github Yeraze/meshmonitor v2.4.0
v2.4.0 - Security Hardening & Simplified Deployment


MeshMonitor v2.4.0

This release focuses on critical security hardening and dramatically simplified deployment for new users.

Important Note for Reverse Proxy Users

If you are using a reverse proxy, you will need to add a few new variables to your Docker Compose setup:

ALLOWED_ORIGINS=https://servername
COOKIE_SECURE=true
TRUST_PROXY=true

Use the exact origin the browser will send (scheme, host and, if non-standard, the port). Without these you'll just get a white page: the UI's API requests are rejected by the CORS allowlist, and a cookie marked Secure is only issued on requests the server recognises as HTTPS, which behind a TLS-terminating proxy it only does when TRUST_PROXY tells it to honour X-Forwarded-Proto.
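Why all three variables matter behind a proxy, as an added illustration in plain Node (not MeshMonitor's code; the helper names, the comma-separated format assumed for ALLOWED_ORIGINS and the sample headers are assumptions): the container sees only the proxy's plain-HTTP socket, so it learns that the original request was HTTPS from X-Forwarded-Proto, and it should believe that header, and X-Forwarded-For, only when the proxy is trusted. The same trust decision controls whether a Secure session cookie is ever issued.

```javascript
// Added illustration, not MeshMonitor's code. Shows how ALLOWED_ORIGINS,
// COOKIE_SECURE and TRUST_PROXY interact behind a TLS-terminating reverse proxy.
// Assumptions: ALLOWED_ORIGINS is a comma-separated list of exact origins;
// all helper names are hypothetical.

// Normalise the allowlist: one exact origin (scheme://host[:port]) per entry.
function parseAllowedOrigins(value) {
  return new Set(
    (value || '')
      .split(',')
      .map((s) => s.trim().replace(/\/+$/, '').toLowerCase())
      .filter(Boolean)
  );
}

// Exact match on the parsed origin, so "https://evil.example/https://servername"
// or an Origin of "null" is rejected. No wildcards, no substring matching.
function isOriginAllowed(originHeader, allowed) {
  if (!originHeader) return false;
  let url;
  try { url = new URL(originHeader); } catch { return false; }
  return allowed.has(url.origin.toLowerCase());
}

// The container sees the proxy's plain-HTTP socket. Only when the proxy is
// trusted may X-Forwarded-Proto upgrade the perceived protocol (this mirrors
// the rule Express applies to req.protocol under `trust proxy`; it is not Express).
function effectiveProtocol(headers, socketEncrypted, trustProxy) {
  if (trustProxy && headers['x-forwarded-proto']) {
    return headers['x-forwarded-proto'].split(',')[0].trim().toLowerCase();
  }
  return socketEncrypted ? 'https' : 'http';
}

// A cookie carrying the Secure attribute is not issued over a connection the app
// believes is plain HTTP, so COOKIE_SECURE=true without TRUST_PROXY=true yields
// no session cookie at all.
function sessionCookieIssued(cookieSecure, headers, socketEncrypted, trustProxy) {
  return !cookieSecure || effectiveProtocol(headers, socketEncrypted, trustProxy) === 'https';
}

// Client address for rate limiting and logs. X-Forwarded-For is attacker
// controlled unless a trusted proxy appended it; with one trusted hop the
// right-most entry is the one that proxy added.
function clientIp(headers, remoteAddress, trustProxy) {
  const xff = trustProxy ? headers['x-forwarded-for'] : undefined;
  if (!xff) return remoteAddress;
  const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return hops.length ? hops[hops.length - 1] : remoteAddress;
}

// Constructed sample: what a typical proxy forwards for the release's
// ALLOWED_ORIGINS=https://servername setup (not captured from a real system).
const SAMPLE_PROXIED_HEADERS = {
  host: 'servername',
  origin: 'https://servername',
  'x-forwarded-proto': 'https',
  'x-forwarded-for': '203.0.113.7',
};

// Evaluate one forwarded request against a given set of environment variables.
function evaluateDeployment(env, headers, socketEncrypted, remoteAddress) {
  const trustProxy = env.TRUST_PROXY === 'true';
  const cookieSecure = env.COOKIE_SECURE === 'true';
  return {
    originAllowed: isOriginAllowed(headers.origin, parseAllowedOrigins(env.ALLOWED_ORIGINS)),
    cookieIssued: sessionCookieIssued(cookieSecure, headers, socketEncrypted, trustProxy),
    clientIp: clientIp(headers, remoteAddress, trustProxy),
  };
}

// The release's recommended settings versus a setup that forgot TRUST_PROXY.
console.log('configured:',
  evaluateDeployment({ ALLOWED_ORIGINS: 'https://servername', COOKIE_SECURE: 'true', TRUST_PROXY: 'true' },
    SAMPLE_PROXIED_HEADERS, false, '172.18.0.2'));
console.log('misconfigured:',
  evaluateDeployment({ COOKIE_SECURE: 'true' }, SAMPLE_PROXIED_HEADERS, false, '172.18.0.2'));
```

Note the deliberate difference from Express's `trust proxy: true`, which takes the left-most X-Forwarded-For entry: that entry is whatever the client chose to send, so a limiter keyed on it can be bypassed by supplying a fresh fake address per request. Taking the entry appended by the one proxy you actually control is the safer default when exactly one hop sits in front of the app.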

🔒 Security Improvements

Phase 1 Critical Security Hardening (#183)

Comprehensive security audit and implementation of critical fixes:

  • Helmet.js Security Headers: Environment-conditional CSP, HSTS, and security headers
  • CORS Whitelist Protection: Origin validation with ALLOWED_ORIGINS support
  • CSRF Protection: Modern double-submit cookie pattern replacing deprecated csurf
  • Multi-tier Rate Limiting: Environment-aware rate limits (10k req/15min in development, 1k req/15min in production)
  • SESSION_SECRET Enforcement: Required in production with clear error messages
  • Request Size Limits: 10MB body size protection
  • Removed Vulnerable Dependencies: Eliminated deprecated csurf package

Security Score Improvement: 6/10 → 8/10

  • ✅ 0 critical vulnerabilities (was 4)
  • ✅ 0 high vulnerabilities (was 4)
  • ✅ OWASP Top 10 compliance: 50% → 75%

🚀 Simplified Deployment

One-Line Quick Start (#184)

Getting started is now under 60 seconds with minimal configuration:

# Only ONE environment variable required!
cat > docker-compose.yml << 'EOF'
services:
  meshmonitor:
    image: ghcr.io/yeraze/meshmonitor:latest
    container_name: meshmonitor
    ports:
      - "8080:3001"
    volumes:
      - meshmonitor-data:/data
    environment:
      - MESHTASTIC_NODE_IP=192.168.1.100
    restart: unless-stopped

volumes:
  meshmonitor-data:
EOF

docker compose up -d

What Changed?

  • ✅ Works over HTTP out of the box (no HTTPS required)
  • ✅ Auto-generates SESSION_SECRET (no manual setup)
  • ✅ Secure cookies automatically configured
  • ✅ Development mode as default for simple deployments
  • ✅ No complex configuration needed for basic usage

📚 Documentation Improvements

  • Updated homepage Quick Start to match simplified approach
  • Added "What Just Happened?" section explaining security defaults
  • Comprehensive production deployment checklist
  • Added new screenshot images for features
  • VitePress configuration improvements

🔧 Dependency Updates

Multiple Dependabot updates merged:

  • Vite 5.4.20 → 7.1.9
  • React 18 → 19
  • Concurrently 8.2.2 → 9.2.1
  • TypeScript 5.9.2 → 5.9.3
  • Updated GitHub Actions dependencies
  • Development dependencies updated (#171)

🔄 CI/CD Improvements

  • Added Dependabot auto-merge workflow (#182)
  • Updated CodeQL action v2 → v3 (#106)
  • Updated Codecov action v3 → v5 (#105)
  • Improved paths-filter action (#104)

๐Ÿ› Bug Fixes

  • Comprehensive cookie security warnings and diagnostics (#176, #181)
  • CSRF token validation now properly enforced on all mutation endpoints
  • Rate limiting now environment-aware to prevent false positives in development

โš ๏ธ Breaking Changes

Production Deployments Only:

  • SESSION_SECRET environment variable now required in production mode
  • Set NODE_ENV=production for production deployments
  • CSRF tokens now required for all POST/PUT/DELETE/PATCH requests
  • Rate limiting enforced (1000 requests per 15 minutes in production)

Development/Home Deployments: No breaking changes - everything works out of the box!

📦 Installation

Docker (Recommended)

docker pull ghcr.io/yeraze/meshmonitor:v2.4.0

Kubernetes (Helm)

helm repo add meshmonitor https://yeraze.github.io/meshmonitor
helm install meshmonitor meshmonitor/meshmonitor --version 2.4.0

๐Ÿ“ Full Changelog

Features:

  • feat: Phase 1 Critical Security Hardening (#183)
  • feat: add Dependabot auto-merge workflow (#182)

Documentation:

  • docs: simplify Quick Start to match streamlined deployment (#184)

Dependencies:

  • chore(deps-dev): Bump the development-dependencies group (#171)
  • chore(deps): Bump codecov/codecov-action from 3 to 5 (#105)
  • chore(deps): Bump github/codeql-action from 2 to 3 (#106)
  • chore(deps): Bump dorny/paths-filter from 2 to 3 (#104)
  • Multiple other dependency updates

Fixes:

  • fix: add comprehensive cookie security warnings and diagnostics (#176, #181)

Full Changelog: v2.3.1...v2.4.0

🤖 Generated with Claude Code

🚀 MeshMonitor v2.4.0

📦 Installation

Docker (recommended; note that ghcr.io image names must be all lowercase or the daemon rejects the reference):

docker run -d \
  --name meshmonitor \
  -p 8080:3001 \
  -v meshmonitor-data:/data \
  ghcr.io/yeraze/meshmonitor:v2.4.0

🧪 Testing

✅ All tests passed
✅ TypeScript checks passed
✅ Docker images built for linux/amd64, linux/arm64, linux/arm/v7

📋 Changes

See commit history for detailed changes.
