3x-ui/web/controller
snvv133 3c11977c77 security: fix password log leak, getDb CSRF, cookie hardening
1. web/controller/index.go
   Stop logging the submitted plaintext password on failed login.
   Replace it with "***" in the Telegram notification too.

2. web/controller/server.go + web/html/index.html
   Convert /panel/api/server/getDb from GET to POST and require an
   X-Requested-With header. Prevents <img>/<a>/<form> CSRF that would
   otherwise let an attacker steal the SQLite DB by tricking a logged-in
   admin into loading a single URL.

3. web/web.go
   Set Secure=true on the session cookie when TLS cert/key are configured,
   and tighten SameSite from Lax to Strict for the panel session.
2026-04-19 11:33:29 -07:00
api.go API improve security: returns 404 for unauthenticated API requests 2025-09-24 11:29:55 +02:00
base.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
inbound.go bug fix #3785 2026-02-11 22:21:09 +01:00
index.go security: fix password log leak, getDb CSRF, cookie hardening 2026-04-19 11:33:29 -07:00
server.go security: fix password log leak, getDb CSRF, cookie hardening 2026-04-19 11:33:29 -07:00
setting.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
util.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
websocket.go feat: Add WebSocket support for real-time updates and enhance VLESS settings (#3605) 2026-01-03 05:26:00 +01:00
xray_setting.go fix security issue 2026-02-09 23:36:10 +01:00
xui.go API improve security: returns 404 for unauthenticated API requests 2025-09-24 11:29:55 +02:00