- Fixed /api/config/system endpoint to return all persisted settings fields including allowEmbedding, discoveryEnabled, and allowedEmbedOrigins
- Added comprehensive input validation for all settings with proper min/max bounds
- Fixed security headers to properly allow/deny iframe embedding based on user preference
- Added real bug detection test suite that validates behavior, not just status codes
The iframe embedding checkbox now properly persists its state and actually controls whether Pulse can be embedded in iframes. When enabled, removes X-Frame-Options header and sets CSP frame-ancestors to allow embedding.
Addresses #360
- Add detailed lockout feedback in login API responses showing remaining attempts
- Display lockout warnings in the frontend with attempt counters
- Show time remaining when account is locked (15 minute lockout duration)
- Add visual indicators (lock icon) for lockout status
- Implement /api/security/reset-lockout endpoint for admin recovery
- Store lockout information with expiration tracking
- Provide clear user guidance about lockout duration and recovery
Addresses #222 - Allow Pulse to be embedded in iframes (e.g., Homepage dashboard)
- Add AllowEmbedding and AllowedEmbedOrigins settings to SystemSettings
- Update security headers to respect embedding configuration
- When disabled: X-Frame-Options: DENY, frame-ancestors 'none'
- When enabled (same-origin): X-Frame-Options: SAMEORIGIN, frame-ancestors 'self'
- When enabled with origins: Adds specified origins to frame-ancestors
- Add UI controls in Settings → System → Network Settings
- Properly handle CSP frame-ancestors directive for cross-origin embedding
Users can now enable iframe embedding and specify allowed origins for embedding Pulse in Homepage or other dashboard applications.
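The header policy listed in the commit above, as an added Go example that is not Pulse's own code: the SystemSettings struct, the origin cleanup and the middleware are assumptions here, and for a cross-origin allow list the example omits X-Frame-Options (which cannot express foreign origins) and relies on CSP frame-ancestors alone.

```go
package main

import (
	"net/http"
	"strings"
)

// SystemSettings carries the two embedding fields named in the changelog;
// the struct shape itself is an assumption for this example.
type SystemSettings struct {
	AllowEmbedding      bool
	AllowedEmbedOrigins []string
}

// FrameHeaders returns the X-Frame-Options value ("" means omit the header)
// and the CSP frame-ancestors directive implied by the settings.
func FrameHeaders(s SystemSettings) (xfo, csp string) {
	if !s.AllowEmbedding {
		return "DENY", "frame-ancestors 'none'"
	}
	var origins []string
	for _, o := range s.AllowedEmbedOrigins {
		if o = strings.TrimSpace(o); o != "" { // drop blank entries from the UI
			origins = append(origins, o)
		}
	}
	if len(origins) == 0 {
		return "SAMEORIGIN", "frame-ancestors 'self'"
	}
	// X-Frame-Options has no valid form for a list of foreign origins
	// (ALLOW-FROM is obsolete), so CSP frame-ancestors is the only control.
	return "", "frame-ancestors 'self' " + strings.Join(origins, " ")
}

// EmbeddingMiddleware re-evaluates the settings on every response so a
// change made in Settings takes effect without a restart (assumed getter).
func EmbeddingMiddleware(get func() SystemSettings, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		xfo, csp := FrameHeaders(get())
		h := w.Header()
		h.Del("X-Frame-Options") // clear any value set by an earlier handler
		if xfo != "" {
			h.Set("X-Frame-Options", xfo)
		}
		h.Set("Content-Security-Policy", csp)
		next.ServeHTTP(w, r)
	})
}
```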
- Detect when running behind a proxy/tunnel (X-Forwarded-*, CF-Ray headers)
- Use SameSite=None for cookies when proxied to allow cross-origin access
- Properly detect HTTPS when behind proxy using X-Forwarded-Proto
- Fixes authentication not working through Cloudflare tunnels
The issue was that SameSite=Strict/Lax cookies don't work when the origin changes (which happens with tunnels/proxies). Now we detect proxy headers and relax the cookie policy to SameSite=None when needed.
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling