
jonradoff/lightcms

v4.2.0 Security

This release includes 3 security fixes of interest to security teams reviewing exposed deployments.

Published 2mo ago · Productivity & Wikis
✓ No known CVEs patched
This release patches 3 known CVEs

Topics

agentic-workflow content-management-system mcp website-development websites

Affected surfaces

auth rbac

Summary

AI summary

Added a configurable AI chat widget and eight fork workspace management tools.

Full changelog

What's New in v4.2.0

AI Chat Widget

Add a floating AI assistant to any page with a single <script> tag. Visitor queries run a two-phase pipeline: hybrid semantic+fulltext search retrieves relevant excerpts, then Claude Haiku synthesizes a conversational answer streamed live via SSE. Works without an Anthropic key as a pure search experience. Fully configurable from the admin panel — title, colors, position, prompt templates, rate limits.

Fork MCP Tools (8 new tools → 72 total)

Eight dedicated tools for fork workspace management: list_forks, create_fork, get_fork, fork_page, remove_fork_page, merge_fork, archive_fork, delete_fork. Forks let you stage and preview sets of page edits before merging to live.

Security Hardening

  • SecurityHeaders middleware: CSP (path-aware admin vs. public policy), HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • SESSION_SECRET enforced at 32+ characters; server refuses to start with a weak secret
  • Trusted proxy config: TrustFlyProxy reads the unspoofable Fly-Client-IP header in cloud deployments
  • Chat endpoint: separate per-IP (5/min) and global (30/min) rate limiters, prompt injection defense
  • API body size cap on all endpoints

Performance

  • Optimized content query paths
  • Bulk content operations (up to 100 pages per call)
  • export_content for transform/re-import pipelines

Previous release: v1.1 · Full changelog: CHANGELOG.md

Security Fixes

  • `SecurityHeaders` middleware adds CSP, HSTS, X-Frame-Options, Referrer-Policy
  • `SESSION_SECRET` now required to be at least 32 characters; server refuses start with weak secret
  • Chat endpoint includes per-IP (5/min) and global (30/min) rate limiters plus prompt injection defense
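An added example, not code from lightcms, showing how the two chat limits listed here and in the Security Hardening section (5/min per IP, 30/min global) can be enforced together, and why the per-IP bucket depends on the trusted-proxy client IP also listed there. The names `ChatRateLimiter` and `clientIp` and the header spelling are assumptions, not the project's API.

```javascript
// Added example (not lightcms code). Fixed-window limiter with the two budgets
// the changelog lists for the chat endpoint, plus trusted-proxy IP derivation.
const WINDOW_MS = 60_000;

// Only honour Fly-Client-IP when the deployment declared the proxy trusted;
// otherwise a caller could set the header and pick its own per-IP bucket.
function clientIp(headers, remoteAddr, trustFlyProxy) {
  const fly = headers['fly-client-ip'];
  return trustFlyProxy && typeof fly === 'string' && fly.length > 0 ? fly : remoteAddr;
}

class ChatRateLimiter {
  constructor({ perIp = 5, global = 30, now = Date.now } = {}) {
    this.perIp = perIp;
    this.global = global;
    this.now = now;               // injectable clock so the window is testable
    this.ipWindows = new Map();   // ip -> { start, count }; prune idle entries in production
    this.globalWindow = { start: 0, count: 0 };
  }

  // Reset a window when its minute has elapsed.
  _slot(win, t) {
    if (t - win.start >= WINDOW_MS) { win.start = t; win.count = 0; }
    return win;
  }

  // Returns 'ok', 'ip' (per-IP limit hit) or 'global' (shared limit hit).
  // Both checks run before either counter is incremented, so a rejected
  // request never consumes budget that other visitors could have used.
  check(ip) {
    const t = this.now();
    let ipWin = this.ipWindows.get(ip);
    if (!ipWin) { ipWin = { start: t, count: 0 }; this.ipWindows.set(ip, ipWin); }
    this._slot(ipWin, t);
    this._slot(this.globalWindow, t);
    if (ipWin.count >= this.perIp) return 'ip';
    if (this.globalWindow.count >= this.global) return 'global';
    ipWin.count += 1;
    this.globalWindow.count += 1;
    return 'ok';
  }
}
```

A request that returns 'ip' or 'global' should be answered with a 429 before any search or model call is made, so the rejected traffic costs no retrieval or Anthropic quota.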


About jonradoff/lightcms

AI-native CMS with 72 MCP tools for managing websites through natural language. Create and publish content, manage templates, assets, snippets, themes, collections, redirects, and multi-site forks — with full content versioning and semantic search.

