Commit Graph

2 Commits

Author: Nyk
SHA1: afa8e9dacb
Date: 2026-03-21 18:45:48 +07:00
Message:
fix: security hardening from audit (closes #460)
- Hash session tokens (SHA-256) before storing in DB; migration for existing tokens
- Enforce 12-char password minimum on self-service change (was 8, creation was 12)
- Increase scrypt cost N=16384→65536 with progressive rehash on login
- Add MC_PROXY_AUTH_TRUSTED_IPS to restrict proxy auth header spoofing
- Enable HSTS by default in production (opt-out via MC_DISABLE_HSTS=1)
- Restrict debug endpoint to allowlisted gateway API paths (SSRF prevention)
- Default session cookie secure=true in production
- Gate MC_DISABLE_RATE_LIMIT on NODE_ENV !== 'production'
- Remove password value from insecure-default log warning
- chmod 600 generated secrets file in Docker entrypoint

Author: Nyk
SHA1: 99815d20b3
Date: 2026-02-23 02:00:44 +07:00
Message:
feat: initial open-source release
OpenClaw Mission Control — agent orchestration dashboard.

Built with Next.js 16, React 19, TypeScript, SQLite, and Tailwind CSS.
MIT License.