2.1.0 - security, sessions and Admin panel
What's new:
Security & sessions - Reverse-proxy aware: auto-detect HTTPS via X-Forwarded-Proto, CF-Visitor, X-Forwarded-SSL.
- Real client IP resolved via
CF-Connecting-IP/X-Real-IP(fixes rate-limit collapse behind CloudFlare). - Fixed admin login redirect loop (ERR_TOO_MANY_REDIRECTS) caused by relativesession.save_pathunder PHP-FPM. session.gc_maxlifetimesynced withSESSION_MAX_LIFETIMEto prevent premature logout.IP_HASH_SALTauto-generated on first request and persisted toincludes/.secret_salt(chmod 0600, gitignored).- New
tmp/.htaccessdenies HTTP access to session files. - Hardened
session_regenerate_id()flow inlogin.php.
Admin panel
- Improved 403 page on
admin/— shows current user, role, and required role for faster debugging.
CI / release
- Fixed Docker Hub build tag pattern (now matches both
v1.2.3and bare1.2.3semver tags). - Release ZIP excludes hardened:
tmp/,cypress/,node_modules/,package*.json,.claude/,includes/.secret_salt. - Removed dead
e2e-tests.ymlworkflow (Cypress not in repo). - CodeQL no longer references non-existent
classicbranch. - PHP lint now runs matrix across PHP 8.1, 8.2, 8.3.
vanilla-check.ymlextended withchart.js,swiper,htmx,gsap,three,stimulus,d3.
Docs
- README updated: badges refreshed,
IP_HASH_SALTbehaviour documented, reverse-proxy notes added, tag examples corrected (X.Y.Znot
vX.Y.Z).
Upgrade notes
- No breaking changes. Existing
database.jsonand configuration are preserved. - Behind reverse proxy: no action required — detection is automatic.
- Multi-server deployments should set
IP_HASH_SALTexplicitly so all nodes share the same salt.