FableCut v1.3.1 — security hardening
Security
Hardening of the local server against network and drive-by attacks, prompted by
the report in #1 — thanks
@suthakamal2.
- The server now binds 127.0.0.1 only by default (previously all
interfaces, reachable from the whole LAN). Deliberate LAN use is an explicit
opt-in:HOST=0.0.0.0 node server.jsplus
FABLECUT_ALLOWED_HOSTS=192.168.1.20,mybox.local. - Every request is checked against a Host-header allowlist
(localhost/127.0.0.1/[::1] + the opt-ins above), which defeats DNS-rebinding
attacks, and — when the browser sends one — an Origin allowlist, which
defeats blind cross-origin writes from malicious web pages (e.g. a drive-by
POST /api/uploadcarried a no-preflight raw body). - The static file server no longer serves dot-files or dot-directories
(.git/,.gitignore, …), and both path-traversal guards now use
separator-anchored directory prefixes.
Added
- The default asset library now ships with the repo where licensing allows:
20 Google Fonts inlibrary/fonts/(OFL, listed inLICENSES.md) and the
self-authored overlay SVGs inlibrary/elements/.library/sfx/stays
local-only (SFX-site licenses generally prohibit redistribution) — its new
README points to good free sources.