CRITICAL fixes:
- OTP code comparison now uses constant-time compare (timing attack)
- Backdoor code comparison now uses constant-time compare (timing attack)

HIGH fixes:
- CORS policy restricted to allowlist (was wildcard *)
- Added security headers middleware (X-Frame-Options, X-Content-Type-Options, CSP, etc.)

See docs/SECURITY-AUDIT-2026-02-28.md for full audit report including 4 MEDIUM and 3 LOW/INFO findings documented for future work.
| File |
|---|
| chat.go |
| handlers.go |
| integration_test.go |
| middleware.go |
| middleware_test.go |
| routes.go |
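The two fix classes named in the commit message, a constant-time OTP comparison and a security-headers/CORS-allowlist middleware, as an added Go example. This is illustration code written for this page, not the project's own `middleware.go` or `handlers.go`; the function names `otpMatches`, `securityHeaders` and `responseHeadersFor`, the `corsAllowlist` contents, the CSP value and the `/api/status` path are all assumptions chosen for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// otpMatches compares a submitted one-time code against the expected value in
// constant time, so response latency does not reveal how many leading bytes
// matched. subtle.ConstantTimeCompare returns 0 immediately when the lengths
// differ; for fixed-length OTP codes that leaks nothing useful, but the
// expected value must not be chosen by the client.
func otpMatches(submitted, expected string) bool {
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(expected)) == 1
}

// corsAllowlist is a hypothetical origin allowlist standing in for the
// project's real configuration (assumption for this example).
var corsAllowlist = map[string]bool{
	"https://app.example.com": true,
}

// securityHeaders wraps a handler so every response carries the hardening
// headers the commit message lists, and reflects Access-Control-Allow-Origin
// only for origins present in the allowlist (never "*").
func securityHeaders(allowedOrigins map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy", "default-src 'self'") // assumed policy
		h.Set("Referrer-Policy", "no-referrer")
		if origin := r.Header.Get("Origin"); origin != "" && allowedOrigins[origin] {
			h.Set("Access-Control-Allow-Origin", origin)
			h.Add("Vary", "Origin") // cache per origin, since the header varies
		}
		next.ServeHTTP(w, r)
	})
}

// responseHeadersFor sends a constructed request (with the given Origin, or
// none when empty) through the middleware and returns the response headers.
func responseHeadersFor(origin string) http.Header {
	handler := securityHeaders(corsAllowlist, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/status", nil) // assumed path
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	fmt.Println("OTP 123456 vs 123456:", otpMatches("123456", "123456"))
	fmt.Println("OTP 123456 vs 123457:", otpMatches("123456", "123457"))
	allowed := responseHeadersFor("https://app.example.com")
	fmt.Println("allowlisted origin ACAO:", allowed.Get("Access-Control-Allow-Origin"))
	fmt.Println("X-Frame-Options:", allowed.Get("X-Frame-Options"))
	other := responseHeadersFor("https://other.example")
	fmt.Printf("non-allowlisted origin ACAO: %q\n", other.Get("Access-Control-Allow-Origin"))
}
```

The comparison helper and the middleware are independent: the former belongs wherever codes are verified, the latter is applied once around the router so no handler can forget it. Checking the headers through `httptest` mirrors what a `middleware_test.go` would assert.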