3x-ui/web
Latest commit: snvv133  3c11977c77  security: fix password log leak, getDb CSRF, cookie hardening
1. web/controller/index.go
   Stop logging the submitted plaintext password on failed login.
   Replace it with "***" in the Telegram notification too.

2. web/controller/server.go + web/html/index.html
   Convert /panel/api/server/getDb from GET to POST and require an
   X-Requested-With header. Prevents <img>/<a>/<form> CSRF that would
   otherwise let an attacker steal the SQLite DB by tricking a logged-in
   admin into loading a single URL.

3. web/web.go
   Set Secure=true on the session cookie when TLS cert/key are configured,
   and tighten SameSite from Lax to Strict for the panel session.
Committed: 2026-04-19 11:33:29 -07:00
Name         Last commit                                                         Date
assets       Fix DeepLink for Happ, remove encoding URL (#3863)                  2026-03-04 12:29:46 +01:00
controller   security: fix password log leak, getDb CSRF, cookie hardening       2026-04-19 11:33:29 -07:00
entity       feat: more subscription information fields (#3701)                  2026-01-26 23:06:01 +01:00
global       Refactor code and fix linter warnings (#3627)                       2026-01-05 05:54:56 +01:00
html         security: fix password log leak, getDb CSRF, cookie hardening       2026-04-19 11:33:29 -07:00
job          update dependencies                                                 2026-03-04 13:05:29 +01:00
locale       update dependencies                                                 2026-03-04 13:05:29 +01:00
middleware   docs: add comments for all functions                                2025-09-20 09:35:50 +02:00
network      docs: add comments for all functions                                2025-09-20 09:35:50 +02:00
service      update dependencies                                                 2026-03-04 13:05:29 +01:00
session      docs: add comments for all functions                                2025-09-20 09:35:50 +02:00
translation  translate bug fix #3789                                             2026-02-14 21:41:20 +01:00
websocket    Add url speed test for outbound (#3767)                             2026-02-09 21:43:17 +01:00
web.go       security: fix password log leak, getDb CSRF, cookie hardening       2026-04-19 11:33:29 -07:00
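The getDb CSRF fix and the cookie hardening described in the latest commit message above, as an added illustrative example written here in Go's standard net/http. This is not 3x-ui's own code: the endpoint path is the one named in the commit message, while the cookie name, the listen address, the session lifetime and the placeholder database bytes are assumptions for illustration.

```go
package main

import (
	"log"
	"net/http"
	"time"
)

// RequireXHR wraps a state-changing handler so that only POST requests that
// carry an X-Requested-With header reach it. A browser never attaches a custom
// header to an <img>, <a> or plain <form> request, and a cross-origin fetch/XHR
// that adds one first sends a CORS preflight, which this server does not
// approve. The header therefore works like a CSRF token that another origin
// cannot forge, which is the property the commit relies on for getDb.
func RequireXHR(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if r.Header.Get("X-Requested-With") == "" {
			http.Error(w, "missing X-Requested-With header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SessionCookie builds the panel session cookie. Secure is set only when the
// panel actually serves TLS; setting it unconditionally would make browsers
// drop the cookie on plain-HTTP deployments and silently break login.
// SameSite=Strict keeps the browser from sending the cookie on any cross-site
// request, including top-level navigations from another site.
func SessionCookie(value string, tlsConfigured bool) *http.Cookie {
	return &http.Cookie{
		Name:     "3x-ui", // assumed cookie name, for illustration only
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   tlsConfigured,
		SameSite: http.SameSiteStrictMode,
		MaxAge:   int(time.Hour.Seconds()), // assumed lifetime
	}
}

// getDbHandler stands in for the real database download. It returns a
// constructed placeholder byte string, not a real SQLite file.
func getDbHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Header().Set("Content-Disposition", `attachment; filename="x-ui.db"`)
	_, _ = w.Write([]byte("SQLite format 3\x00")) // constructed placeholder
}

// NewMux registers the download endpoint behind the CSRF guard.
func NewMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/panel/api/server/getDb", RequireXHR(http.HandlerFunc(getDbHandler)))
	return mux
}

func main() {
	// Assumed listen address; a real deployment would pair this with TLS
	// and pass tlsConfigured=true to SessionCookie.
	log.Fatal(http.ListenAndServe("127.0.0.1:2053", NewMux()))
}
```

The custom-header check only holds as long as the server never answers a CORS preflight with Access-Control-Allow-Headers that includes X-Requested-With for untrusted origins; a permissive CORS policy added later would silently reopen the hole. SameSite=Strict also means a link to the panel from another site lands the admin on a logged-out page, which is the expected trade-off for an admin-only UI.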