
TREK

v2.5.1 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 2 months ago (category: Productivity & Wikis)
✓ No known CVEs patched
This release patches 4 known CVEs

Topics

budget-tracker collaborative opensource packing-list poi real-time routes self-hosted travel travel-app travel-planner traveling trip trip-planner wanderlog wanderlust webapplication

Affected surfaces

auth rce_ssrf

Summary

AI summary

Critical crash during backup restore fixed, ensuring DB connection always reopens.

Full changelog

Security Hardening

  • JWT Secret: Empty default in docker-compose so auto-generation kicks in (prevents predictable secrets)
  • OIDC: Token passed via URL fragment instead of query param (no longer in server logs/browser history)
  • SVG Upload blocked: Photos, files and covers now reject SVG uploads (stored XSS prevention)
  • Helmet: Added security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
  • Body limit: Explicit 100kb JSON body size limit
  • XSS fix: Escaped image_url in Leaflet map marker HTML
  • WebSocket: Removed verbose debug logging from client
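Two of the items above, the SVG upload block and the escaped image_url in the Leaflet marker HTML, as an added Node.js example that is not TREK's own code; the helper names and the sample upload are constructed, and the marker helper goes one step beyond the changelog entry by also accepting only http(s) image URLs:

```javascript
// Upload guard: the declared mimetype and the filename both come from the
// client, so the file's first bytes are sniffed as well.
const SVG_EXTENSIONS = new Set(['.svg', '.svgz']);
function extensionOf(filename) {
  const dot = filename.lastIndexOf('.');
  return dot === -1 ? '' : filename.slice(dot).toLowerCase();
}

function looksLikeSvg(buffer) {
  // Look at the first KiB only: drop a UTF-8 BOM and leading whitespace, then
  // peel off XML prolog, comments and DOCTYPE until the root element is exposed.
  let text = buffer.toString('utf8', 0, Math.min(buffer.length, 1024));
  text = text.replace(/^\uFEFF/, '').trimStart();
  let before;
  do {
    before = text;
    text = text.replace(/^(<\?xml[^>]*\?>|<!--[\s\S]*?-->|<!DOCTYPE[^>]*>)\s*/i, '');
  } while (text !== before);
  return /^<svg[\s>]/i.test(text);
}

function isSvgUpload({ filename, mimetype, buffer }) {
  if (SVG_EXTENSIONS.has(extensionOf(filename))) return true;
  if (/^image\/svg\+xml\b/i.test(mimetype || '')) return true;
  return looksLikeSvg(buffer);
}

// Marker HTML: escape every value interpolated into markup and, going one step
// beyond plain escaping, allow only http(s) URLs as the image source.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function markerPopupHtml(imageUrl) {
  let safeUrl = '';
  try {
    const parsed = new URL(imageUrl);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') safeUrl = parsed.href;
  } catch {
    // Not an absolute URL: render no image rather than an unchecked string.
  }
  return safeUrl ? `<img src="${escapeHtml(safeUrl)}" alt="">` : '';
}

// Constructed sample: an SVG carrying a script, uploaded under a PNG name and mimetype.
const disguised = { filename: 'photo.png', mimetype: 'image/png',
  buffer: Buffer.from('<?xml version="1.0"?>\n<!-- c -->\n<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>') };
```

Checking only the extension or the declared mimetype would have let the constructed sample through; the content sniff is what rejects it.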

Backup Restore Fix

  • Critical: Fixed permanent server crash after backup restore — DB connection now always reopens via try/finally
  • EBUSY fix: Uploads restored in-place instead of rmSync (which failed because express.static held the directory)
  • DB proxy: Added null guard for clearer error messages during restore window

Restore Warning Modal

  • Red warning popup before restoring a backup (replaces browser confirm())
  • Explains that all data will be permanently replaced
  • Tip to create a backup before restoring
  • Supports DE/EN and dark mode

Demo Banner

  • Fixed i18n for demo login button (was hardcoded German)
  • Fixed icon alignment in addon list
  • Added addon management & OIDC to full version features

Security Fixes

  • SVG uploads now blocked to prevent stored XSS
  • OIDC token transmission moved from query param to URL fragment (no longer logged)
  • Helmet middleware added providing HSTS, X-Frame-Options, nosniff headers
  • JWT secret defaults removed; empty default forces auto-generation


About TREK

Real-time collaborative travel planner
