- Implemented CertificateExportDialog for exporting certificates in various formats (PEM, PFX, DER) with options to include private keys and set passwords.
- Created CertificateUploadDialog for uploading certificates, including validation and support for multiple file types (certificates, private keys, chain files).
- Updated DeleteCertificateDialog to use 'domains' instead of 'domain' for consistency.
- Refactored BulkDeleteCertificateDialog and DeleteCertificateDialog tests to accommodate changes in certificate structure.
- Added FileDropZone component for improved file upload experience.
- Enhanced translation files with new keys for certificate management features.
- Updated Certificates page to utilize the new CertificateUploadDialog and clean up the upload logic.
- Adjusted Dashboard and ProxyHosts pages to reflect changes in certificate data structure.
- Added guidance for Docker socket group access in docker-compose files.
- Introduced docker-compose.override.example.yml for supplemental group configuration.
- Improved entrypoint diagnostics to include socket GID and group guidance.
- Updated README with instructions for setting up Docker socket access.
- Enhanced backend error handling to provide actionable messages for permission issues.
- Updated frontend components to display troubleshooting information regarding Docker socket access.
- Added tests to ensure proper error messages and guidance are rendered in UI.
- Revised code coverage settings to include Docker service files for better regression tracking.
- Updated test scripts in package.json to set NODE_OPTIONS for increased memory limit.
- Added safety checks for remote servers and domains in ProxyHostForm component to prevent errors.
- Refactored Notifications tests to remove unnecessary use of fake timers and improve clarity.
- Updated ProxyHosts extra tests to specify button names for better accessibility.
- Enhanced Security functional tests by centralizing translation strings and improving mock implementations.
- Adjusted test setup to suppress specific console errors related to act() warnings.
- Modified vitest configuration to limit worker usage and prevent memory issues during testing.
- Removed unnecessary test.skip() calls in various test files, replacing them with comments for clarity.
- Enhanced retry logic in TestDataManager for API requests to handle rate limiting more gracefully.
- Updated security helper functions to include retry mechanisms for fetching security status and setting module states.
- Improved loading completion checks to handle page closure scenarios.
- Adjusted WebKit-specific tests to run in all browsers, removing the previous skip logic.
- General cleanup and refactoring across multiple test files to enhance readability and maintainability.
- Added IDs to input fields in CrowdSecConfig for better accessibility.
- Updated labels to use <label> elements for checkboxes and inputs.
- Improved error handling and user feedback in the CrowdSecConfig tests.
- Enhanced test coverage for console enrollment and banned IP functionalities.
fix: Update SecurityHeaders to include aria-label for delete button
- Added aria-label to the delete button for better screen reader support.
test: Add comprehensive tests for proxyHostsHelpers and validation utilities
- Implemented tests for formatting and help text functions in proxyHostsHelpers.
- Added validation tests for email and IP address formats.
chore: Update vitest configuration for dynamic coverage thresholds
- Adjusted coverage thresholds to be dynamic based on environment variables.
- Included additional coverage reporters.
chore: Update frontend-test-coverage script to reflect new coverage threshold
- Increased minimum coverage requirement from 85% to 87.5%.
fix: Ensure tests pass with consistent data in passwd file
- Updated tests/etc/passwd to ensure consistent content.
Aborted interactive rebase that caused repetitive conflict resolution
Restored manual fixes for ProxyHostForm z-index issues
Restored manual fixes for CrowdSecConfig JSX syntax
Updated .version to v0.18.13 to match git tag
Validated all changes with full pre-commit suite
Corrected JSX syntax errors in CrowdSecConfig and ProxyHostForm
Refactored ProxyHostForm to use shadcn Dialog, fixing z-index issues and unclickable modals
Removed duplicate logic blocks causing YAML errors in crowdsec-integration and e2e-tests workflows
Synced .version file with current git tag to satisfy validation checks
Restructure 7 modal components to use 3-layer architecture preventing
native select dropdown menus from being blocked by modal overlays.
Components fixed:
- ProxyHostForm: ACL selector and Security Headers dropdowns
- User management: Role and permission mode selection
- Uptime monitors: Monitor type selection (HTTP/TCP)
- Remote servers: Provider selection dropdown
- CrowdSec: IP ban duration selection
The fix separates modal background overlay (z-40) from form container
(z-50) and enables pointer events only on form content, allowing
native dropdown menus to render above all modal layers.
Resolves user inability to select security policies, user roles,
monitor types, and other critical configuration options through
the UI interface.
- Add `detectDNSProvider` and `getDetectionPatterns` functions in `dnsDetection.ts` for API interaction.
- Create `DNSDetectionResult` component to display detection results and suggested providers.
- Integrate DNS detection in `ProxyHostForm` with automatic detection for wildcard domains.
- Implement hooks for DNS detection: `useDetectDNSProvider`, `useCachedDetectionResult`, and `useDetectionPatterns`.
- Add tests for DNS detection functionality and components.
- Update translations for DNS detection messages.
- Implement DNSProviderCard component for displaying individual DNS provider details.
- Create DNSProviderForm component for adding and editing DNS providers.
- Add DNSProviderSelector component for selecting DNS providers in forms.
- Introduce useDNSProviders hook for fetching and managing DNS provider data.
- Add DNSProviders page for listing and managing DNS providers.
- Update layout to include DNS Providers navigation.
- Enhance UI components with new badge styles and improved layouts.
- Add default provider schemas for various DNS providers.
- Integrate translation strings for DNS provider management.
- Update Vite configuration for improved chunking and performance.
