Security hardening release following a full security audit. No user-facing feature changes.
Hardened
- CSRF defense on the device config UI: state-changing endpoints now reject cross-origin requests (a request whose Origin does not match the host the device was addressed by), closing a vector where a page loaded in a browser joined to the device hotspot could drive the config API.
- OTA downgrade protection: the device accepts only updates whose version is strictly newer than the running build, so a spoofed manifest cannot push it back to an older, vulnerable build.
- Supply chain: the browser flasher and product page no longer load code from a public CDN (esp-web-tools is now vendored and served same-origin), both ship a strict Content-Security-Policy, every CI action is pinned to a commit SHA rather than a mutable tag, and the release workflow no longer expands the release tag directly into a shell step, so a crafted tag name cannot inject commands.
- Stricter IPv6 handling on the hotspot access check.
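As an added illustration, not the project's firmware code, of the two device-side checks in the list above: the cross-origin rejection on state-changing config endpoints, and the strictly-forward OTA version gate. The function names, the `MAJOR.MINOR.PATCH` version format and the sample header values are assumptions made for this example; the release note does not describe the firmware's actual layout or version scheme.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- Cross-origin rejection for state-changing config endpoints ---- */

/* ASCII case-insensitive string equality (methods and host names are case-insensitive). */
static bool ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    }
    return *a == '\0' && *b == '\0';
}

static bool method_is_safe(const char *method) {
    return ieq(method, "GET") || ieq(method, "HEAD") || ieq(method, "OPTIONS");
}

/* Returns the authority ("host[:port]") of a serialized origin such as
   "http://192.168.4.1", or NULL if the value is not a well-formed origin.
   The opaque origin "null" (sandboxed frames, some redirects) yields NULL. */
static const char *origin_authority(const char *origin) {
    const char *sep = strstr(origin, "://");
    if (sep == NULL) return NULL;
    const char *authority = sep + 3;
    if (*authority == '\0' || strchr(authority, '/') != NULL) return NULL; /* origins carry no path */
    return authority;
}

/* Decide whether a request may reach a config endpoint (hypothetical helper).
   method: HTTP method; origin: Origin header value, or NULL if absent;
   host: Host header value, i.e. the authority the device was addressed by. */
bool csrf_allow_request(const char *method, const char *origin, const char *host) {
    if (method_is_safe(method)) return true;          /* reads do not change state */
    if (host == NULL || *host == '\0') return false;   /* cannot establish same-origin */
    if (origin == NULL) return false;                  /* browsers always send Origin on POST;
                                                          a missing header is treated as cross-origin */
    const char *authority = origin_authority(origin);
    if (authority == NULL) return false;
    return ieq(authority, host);
}

/* ---- Forward-only OTA version gate ---- */

typedef struct { unsigned long major, minor, patch; } fw_version_t;

/* Parse "MAJOR.MINOR.PATCH" with an optional leading 'v'. Anything else is
   rejected, so an unparseable manifest field fails closed. */
bool fw_version_parse(const char *s, fw_version_t *out) {
    unsigned long parts[3];
    if (*s == 'v' || *s == 'V') s++;
    for (int i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)*s)) return false; /* strtoul alone would accept "+", "-" and spaces */
        char *end;
        parts[i] = strtoul(s, &end, 10);
        if (i < 2) {
            if (*end != '.') return false;
            s = end + 1;
        } else if (*end != '\0') {
            return false;                              /* trailing junk such as "-rc1" */
        }
    }
    out->major = parts[0]; out->minor = parts[1]; out->patch = parts[2];
    return true;
}

/* <0, 0, >0 as a is older than, equal to, newer than b. */
int fw_version_cmp(const fw_version_t *a, const fw_version_t *b) {
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* True only when the offered image claims a version strictly newer than the running one. */
bool ota_update_allowed(const char *running, const char *offered) {
    fw_version_t cur, cand;
    if (!fw_version_parse(running, &cur) || !fw_version_parse(offered, &cand)) return false;
    return fw_version_cmp(&cand, &cur) > 0;
}

int main(void) {
    /* Constructed sample requests and manifest versions, not captured from a device. */
    printf("same-origin POST:  %s\n", csrf_allow_request("POST", "http://192.168.4.1", "192.168.4.1") ? "allow" : "deny");
    printf("cross-origin POST: %s\n", csrf_allow_request("POST", "http://attacker.example", "192.168.4.1") ? "allow" : "deny");
    printf("1.4.2 -> 1.5.0:    %s\n", ota_update_allowed("1.4.2", "1.5.0") ? "allow" : "deny");
    printf("1.4.2 -> 1.3.9:    %s\n", ota_update_allowed("1.4.2", "1.3.9") ? "allow" : "deny");
    return 0;
}
```

Two design points worth noting. The origin check compares the Origin authority literally against the Host header, so it holds whether the device is reached by IP or by a local name, but a missing Origin is denied, which means non-browser clients scripting the config API must send an Origin matching the Host they connect to. The version gate fails closed on anything it cannot parse, and it only constrains what an image claims to be; until images are signed it does not authenticate who built them.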
Notes
- Device settings are preserved (no config-layout change in this release).
- Known accepted limitation, tracked for a future release: OTA images are not yet cryptographically signed (application-level image signing that does not require ESP32 Secure Boot is planned). Until then, downgrade protection only constrains the version an update claims; it does not authenticate the image itself. Physical USB reflash remains a trusted operation by design.
Flash from https://crowpilot.in/crowmotion/, from the device's own "Check for updates" action, or with esptool using the attached binaries.