Release Notes - v0.10.1-alpha
A security-hardening release. Upgrading is recommended for all deployments. It is backwards compatible with the v0.10.x line and involves no database migrations. There are no functional changes to recording, transcription, or summarization.
Session and token security
- The insecure built-in secret key is no longer used. Previous versions fell back to a hardcoded, publicly known key when
SECRET_KEYwas unset. That key signs session cookies and password-reset tokens, so any deployment that never setSECRET_KEYcould have its cookies and reset links forged. The application now refuses that default and, whenSECRET_KEYis unset, generates a strong random key on first start and persists it under the instance directory (captured by a normal data-volume backup). SettingSECRET_KEYexplicitly is still recommended for multi-host deployments and key rotation; see the installation guide. The key does not encrypt stored data, so upgrading only requires users to log in again once. - Password-reset links are single-use. Reset tokens are now bound to server-side state, so a used or superseded link is rejected immediately instead of remaining valid for its full lifetime. Changing the password also invalidates any outstanding reset link.
Response headers and content security
- Security headers are set by the application.
X-Frame-Options,X-Content-Type-Options,Referrer-Policy,Permissions-Policy, aContent-Security-Policy, and (over HTTPS)Strict-Transport-Securityare now emitted on every response, so a deployment without a hardening reverse proxy is still protected. These can be tuned or disabled withSECURITY_HEADERS_ENABLED,CONTENT_SECURITY_POLICY, andHSTS_HEADER. - Markdown-rendered content is sanitized. Chat answers, Inquire answers, and admin banner/disclaimer text are sanitized with DOMPurify before display, so HTML embedded in model output or settings cannot execute in the browser.
- Third-party CDN dependencies removed. Chart.js (admin dashboard) and DOMPurify are now bundled locally with the other vendored assets instead of being loaded from a third-party CDN at runtime.
Access control
- The admin user list no longer over-shares. A group administrator who is not a site administrator now sees only the members of the groups they administer, rather than the entire user directory.
- Bulk tagging enforces group membership. Applying a group tag to multiple recordings now requires membership in that tag's group, matching the single-tag endpoints.
- Logout is CSRF-protected. Signing out is now a POST action, so a cross-site request can no longer force a logout.
Configuration
New optional environment variables, all with safe defaults:
| Variable | Default | Purpose |
|---|---|---|
SECURITY_HEADERS_ENABLED
| true
| Set false if your reverse proxy already sets all security headers.
|
CONTENT_SECURITY_POLICY
| built-in policy | Override the entire Content-Security-Policy. |
HSTS_HEADER
| max-age=63072000; includeSubDomains
| Tune or disable (empty string) the HSTS header. |
SECRET_KEY_FILE
| (derived) | Path to the persisted auto-generated key, if you want to relocate it. |
Compatibility
Backwards compatible with the v0.10.x line; no database migrations. On first start after upgrade, deployments that never set SECRET_KEY will generate and persist one automatically, which logs existing users out once. To avoid the one-time re-login and to control the key across hosts, set SECRET_KEY explicitly before upgrading.