Security Update: .env Migration, JWT Hardening & Rate Limiting

🛡️ Platform Security Hardened
We've completed a major security audit and implemented multiple layers of protection across the entire platform.
✅ .env files moved outside public directories
All API keys and secrets now stored in /home/gositeme/.gocodeme/ and /home/gositeme/env/ — inaccessible via web
✅ JWT auto-refresh with 7-day grace period
Expired tokens are automatically refreshed within the grace period. No more unexpected logouts.
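An added example (not the platform's own code) of the grace-period refresh described above: the HS256 signature is always verified first, a token that is expired but less than 7 days past its exp is reissued instead of rejected, and anything older or with a bad signature is refused. The signing key, the 1-hour access-token lifetime and the HS256 choice are assumptions for the example; the 7-day grace period is the figure from the update.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key for the example only; in production the key is read from the
# secrets file kept outside the web root.
SECRET_KEY = b"example-secret-not-for-production"
ACCESS_TOKEN_TTL = 60 * 60          # 1 hour, assumed lifetime for a fresh token
GRACE_PERIOD = 7 * 24 * 60 * 60     # 7 days, the grace period named in the update


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, now: int, ttl: int = ACCESS_TOKEN_TTL) -> str:
    """Mint an HS256 JWT for `subject` that expires `ttl` seconds after `now`."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_signature(token: str) -> Optional[dict]:
    """Return the payload if the HS256 signature checks out, else None.

    Expiry is deliberately not checked here: the caller decides whether an
    expired-but-authentic token falls inside the grace period.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":    # refuse "none" / algorithm confusion
            return None
        expected = hmac.new(
            SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # malformed base64 / JSON / wrong part count
        return None


def authenticate(token: str, now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Classify a presented token.

    Returns (status, token):
      "valid"     - signature good and not expired; the same token is returned
      "refreshed" - signature good, expired less than GRACE_PERIOD ago; a new token is returned
      "rejected"  - bad signature, malformed, or expired beyond the grace period; None
    """
    now = int(time.time()) if now is None else now
    payload = verify_signature(token)
    if payload is None:
        return ("rejected", None)
    exp = int(payload["exp"])
    if now <= exp:
        return ("valid", token)
    if now - exp <= GRACE_PERIOD:
        # The signature still proves we issued it, so reissue rather than log the user out.
        return ("refreshed", issue_token(payload["sub"], now))
    return ("rejected", None)
```

The design point is the ordering: signature before expiry, so the grace period never widens what a forged or tampered token can do, and the reissued token carries a fresh iat/exp rather than extending the old one.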
✅ Rate limiting: 180 req/min per user
DDoS protection with IP-based and user-based rate limiting. Probe detection and auto-blocking.
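An added example (not the platform's own code) of the limiter described above: a sliding 60-second window counted per user and per source IP at 180 req/min, plus a simple probe heuristic that blocks an IP after a burst of 401/404 responses. The 180/min per-user figure is from the update; applying the same budget per IP, the 20-response probe threshold and the 15-minute block are assumptions for the example.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

USER_LIMIT = 180          # requests per window per user, the figure in the update
IP_LIMIT = 180            # assumed: the same budget applied per source IP
WINDOW = 60.0             # seconds
PROBE_THRESHOLD = 20      # assumed: 401/404 responses per window before an IP is blocked
BLOCK_SECONDS = 15 * 60   # assumed block duration


class RateLimiter:
    """Sliding-window limiter keyed by user and by IP, with probe detection."""

    def __init__(self) -> None:
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)     # request timestamps
        self._probes: Dict[str, Deque[float]] = defaultdict(deque)   # 401/404 timestamps per IP
        self._blocked_until: Dict[str, float] = {}

    @staticmethod
    def _count(window: Deque[float], now: float) -> int:
        """Drop timestamps older than WINDOW and return how many remain."""
        while window and window[0] <= now - WINDOW:
            window.popleft()
        return len(window)

    def check(self, ip: str, user: Optional[str], now: Optional[float] = None) -> str:
        """Decide one request: "allow", "limited" (HTTP 429) or "blocked" (HTTP 403)."""
        now = time.time() if now is None else now
        if self._blocked_until.get(ip, 0.0) > now:
            return "blocked"
        ip_hits = self._hits[f"ip:{ip}"]
        if self._count(ip_hits, now) >= IP_LIMIT:
            return "limited"
        user_hits = self._hits[f"user:{user}"] if user else None
        if user_hits is not None and self._count(user_hits, now) >= USER_LIMIT:
            return "limited"
        # Only count requests that are actually served, so rejected ones cannot
        # keep a window saturated forever.
        ip_hits.append(now)
        if user_hits is not None:
            user_hits.append(now)
        return "allow"

    def record_response(self, ip: str, status: int, now: Optional[float] = None) -> bool:
        """Feed a response status back; returns True if it triggered an IP block.

        A burst of 401/404 responses from one IP is treated as probing (assumed heuristic).
        """
        now = time.time() if now is None else now
        if status not in (401, 404):
            return False
        probes = self._probes[ip]
        probes.append(now)
        if self._count(probes, now) >= PROBE_THRESHOLD:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            probes.clear()
            return True
        return False
```

Checking the IP budget before the user budget means many distinct (or unauthenticated) identities behind one address still share one 180/min allowance, which is what makes the IP layer useful against a flood that rotates accounts.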
✅ Dashboard redirect loop fixed
Resolved an infinite redirect issue caused by a session handling bug. Dashboard now loads instantly.
✅ Selective 401 handling
Authentication redirects are now scoped to the SSO endpoint only. Secondary API failures are handled gracefully.