lilith-platform.live/users
Natalie 628efd58eb
fix(security): CSRF guard on the redroid loopback services
adb-keyboard (/text,/key inject keystrokes into the signed-in Android session) had
no origin/CSRF protection — while the SSH tunnel is up, any site open in the browser
could POST cross-origin as a CORS simple request and type into redroid. Now require
a non-foreign Origin AND Content-Type: application/json (cross-site can't set it
without a preflight we never grant); client sends the JSON header. Same guard added
to the mrnumber-ocr service (reject foreign Origin). Deployed to 45.55.191.82 +
verified: foreign-Origin and no-content-type POSTs → 403, legit → 200.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 09:48:18 -04:00
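The guard the commit message describes, as an added illustration that is not the project's code: a request is accepted only when any Origin it carries is on a loopback allowlist and its Content-Type is application/json, which a cross-site page cannot send without a CORS preflight the service never grants. The allowlist values, the function names and the decision to tolerate a missing Origin (browsers always attach one to cross-site POSTs, so only non-browser clients on the tunnel host omit it) are assumptions made for this example.

```python
from typing import Mapping, Optional, Tuple

# Constructed allowlist (assumption): the origins the browser client is served
# from while the SSH tunnel exposes the loopback services. Not the project's
# real configuration.
ALLOWED_ORIGINS = frozenset({
    "http://127.0.0.1:8080",
    "http://localhost:8080",
})

# Content types a browser may send cross-origin WITHOUT a CORS preflight
# (the "simple request" rules). This is the gap the old guard-less endpoint
# left open: a foreign page could POST one of these straight at the tunnel.
SIMPLE_REQUEST_TYPES = frozenset({
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
})


def _media_type(content_type: Optional[str]) -> str:
    """Bare media type, lower-cased, with parameters such as charset stripped."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def csrf_guard(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Decide whether a state-changing POST may reach the loopback service.

    Returns (status, reason). Header names are matched case-insensitively.
    Rule 1: a foreign Origin is rejected (a missing Origin is tolerated; see lead-in).
    Rule 2: Content-Type must be application/json; a cross-site page cannot set
            that header without a preflight, and preflight() below never grants one.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "foreign Origin"
    media = _media_type(lower.get("content-type"))
    if media != "application/json":
        if not media or media in SIMPLE_REQUEST_TYPES:
            return 403, "content type reachable without preflight"
        return 403, "unexpected content type"
    return 200, "ok"


def preflight(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Answer an OPTIONS preflight: foreign origins get no CORS grant at all.

    Returning no Access-Control-Allow-* headers makes the browser abort the
    real request, so a cross-site page can never get application/json through.
    """
    origin = {k.lower(): v for k, v in headers.items()}.get("origin")
    if origin in ALLOWED_ORIGINS:
        return 204, {"Access-Control-Allow-Origin": origin,
                     "Access-Control-Allow-Headers": "Content-Type"}
    return 403, {}


if __name__ == "__main__":
    # Constructed sample requests mirroring the commit's verification.
    samples = {
        "foreign-origin JSON POST": {"Origin": "https://evil.example",
                                     "Content-Type": "application/json"},
        "legit origin, no content type": {"Origin": "http://127.0.0.1:8080"},
        "legit origin, form POST": {"Origin": "http://127.0.0.1:8080",
                                    "Content-Type": "text/plain"},
        "legit origin, JSON POST": {"Origin": "http://127.0.0.1:8080",
                                    "Content-Type": "application/json; charset=utf-8"},
        "curl on the tunnel host": {"Content-Type": "application/json"},
    }
    for name, hdrs in samples.items():
        print(f"{name:32s} -> {csrf_guard(hdrs)}")
```

Note the media-type parsing: a browser or client may append `; charset=utf-8`, so the check compares the bare media type rather than the raw header string, while still refusing the three preflight-free types.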