- Remove send-path keyword blocklist that silently rejected legitimate
messages (e.g. "constructor", "global", "document.", literal "javascript:")
without adding protection. XSS is enforced at the rendering boundary by the
receive-side DOMPurify pass and by sanitizeMessage() before encryption.
- Preserve newlines/tabs/indentation in _sanitizeInputString; stop collapsing
all whitespace, which destroyed multi-line messages and code snippets.
- Stop logging raw AAD (sessionId + keyFingerprint) on validation failure;
log length only, in both message and file-message AAD validators.
- Add Strict-Transport-Security (2y + preload) and Permissions-Policy
(camera=self for QR, rest denied) to nginx.conf and .htaccess.
- Add tests/outgoing-message-integrity.test.mjs regression suite.
- nginx: asset extensions use try_files $uri =404 so a missing file (e.g.
config/ice-servers.js) no longer serves index.html with the wrong content type
- add config/ice-servers.prod.js (public STUN, no secrets); Dockerfile copies it
to the git-ignored config/ice-servers.js so the operator-override path exists
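
The first two items above, as an added example that is not code from this commit or the project: a send-path filter with the described keyword blocklist and whitespace collapsing, next to a sanitizer that strips only control characters and leaves markup handling to the rendering boundary. All function names, the length limit and the sample messages are assumptions; `escapeForHtml` is an offline stand-in for the receive-side DOMPurify pass.

```javascript
// Added example. Hypothetical names; only the four keywords come from the commit message.
const BLOCKLIST = ['constructor', 'global', 'document.', 'javascript:'];

// "Before" behaviour as the commit message describes it:
// reject on keyword match, then collapse every whitespace run.
function legacySendFilter(text) {
  const lower = text.toLowerCase();
  if (BLOCKLIST.some((kw) => lower.includes(kw))) return null; // silently rejected
  return text.replace(/\s+/g, ' ').trim();
}

// "After" behaviour: normalise line endings and drop control characters
// other than \t and \n. No keyword matching; indentation is untouched.
function sanitizePreservingWhitespace(text, maxLength = 4096) { // limit is an assumption
  if (typeof text !== 'string') throw new TypeError('message must be a string');
  const cleaned = text
    .replace(/\r\n?/g, '\n')
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, '');
  if (cleaned.length > maxLength) throw new RangeError('message too long');
  return cleaned;
}

// Rendering boundary: markup is neutralised where the text meets the DOM,
// so the send path has no reason to guess at "dangerous" words.
function escapeForHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample messages a user could legitimately send.
const SAMPLES = [
  'class A {\r\n\tconstructor() {}\r\n}\u0000',
  'line one\n    indented',
  'The global outage is over <b>now</b>',
];

// Compare what each path hands to encryption, and what the receiver renders.
function compare(samples = SAMPLES) {
  return samples.map((msg) => {
    const after = sanitizePreservingWhitespace(msg);
    return { before: legacySendFilter(msg), after, rendered: escapeForHtml(after) };
  });
}

console.log(compare());
```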