- Fix auth bypass in UpdatePost/DeletePost (missing return after auth check)
- Remove Spotify access token from callback response
- Replace internal error messages with generic responses in all handlers
- Harden GraphQL: complexity limit, disable playground/introspection in prod
- Add security headers (X-Frame-Options, HSTS, etc.) to nginx
- Disable Hasura console/dev mode in production
- Add DOMPurify sanitization to Markdown component
- Fix cookie removal to use correct domain/path from auth config
- Fix nil dereference in rowing handler when Claude API errors
- Fix wildcard CORS on stamp endpoint
- Pin nginx and certbot Docker image versions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds Hasura v2.44.0 service connected to the existing Postgres database,
proxied through nginx at /hasura/ with WebSocket support for the console.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add alt attributes, width/height for CLS, aria-labels, meta description,
preconnect hints, LCP fetchpriority, and sound/stamp cache headers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enable gzip compression in nginx, add cache-control headers for static assets,
convert fonts to WOFF2 with font-display swap, preload fonts, add lazy loading
to below-fold images, and remove unused font files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
