github murtaza-nasir/speakr v0.10.1-alpha

2 hours ago

Release Notes - v0.10.1-alpha

A security-hardening release. Upgrading is recommended for all deployments. It is backwards compatible with the v0.10.x line and involves no database migrations. There are no functional changes to recording, transcription, or summarization.

Session and token security

  • The insecure built-in secret key is no longer used. Previous versions fell back to a hardcoded, publicly known key when SECRET_KEY was unset. That key signs session cookies and password-reset tokens, so any deployment that never set SECRET_KEY could have its cookies and reset links forged. The application now refuses that default and, when SECRET_KEY is unset, generates a strong random key on first start and persists it under the instance directory (captured by a normal data-volume backup). Setting SECRET_KEY explicitly is still recommended for multi-host deployments and key rotation; see the installation guide. The key does not encrypt stored data, so upgrading only requires users to log in again once.
  • Password-reset links are single-use. Reset tokens are now bound to server-side state, so a used or superseded link is rejected immediately instead of remaining valid for its full lifetime. Changing the password also invalidates any outstanding reset link.

Response headers and content security

  • Security headers are set by the application. X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, a Content-Security-Policy, and (over HTTPS) Strict-Transport-Security are now emitted on every response, so a deployment without a hardening reverse proxy is still protected. These can be tuned or disabled with SECURITY_HEADERS_ENABLED, CONTENT_SECURITY_POLICY, and HSTS_HEADER.
  • Markdown-rendered content is sanitized. Chat answers, Inquire answers, and admin banner/disclaimer text are sanitized with DOMPurify before display, so HTML embedded in model output or settings cannot execute in the browser.
  • Third-party CDN dependencies removed. Chart.js (admin dashboard) and DOMPurify are now bundled locally with the other vendored assets instead of being loaded from a third-party CDN at runtime.

Access control

  • The admin user list no longer over-shares. A group administrator who is not a site administrator now sees only the members of the groups they administer, rather than the entire user directory.
  • Bulk tagging enforces group membership. Applying a group tag to multiple recordings now requires membership in that tag's group, matching the single-tag endpoints.
  • Logout is CSRF-protected. Signing out is now a POST action, so a cross-site request can no longer force a logout.

Configuration

New optional environment variables, all with safe defaults:

Variable Default Purpose
SECURITY_HEADERS_ENABLED true Set false if your reverse proxy already sets all security headers.
CONTENT_SECURITY_POLICY built-in policy Override the entire Content-Security-Policy.
HSTS_HEADER max-age=63072000; includeSubDomains Tune or disable (empty string) the HSTS header.
SECRET_KEY_FILE (derived) Path to the persisted auto-generated key, if you want to relocate it.

Compatibility

Backwards compatible with the v0.10.x line; no database migrations. On first start after upgrade, deployments that never set SECRET_KEY will generate and persist one automatically, which logs existing users out once. To avoid the one-time re-login and to control the key across hosts, set SECRET_KEY explicitly before upgrading.

Don't miss a new speakr release

NewReleases is sending notifications on new releases.