specific security tokens with placeholder values
- Update IP addresses to use localhost or generic examples
- Sanitize all testing files and documentation
- Replace all 'any' types with proper TypeScript types throughout the codebase
- Fix Record<string, any> to use specific types (AlertThresholds, unknown)
- Update logger methods to use 'unknown' instead of 'any' for parameters
- Fix type assertions to use proper types instead of 'as any'
- Update generic type defaults from 'any' to 'unknown'
- Fix WebSocket message types to use 'unknown' for optional data
- Move global Toast declaration to top level to fix TypeScript errors
- Comment out legacy PBS backup code that referenced non-existent fields
- Ensure all code follows TypeScript standards as documented in CLAUDE.md
All TypeScript compilation errors have been resolved and the codebase now
adheres to strict typing standards with no 'any' types remaining.
