·
96 commits
to main
since this release
Immutable
release. Only release title and notes can be modified.
What's Changed
Security Fixes
- fix(security): add ReferrerPolicy header for CSRF validation - Browsers were not sending Referer header required by Fiber's CSRF middleware, causing "referer not supplied" validation failures on HTTPS
- fix(security): remove Cross-Origin-Embedder-Policy header - The default COEP header was breaking browser extensions like Bitwarden
Developer Experience
- chore: migrate dev tools to go tool directive - Dev tools (templ, golangci-lint, goimports, gofumpt) now use Go 1.24+ tool directives for version-locked consistency