Release v0.1.7 — Security Hardening (OWASP Top 10) · trydirect/status

🔒 Security Release

This release addresses 6 Critical and 5 High severity findings from a comprehensive OWASP Top 10 audit.

No default credentials — login disabled until STATUS_PANEL_USERNAME/PASSWORD are configured
Container & SSL routes require authentication — /restart, /stop, /pause, /enable_ssl, /disable_ssl
AGENT_ID enforced — API endpoints reject requests when AGENT_ID is unset
Secure session cookies — HttpOnly; Secure; SameSite=Strict
Certbot injection prevented — email/domain values validated against shell metacharacters
Daemon command validation — shell fallback now passes through CommandValidator
Session TTL — cleanup_expired() removes stale sessions
Localhost by default — server binds 127.0.0.1 instead of 0.0.0.0
Logout invalidates session — server-side deletion + cookie cleared
HTTPS-only self-update — HTTP URLs rejected; SHA256 always computed
12 automated OWASP security tests added

status init — generates default config.json and .env template on first run
Friendly error message when config is missing (replaces stack trace)

After upgrading, ensure these environment variables are set:

STATUS_PANEL_USERNAME=your-username
STATUS_PANEL_PASSWORD=your-password
AGENT_ID=your-agent-id

Or run status init to generate a .env template.

Full changelog: https://github.com/trydirect/status/blob/master/CHANGELOG.md

feat: add 'status init' command for first-run config generation by @vsilent in #85
OWASP-10 security fixes by @vsilent in #86
release: v0.1.7 — security hardening (OWASP Top 10) by @vsilent in #87

Full Changelog: v0.1.6...v0.1.7