🔒 Security Hardening Release
This release includes a comprehensive security overhaul addressing multiple critical vulnerabilities reported by the community.
Security Fixes
- SQL injection prevention — Strict whitelist validation on sort order parameters (#713)
- Reflected XSS fix — HTML-encode user input in auth page error messages (#714)
- Stored XSS fix — Sanitize content preview output + add role checks (#715)
- Security headers — CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy (#708)
- Auth rate limiting — Prevent brute-force attacks on login/register endpoints (#707)
- CORS restrictions — Restrict cross-origin API access to explicit allowed origins (#706)
- PBKDF2 password hashing — Replace SHA-256 with proper key derivation (#705)
- JWT secret configuration — Move from hardcoded fallback to environment variable (#704)
- CSRF protection — Signed double-submit cookie pattern (#702)
- Startup security verification — Warn on insecure configuration at boot (#701)
- Form submission XSS — Sanitize stored form data (#700)
- SQLi in database tools — Clean up database tools queries (#699)
Bug Fixes
- Radio field type now fully supported in collection builder and forms (#723)
- Confirm dialogs added for repeater/block item deletes (#722)
- Rich text editor field types added to FieldType union (#721)
- Astro integration guide updated for v2.8.0 (#720)
- user_profiles migration moved to core package (#718)
- itemTitle support for structured array item labels (#725)
- Content Info panel timestamps fixed (#703)
Dependency Updates
- undici, wrangler, hono, picomatch, rollup, flatted, yaml, next, axios
Installation
New project:
npm create sonicjs@latest my-app

Or update an existing project:
npm install @sonicjs-cms/core@2.8.3

⚠️ Action Required
After updating, set these secrets for full security:
wrangler secret put JWT_SECRET
wrangler secret put CORS_ORIGINS # comma-separated allowed origins

Credit
Security vulnerabilities reported by Zhengyu Wang and the SonicJS community.