Summary
- Trusted proxy handling now ignores forwarded host and prefix headers, preventing reverse-proxy host header poisoning from influencing generated application URLs. Password reset links are now generated from `APP_URL` instead of request host headers.
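The change described in the summary, sketched in plain PHP as an added example (not VolumeVault's code): the first function derives the link origin from forwarded headers, the second only from `APP_URL`. The function names, the `/reset-password/` path and all sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not VolumeVault's code. All function names are hypothetical.

/** "Before": the origin is derived from proxy headers that a client can influence. */
function originFromRequest(array $headers): string
{
    $scheme = $headers['X-Forwarded-Proto'] ?? 'http';
    $host   = $headers['X-Forwarded-Host'] ?? $headers['Host'];
    $prefix = rtrim($headers['X-Forwarded-Prefix'] ?? '', '/');
    return "{$scheme}://{$host}{$prefix}";
}

/** "After": the origin comes only from configuration and is validated up front. */
function originFromAppUrl(string $appUrl): string
{
    $p = parse_url($appUrl);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array($p['scheme'], ['http', 'https'], true)) {
        throw new InvalidArgumentException('APP_URL must be an absolute http(s) URL');
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $path = rtrim($p['path'] ?? '', '/');
    return "{$p['scheme']}://{$p['host']}{$port}{$path}";
}

function resetLink(string $origin, string $token, string $email): string
{
    return $origin . '/reset-password/' . rawurlencode($token)
        . '?' . http_build_query(['email' => $email]);
}

// Constructed sample request: forwarded headers carry values the operator never configured.
$headers = [
    'Host'               => 'vault.example.org',
    'X-Forwarded-Proto'  => 'https',
    'X-Forwarded-Host'   => 'untrusted.example.net',
    'X-Forwarded-Prefix' => '/x',
];
$appUrl = 'https://vault.example.org'; // constructed APP_URL value
$token  = 'sample-token';              // constructed, not a real token
$email  = 'user@example.org';

echo resetLink(originFromRequest($headers), $token, $email), PHP_EOL;
echo resetLink(originFromAppUrl($appUrl), $token, $email), PHP_EOL;
```

Only the first link changes when the forwarded headers change; a missing or relative `APP_URL` fails fast in the second path instead of producing a broken link.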
Upgrade Notes
- No database migrations or new environment variables are required.
- Confirm `APP_URL` is set to the public base URL for the installation, because password reset links now use it as their canonical origin.
- Rebuild and restart the VolumeVault container after upgrading.
Verification
- Local verification before release included `docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan changelog:validate v1.16.1 --release --no-interaction`.
- Local verification before release included `docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php artisan test --compact`.
- Local verification before release included `npm run build`.
- Local verification before release included `docker run --rm --user "$(id -u):$(id -g)" -v "/home/darkdragon/VolumeVault:/app" -w /app volumevault:local php ./vendor/bin/pint --dirty --format agent`.