Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
