Follow-ups from the cloud feature security review. None are blockers for shipping.
- Validate presigned URL hosts — Before PUT/GET, check that `upload_url`, `video_url`, and `metadata_url` point to expected storage hosts (defense in depth on top of API trust).
- Tighten drag-drop job ID handling — Drop the `text/plain` fallback in `readCloudJobDragId`; only accept the custom `application/x-replay-cloud-job` MIME type.
- Confirm IDOR protection — Every job list/load/delete/upload operation validates session ownership.
- CORS + cookies — Allow the GitHub Pages origin with credentials; same setup for SSE (`/events`).
- CSRF protection — Cookie-authenticated POST/DELETE endpoints are protected.
- Presigned URLs — Scoped, short-lived, and restricted to storage hosts only.
- Server-side upload limits — Enforce type, size, and duration limits matching the client (500 MB, 2 min, `.mp4`/`.mov`).
- Un-ignore `.env.local.example` — Add `!.env.local.example` to `.gitignore` so the dev setup doc can be committed without exposing secrets.
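One way to do the presigned URL host check from the first item, as an added example that is not the project's own code: the allow-listed host names and the job field names are assumptions, and the check is strict (https only, no credentials in the URL, no non-default port, exact host match rather than suffix match, since a suffix match would accept look-alike hosts).

```javascript
// Added example (not the project's code): allow-list check for presigned
// storage URLs before the client issues a PUT/GET. Host names below are
// constructed placeholders; replace them with the real bucket/CDN hosts.
const ALLOWED_STORAGE_HOSTS = [
  "replay-uploads.s3.amazonaws.com", // constructed example host
  "replay-videos.example-cdn.net",   // constructed example host
];

function isAllowedStorageUrl(value, allowedHosts = ALLOWED_STORAGE_HOSTS) {
  let url;
  try {
    url = new URL(String(value));
  } catch {
    return false; // unparsable (or missing) URL: reject
  }
  if (url.protocol !== "https:") return false;    // no http:, data:, javascript:
  if (url.username || url.password) return false; // no "allowed-host@evil" tricks
  if (url.port !== "") return false;              // default port only (":443" normalises to "")
  // URL lowercases the hostname; require an exact match so "allowed.host.evil.test"
  // and "allowed.host." (trailing dot) are both rejected.
  return allowedHosts.includes(url.hostname);
}

// Check the three URL fields of a job object; returns the names of fields
// that fail, so an empty array means every URL points at an expected host.
function validateJobUrls(job, allowedHosts = ALLOWED_STORAGE_HOSTS) {
  const bad = [];
  for (const field of ["upload_url", "video_url", "metadata_url"]) {
    if (!isAllowedStorageUrl(job[field], allowedHosts)) bad.push(field);
  }
  return bad;
}
```

Call `validateJobUrls(job)` on the API response before any fetch to the presigned URLs and refuse the job if the returned array is non-empty.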