- Apply URL validation using security.ValidateWebhookURL() to all webhook
HTTP request paths in notification_service.go
- Block private IPs (RFC 1918), cloud metadata endpoints, and loopback
- Add comprehensive SSRF test coverage
- Add CodeQL VS Code tasks for local security scanning
- Update Definition of Done to include CodeQL scans
- Clean up stale SARIF files from repo root
Resolves CI security gate failure for CWE-918.
Add X-Real-IP, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port headers to all proxy hosts for proper client IP detection, HTTPS enforcement, and logging.
- New feature flag: enable_standard_headers (default: true for new hosts, false for existing)
- UI: Checkbox in proxy host form and bulk apply modal for easy migration
- Security: Always configure trusted_proxies when headers enabled
- Backward compatible: Existing hosts preserve legacy behavior until explicitly enabled
BREAKING CHANGE: New proxy hosts will have standard headers enabled by default. Existing hosts maintain legacy behavior. Users can opt-in via UI.
Backend: 98.7% coverage, 8 new tests
Frontend: 87.7% coverage, full TypeScript support
Docs: Comprehensive migration guide and troubleshooting
Closes #<issue-number> (FileFlows WebSocket fix)
- Add new API-Friendly preset (70/100) optimized for mobile apps and API clients
- CORP set to "cross-origin" to allow mobile app access
- CSP disabled as APIs don't need content security policy
- Add tooltips to preset cards explaining use cases and compatibility
- Add warning banner in ProxyHostForm when Strict/Paranoid selected
- Warn users about mobile app compatibility issues
Presets now: Basic (65) < API-Friendly (70) < Strict (85) < Paranoid (100)
Recommended for: Radarr, Sonarr, Plex, Jellyfin, Home Assistant, Vaultwarden
- Add diagnostic logging to track security_header_profile_id conversions
- Replace silent failures with explicit HTTP 400 error responses
- Fix ProxyHostService.Update to properly handle nullable foreign keys
- Fix frontend dropdown to use explicit null checks (no falsy coercion)
- Add 7 comprehensive tests for profile assignment edge cases
Root cause: Backend handler had no else clause for type conversion failures,
causing old values to persist. Fixed by adding logging, error handling, and
changing service layer from Updates() to Select("*") for nullable FKs.
Refs: #<issue_number_if_applicable>
Implement complete workflow for assigning security header profiles
to proxy hosts via dropdown selector in ProxyHostForm.
Backend Changes:
- Add security_header_profile_id handling to proxy host update endpoint
- Add SecurityHeaderProfile preloading in service layer
- Add 5 comprehensive tests for profile CRUD operations
Frontend Changes:
- Add Security Headers section to ProxyHostForm with dropdown
- Group profiles: System Profiles (presets) vs Custom Profiles
- Remove confusing "Apply" button from SecurityHeaders page
- Rename section to "System Profiles (Read-Only)" for clarity
- Show security score inline when profile selected
UX Improvements:
- Clear workflow: Select profile → Assign to host → Caddy applies
- No more confusion about what "Apply" does
- Discoverable security header assignment
- Visual distinction between presets and custom profiles
Tests: Backend 85.6%, Frontend 87.21% coverage
Docs: Updated workflows in docs/features.md
- Created `qa-test-output-after-fix.txt` and `qa-test-output.txt` to log results of certificate page authentication tests.
- Added `build.sh` for deterministic backend builds in CI, utilizing `go list` for efficiency.
- Introduced `codeql_scan.sh` for CodeQL database creation and analysis for Go and JavaScript/TypeScript.
- Implemented `dockerfile_check.sh` to validate Dockerfiles for base image and package manager mismatches.
- Added `sourcery_precommit_wrapper.sh` to facilitate Sourcery CLI usage in pre-commit hooks.
- Introduced isolated coverage tests for ProxyHosts with various scenarios including rendering, bulk apply, and link behavior.
- Enhanced existing ProxyHosts coverage tests to include additional assertions and error handling.
- Added tests for Uptime component to verify rendering and monitoring toggling functionality.
- Created utility functions for setting labels and help texts related to proxy host settings.
- Implemented bulk settings application logic with progress tracking and error handling.
- Added toast utility tests to ensure callback functionality and ID incrementing.
- Improved type safety in test files by using appropriate TypeScript types.
- Added API integration for access lists including listing, creating, updating, deleting, and testing IPs against access lists.
- Created AccessListForm component for creating and editing access lists with validation.
- Developed AccessListSelector component for selecting access lists with detailed display of selected ACL.
- Implemented hooks for managing access lists and handling API interactions.
- Added tests for AccessListSelector and useAccessLists hooks to ensure functionality.
- Enhanced AccessLists page with UI for managing access lists, including create, edit, delete, and test IP features.
- Deleted `useSecurity.ts` hook which managed authentication users, providers, and policies.
- Removed `Policies.tsx`, `Providers.tsx`, and `Users.tsx` pages that utilized the above hook.
- Cleaned up the `index.tsx` file in the Security section to remove references to the deleted pages.
- Updated mock data by removing unused properties related to forward authentication.
- Introduced ForwardAuthConfig model to store global forward authentication settings.
- Updated Manager to fetch and apply forward authentication configuration.
- Added ForwardAuthHandler to create a reverse proxy handler for authentication.
- Enhanced ProxyHost model to include forward authentication options.
- Created Security page and ForwardAuthSettings component for managing authentication settings.
- Implemented API endpoints for fetching and updating forward authentication configuration.
- Added tests for new functionality including validation and error handling.
- Updated frontend components to support forward authentication settings.
