Three changes bundled.
1. Kobo multi-device sync no longer hides books on additional devices (#213)
Backport of crocodilestick/Calibre-Web-Automated#1351 by @raphi011.
Symptom: If you had two Kobo devices on the same Calibre-Web account, books synced on one device would become invisible to the others. Specifically: once any one of your devices had synced a book, subsequent sync responses to other devices on the same account would silently exclude that book.
Cause: HandleSyncRequest was filtering changed entries through the user-keyed KoboSyncedBooks table. Per-device sync state already lives in the x-kobo-synctoken cursor (the last_modified timestamp comparisons in the same query), so the user-keyed filter was both wrong and redundant. There was also a related bug: injecting magic-shelf membership into the inner OR bypassed the timestamp cursor and produced an infinite cont_sync loop on paginated sync.
Fix: Removed the KoboSyncedBooks filter and the magic-shelf inner injection. Magic-shelf membership is still correctly enforced by the OUTER filter (kobo_sync shelf OR magic-shelf) further down.
2. serve_book defense-in-depth response headers (#214)
Backport of janeczku/calibre-web#3624 by @jvoisin (c784149d).
serve_book returns the raw book file at /show/<book_id>/<book_format>. The PDF/generic response path now sets three defense-in-depth headers:
Content-Disposition: inline
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'none'; object-src 'none'
Together they prevent browsers from MIME-sniffing book content into an executable type or running inline scripts when rendering a hostile book payload inline. No known exploit shipped against Calibre-Web users; the headers cost nothing and close a class of attacks. The upstream PR has been sitting open ~31 days waiting for janeczku's release cycle. New tests/unit/test_serve_book_security_headers.py source-pins all three header assignments so a refactor can't silently drop them.
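To confirm the headers on a running instance, an operator can audit the response headers returned for /show/<book_id>/<book_format>. The following is an added example, not the project's test file or code; the function names and both sample header sets are constructed for illustration.

```python
"""Audit a serve_book response for the three hardening headers (added example)."""

# Directive values as listed in the release notes above.
REQUIRED_CSP = {"script-src": "'none'", "object-src": "'none'"}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # In CSP the first occurrence of a directive wins; duplicates are ignored.
        policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means all three headers match."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    disposition = h.get("content-disposition", "")
    if disposition.split(";")[0].strip().lower() != "inline":
        findings.append("Content-Disposition is not 'inline'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = parse_csp(h.get("content-security-policy", ""))
    for directive, wanted in REQUIRED_CSP.items():
        # Extra sources next to 'none' (e.g. 'unsafe-inline') also count as a miss.
        if csp.get(directive) != [wanted]:
            findings.append(f"CSP {directive} is not {wanted}")
    return findings


# Constructed sample responses (not captured from a real server).
HARDENED = {
    "Content-Type": "application/pdf",
    "Content-Disposition": "inline",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'none'; object-src 'none'",
}
UNHARDENED = {"Content-Type": "application/pdf"}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit_headers(sample) or "ok")
```

The header dict can come from any HTTP client; only the header names and values listed in this release are checked.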
3. "Apply Default Settings" admin button is now red (#209)
Community contribution from @RichardGubijev.
One-line CSS class swap in cps/templates/cwa_settings.html:1218: btn-default (grey) → btn-danger (red). Reporter's rationale: they'd hit the destructive button by accident multiple times while looking for the "Submit" button next to it. The red colour matches the existing convention used by Restore Calibre Database and other destructive admin actions. Button position preserved (some users have muscle memory for the current layout).
Drop-in image: ghcr.io/new-usemame/calibre-web-nextgen:latest (multi-arch — linux/amd64 + linux/arm64) — same docker-compose.yml, swap the image line, restart. Tracker if anything's still broken: https://github.com/new-usemame/Calibre-Web-NextGen/issues.