| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2026-06-03 | fix: add CSRF and WebSocket origin protection to Claudomator proxy | Peter Stone | |
| Token-based CSRF is impractical for a reverse proxy whose UI doesn't know Doot's session tokens, so state-changing requests to /claudomator/* are now validated against the configured WebAuthn origin via Origin/Referer header. WebSocket upgrades reject mismatched or missing Origin headers before hijacking the connection. Both checks are no-ops when WebAuthnOrigin is unset (local dev). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | |||
| 2026-03-25 | feat: gate Claudomator UI behind Doot session auth via reverse proxy | Doot Agent | |
| Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> | |||
