2026-04-17 · Security
Compliance + security scaffolding
- Session tokens moved to HttpOnly cookies; no more localStorage token exposure.
- CSP + HSTS headers shipped.
- HIBP breach check on password creation, CSRF double-submit, webhook retry with exponential backoff.
- GDPR export + delete endpoints, destructive-operation friction, Dependabot, security.txt, subprocessors page.