
CrowMotion 0.1.2

Latest


@pa-ra-kram pa-ra-kram released this 02 Jul 18:54

Security hardening release following a full security audit. No user-facing feature changes.

Hardened

  • CSRF defense on the device config UI: state-changing endpoints reject cross-origin requests, closing a hotspot-side CSRF vector.
  • OTA downgrade protection: the device only accepts an update whose version is strictly newer than the running build, so a spoofed manifest cannot roll it back to an older, vulnerable build.
  • Supply chain: the browser flasher and product page no longer load code from a public CDN (esp-web-tools is vendored and served same-origin), both carry a strict Content-Security-Policy, all CI actions are pinned to commit SHAs rather than mutable tags, and the release workflow no longer interpolates the release tag into a shell script, removing a command-injection path through crafted tag names.
  • Stricter IPv6 handling on the hotspot access check.
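The same-origin rule behind the CSRF item, as an added example rather than CrowMotion's own code. It accepts a state-changing request only when the Origin header names one of the device's own hosts and matches the Host header. The function names, the HTTP-only scheme and the allowlisted hosts `192.168.4.1` and `crowmotion.local` are assumptions chosen for illustration; the allowlist is there because comparing Origin against Host alone is defeated by DNS rebinding, where both headers carry the attacker's name.

```c
/* Added example, not CrowMotion's own code: same-origin enforcement for
 * state-changing requests on a device's config UI. The header set, the
 * allowlisted host names and the function names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hosts the device answers as on the hotspot (assumed values). Comparing
 * Origin only against the incoming Host header is not enough: after DNS
 * rebinding both carry the attacker's name and would match each other. */
static const char *const DEVICE_HOSTS[] = { "192.168.4.1", "crowmotion.local" };
#define DEVICE_HOST_COUNT (sizeof DEVICE_HOSTS / sizeof DEVICE_HOSTS[0])

/* Case-insensitive equality; host names and URL schemes are case-insensitive. */
static bool ieq(const char *a, const char *b) {
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

static bool host_is_ours(const char *host) {
    for (size_t i = 0; i < DEVICE_HOST_COUNT; i++)
        if (ieq(host, DEVICE_HOSTS[i])) return true;
    return false;
}

/* Methods that may change device state and therefore need the check. */
static bool is_state_changing(const char *method) {
    return ieq(method, "POST") || ieq(method, "PUT") ||
           ieq(method, "PATCH") || ieq(method, "DELETE");
}

/* Returns true if the request may proceed.
 *   method: HTTP method; host: Host header; origin: Origin header or NULL.
 * Browsers send Origin on every POST, including same-origin form posts, so a
 * state-changing request without it did not come from the device's own UI
 * and is refused. "null" (sandboxed or opaque origins) is refused too. */
bool csrf_request_allowed(const char *method, const char *host, const char *origin) {
    if (method == NULL) return false;
    if (!is_state_changing(method)) return true;      /* reads change nothing */
    if (host == NULL || !host_is_ours(host)) return false;
    if (origin == NULL || ieq(origin, "null")) return false;

    /* The hotspot UI is served over plain http only, so a valid Origin is
     * exactly "http://" followed by one of our host names: no path, no junk. */
    static const char scheme[] = "http://";
    const size_t slen = sizeof scheme - 1;
    if (strlen(origin) <= slen) return false;
    for (size_t i = 0; i < slen; i++)
        if (tolower((unsigned char)origin[i]) != scheme[i]) return false;
    const char *origin_host = origin + slen;
    if (strchr(origin_host, '/') != NULL) return false;

    /* Origin and Host must name the same device identity. */
    return host_is_ours(origin_host) && ieq(origin_host, host);
}
```

Two practical notes: browsers omit the default port from Origin, so if the UI is served on a non-default port the allowlist entries must carry it (`host:port`); and because a missing Origin is rejected, scripted clients such as curl must send an explicit `Origin:` header to reach state-changing endpoints.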

Notes

  • Device settings are preserved (no config-layout change in this release).
  • Known accepted limitation, tracked for a future release: OTA images are not yet cryptographically signed (application-level image signing that does not depend on Secure Boot is planned). Until then, the downgrade check limits which version an unauthenticated manifest can install but does not authenticate the image itself. Physical USB reflash remains a trusted operation by design.
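The strictly-forward version rule from the OTA item, together with the limitation noted above, as an added example that is not CrowMotion's own code. The version format (`MAJOR.MINOR.PATCH`, optional leading `v`) and the function names are assumptions. The parser is deliberately strict so that a malformed manifest cannot be coerced into something that looks newer, and the comparison is against the version compiled into the running firmware, never a "current version" field the manifest itself might claim.

```c
/* Added example, not CrowMotion's own code: downgrade protection for OTA.
 * Version format and function names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef struct { uint32_t major, minor, patch; } semver_t;

/* Strict parse: optional 'v', then exactly three dot-separated decimal
 * fields and nothing else. Pre-release suffixes, whitespace and values
 * that overflow 32 bits are all rejected rather than guessed at. */
bool semver_parse(const char *s, semver_t *out) {
    if (s == NULL || out == NULL) return false;
    if (*s == 'v' || *s == 'V') s++;
    uint32_t f[3] = { 0, 0, 0 };
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s)) return false;
        uint32_t v = 0;
        while (isdigit((unsigned char)*s)) {
            if (v > (UINT32_MAX - 9) / 10) return false;   /* would overflow */
            v = v * 10 + (uint32_t)(*s - '0');
            s++;
        }
        f[i] = v;
        if (i < 2) {
            if (*s != '.') return false;
            s++;
        }
    }
    if (*s != '\0') return false;                          /* trailing junk */
    out->major = f[0]; out->minor = f[1]; out->patch = f[2];
    return true;
}

/* Lexicographic compare of (major, minor, patch): -1, 0 or 1. */
int semver_cmp(const semver_t *a, const semver_t *b) {
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Downgrade protection: install only if the offered version is strictly
 * newer than the running build. Equal versions are refused as well; a
 * re-flash of the same version gains nothing and is the easiest claim for
 * a spoofed manifest to make. Anything unparsable is refused.
 *   running: version string compiled into the firmware
 *   offered: version string taken from the update manifest */
bool ota_update_allowed(const char *running, const char *offered) {
    semver_t cur, off;
    if (!semver_parse(running, &cur)) return false;
    if (!semver_parse(offered, &off)) return false;
    return semver_cmp(&off, &cur) > 0;
}
```

This check is a version policy, not authentication: until images are signed, a manifest that is reachable by an attacker can still point the device at any image whose version number is higher than the running one. Signature verification belongs in front of this check, and the version comparison should then be made against the version embedded in the signed image, not only the one in the manifest.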

Flash from https://crowpilot.in/crowmotion/, from the device's own Check for updates, or with esptool using the attached binaries.