
Version 1.2.0 Release Notes

This release contains minor security and bug fixes.

Bug Fixes

Typo in graph labels

EBITDA had been mis-typed as EBTIDA in some static text.

Security Fixes

The following security fixes were implemented in this release.

JSON Web Token Signature

We improved our verification of the token payload.

HMAC Secret

We increased the complexity of the HMAC secret.

Mass Assignment

The /users endpoint was modified to prevent malicious users from altering additional fields.

Reset Password Token Expiry

We have reduced the expiry timeout on reset password tokens to 48 hours.

Cross-origin Resource Sharing: Arbitrary Origin Low Trusted

Browsers are now instructed to trust only same-origin responses, to prevent theoretical exploits such as framing the Wiserfunding portal inside another website.

Clickjacking: X-Frame-Options Header Missing

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Content Security Policy (CSP)

Content Security Policy (CSP) is an added layer of security that helps browsers to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. The policy tells the browser what resources it is allowed to load for that page.

Referrer Policy Header Missing

Referrer Policy controls the behaviour of the Referer header, which indicates the origin or web page URL from which the request was made. The Referrer-Policy header helps browsers avoid leaking user information to third-party sites.

X-XSS-Protection Header Missing

The HTTP X-XSS-Protection response header controls the XSS auditor built into some browsers; it allows websites to disable that auditor, which could itself be abused in a Cross-Site Scripting (XSS) attack.
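As an added example (not the platform's own code), the following Python check inspects a response's headers for the items these notes describe: anti-framing, CSP, Referrer-Policy, X-XSS-Protection and CORS origin trust. The sample header values are constructed, and the accepted policy values are assumptions.

```python
"""Check an HTTP response's headers against the hardening items in these
release notes. Added example, not Wiserfunding platform code; the sample
header values are constructed and the policy thresholds are assumptions."""

def check_security_headers(headers, request_origin=None):
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Clickjacking: framing must be denied or limited to the same origin.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # CSP: must exist; frame-ancestors is the modern anti-framing control.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "frame-ancestors" not in csp:
        findings.append("Content-Security-Policy lacks frame-ancestors")

    # Referrer-Policy: must exist; unsafe-url still leaks the full URL.
    rp = h.get("referrer-policy", "").lower()
    if not rp:
        findings.append("Referrer-Policy missing")
    elif rp == "unsafe-url":
        findings.append("Referrer-Policy is unsafe-url")

    # X-XSS-Protection: legacy header; "0" disables the browser auditor.
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing")

    # CORS: a wildcard, or echoing whatever Origin the caller sent, lets any
    # site read the response. Same-origin-only means no ACAO header at all.
    acao = h.get("access-control-allow-origin")
    if acao == "*" or (request_origin and acao == request_origin):
        findings.append("CORS trusts arbitrary origin: " + acao)
    return findings

# Constructed samples: a response before the fixes and one after them.
BEFORE = {"Content-Type": "text/html",
          "Access-Control-Allow-Origin": "https://other.example"}
AFTER = {"Content-Type": "text/html",
         "X-Frame-Options": "DENY",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
         "Referrer-Policy": "strict-origin-when-cross-origin",
         "X-XSS-Protection": "0"}
```

Run `check_security_headers(BEFORE, "https://other.example")` to see all five findings, and `check_security_headers(AFTER)` to confirm the hardened response passes.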