Skip to content

webpeel/webpeel

v0.21.87 Security

This release includes 5 security fixes for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 5 known CVEs

Topics

ai-agent ai-agents browser-automation claude-code codex content-extraction
+14 more
cursor firecrawl-alternative mcp mcp-server model-context-protocol llm screenshot structured-data token-efficiency typescript web-crawler web-data web-scraping web-search

Affected surfaces

auth rbac

Summary

AI summary

Helmet.js security headers, GDPR deletion endpoint, and audit logging harden the platform.

Full changelog

What's New

Security Hardening

  • Helmet.js security headers (HSTS, X-Frame-Options, nosniff, XSS protection)
  • GDPR data deletion endpoint (DELETE /v1/account)
  • Audit logging on all API endpoints
  • Webhook HMAC-SHA256 signing
  • X-Data-Retention header

Content Quality

  • Readability quality check — falls back when <15% of content extracted
  • HTML table preservation in markdown (Wikipedia, data pages)
  • AI summary quality boost (80→250 tokens, inline citations)
  • Turndown crash fix for malformed HTML tables

New Features

  • webpeel monitor CLI command (content change detection with diffs)
  • Device scale factor for crisp mobile screenshots
  • Search history in widget (localStorage)
  • 3 SEO blog posts (comparison, Amazon tutorial, price monitoring)

Infrastructure

  • Vercel Analytics on all 54 pages
  • Security page (/security) and SLA page (/sla)
  • Postman collection (10 endpoints)
  • Email alerts at 80%/90% quota usage
  • Anonymous search limit increased (3→10/day)

Bug Fixes

  • CLI screenshot routing (forced local browser for Amazon/eBay)
  • SearXNG port exposure fixed (bound to localhost)
  • SSH hardened (MaxAuthTries 3, LoginGraceTime 30s, Fail2Ban 24h bans)
  • Crawl speed improved (1000ms→500ms rate limit)

Security Fixes

  • Helmet.js adds HSTS, X-Frame-Options, nosniff, XSS protection headers
  • GDPR data deletion endpoint `DELETE /v1/account`
  • Audit logging on all API endpoints
  • Webhook HMAC-SHA256 signing
  • X-Data-Retention header
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track webpeel/webpeel

Get notified when new releases ship.

Sign up free

About webpeel/webpeel

Smart web fetcher for AI agents with auto-escalation from HTTP to headless browser to stealth mode. Includes 9 MCP tools: fetch, search, crawl, map, extract, batch, screenshot, jobs, and agent. Achieved 100% success rate on a 30-URL benchmark.

All releases →

Related context

Beta — feedback welcome: [email protected]