Security
A second hardening pass on the Web UI, complementing the XSS / SSRF / CSRF fixes from v1.11.5. Recommended for everyone.
Webhook URL no longer logged in plaintext
The generic WEBHOOK_URL is now reported as "configured" on startup instead of printed in full. Prevents auth tokens (Ntfy, Gotify, Home Assistant) from leaking via docker logs or log aggregators.
Constant-time password comparison
Web UI Basic Auth now uses hmac.compare_digest instead of == for the password hash comparison, eliminating the theoretical timing side-channel.
settings.json permissions tightened to 0600
The persisted settings file (which contains webhook URLs and Telegram topic IDs) is now mode 0600 — owner-only read/write. Other containers sharing the data volume can no longer read it.
Cron schedule validation
Invalid cron expressions saved via the Web UI are now rejected with a clear error message instead of silently breaking the scheduler thread on the next tick. Examples that are now caught at save time:
- every 5 minutes (text instead of cron)
- */abc * * * * (non-numeric step)
- 0 0-20/abc * * * (non-numeric step on a range)
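An added example, not Docksentry's own code: a save-time validator for five-field cron expressions that returns an error message for the three inputs listed above instead of letting them reach the scheduler. The function names and the accepted grammar (numbers, `*`, ranges, lists and steps only; no month or weekday names, no `@daily` shortcuts) are assumptions.

```python
# Added example: save-time validation of a 5-field cron expression.
# Field bounds are standard cron; all function names are hypothetical.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day-of-month", 1, 31),
          ("month", 1, 12), ("day-of-week", 0, 7)]


def _to_int(token, name):
    # str.isdigit() alone accepts some non-ASCII digits; restrict to ASCII.
    if not (token.isascii() and token.isdigit()):
        raise ValueError(f"{name}: {token!r} is not a number")
    return int(token)


def _check_part(part, name, lo, hi):
    # A part is "*", "N", "N-M", optionally followed by "/step".
    base, sep, step = part.partition("/")
    if sep and _to_int(step, name) < 1:
        raise ValueError(f"{name}: step must be >= 1")
    if base == "*":
        return
    start, dash, end = base.partition("-")
    first = _to_int(start, name)
    last = _to_int(end, name) if dash else first
    if not (lo <= first <= last <= hi):
        raise ValueError(f"{name}: {base!r} is outside {lo}-{hi}")


def validate_cron(expr):
    """Return None if expr is valid, otherwise an error message for the UI."""
    fields = expr.split()
    if len(fields) != len(FIELDS):
        return f"expected 5 fields, got {len(fields)}"
    try:
        for field, (name, lo, hi) in zip(fields, FIELDS):
            for part in field.split(","):
                _check_part(part, name, lo, hi)
    except ValueError as exc:
        return str(exc)
    return None
```

Calling the validator in the save handler and refusing to persist the setting when it returns a message keeps a malformed schedule from ever being loaded by the scheduler thread.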
Upgrade
docker pull amayer1983/docksentry:latest
docker compose up -d
No configuration changes required.