🔒 Security Fixes
- cryptography 46.0.3 - Fixes 2 CVEs (vulnerable OpenSSL in wheels)
- bcrypt password hashing - Replaced SHA-256 with bcrypt (resistant to GPU/ASIC attacks)
- Secure session cookies - Added secure=auto, samesite=Strict flags
- CORS restrictions - Configurable via CORS_ORIGINS environment variable
- Brute-force protection - Login rate limiting (5 attempts/minute with Retry-After header)
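
One way to implement the login rate limit listed above (5 attempts per minute, with a Retry-After header on rejection), as an added example that is not this project's code. The sliding-window approach, the per-client key, and the names `LoginRateLimiter` and `login_response` are assumptions made for illustration.

```python
import math
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5      # from the release note: 5 attempts
WINDOW_SECONDS = 60   # ... per minute


class LoginRateLimiter:
    """Sliding-window limiter keyed by client (hypothetical name, not the project's)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable so the limiter can be tested
        self._attempts = defaultdict(deque)   # key -> timestamps of counted attempts

    def check(self, key):
        """Record an attempt and return (allowed, retry_after_seconds)."""
        now = self.clock()
        attempts = self._attempts[key]
        # Drop attempts that have aged out of the window.
        while attempts and now - attempts[0] >= self.window:
            attempts.popleft()
        if len(attempts) >= self.max_attempts:
            # Rejected attempts are not recorded, so the block lifts when the
            # oldest counted attempt expires instead of being extended forever.
            retry_after = math.ceil(attempts[0] + self.window - now)
            return False, max(retry_after, 1)
        attempts.append(now)
        return True, 0


def login_response(limiter, client_key, password_ok):
    """Return (status, headers). The limit is checked before the password,
    so a blocked client learns nothing about whether its guess was right."""
    allowed, retry_after = limiter.check(client_key)
    if not allowed:
        return 429, {"Retry-After": str(retry_after)}
    return (200, {}) if password_ok else (401, {})
```

This in-memory version only covers a single process; behind multiple workers the counters would need a shared store.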
🔧 Code Quality Improvements
- New constants.py module with CERTIFICATE_FILES tuple and get_domain_name() helper
- Replaced bare except: clauses with specific exception handling
- Added input validation for days_valid (1-3650 days) and common_name (max 64 chars)
📚 Documentation
- Added SAN (Subject Alternative Names) certificates API documentation
- Security comments in .gitignore
✅ Tests
- All 32 tests pass
- No regressions