4 releases 4 tags

RSS feed

• 0.4.2 16bc2ab81b

  Compare

  0.4.2 (Alpha) Pre-release

  Rinanyae released this 2026-05-20 15:37:20 +00:00 | 11 commits to main since this release

  Arcane Status v0.4.2

  Security & Reliability Improvements

  Safer URL Monitoring

  Fixed an issue where monitored websites could redirect checks to private or internal network addresses. In rare cases, this could have allowed requests to reach internal systems or cloud metadata services.

  What changed

  • Redirects are no longer automatically followed during monitor checks.
  • Redirect responses are still treated as healthy when appropriate, keeping previous behavior consistent.

  ---

  Better Protection Against DNS Redirect Abuse

  Previously, website addresses were only validated when a monitor was created or updated. If the DNS record later changed to point somewhere private or internal, Arcane Status could still attempt the request.

  What changed

  • Endpoint validation now runs on every check.
  • DNS records are re-verified before each request.
  • Unsafe or invalid destinations are automatically blocked and marked as down with a clear reason.

  ---

  Improved Authentication Security

  Arcane Status previously generated a temporary JWT_SECRET automatically if one was missing. This caused all login sessions to become invalid after every restart and could also break encrypted SMTP credentials without making the issue obvious.

  What changed

  • Arcane Status now refuses to start if JWT_SECRET is missing.
  • Encryption and decryption failures now produce proper errors instead of silently failing.
  • SMTP credential issues are now much easier to diagnose.

  ---

  Reduced Risk of Email Address Discovery

  Some authentication flows responded differently depending on whether an email address existed in the system. This timing difference could potentially be used to discover valid accounts.

  What changed

  • Login responses now take a consistent amount of time whether the email exists or not.
  • Profile update errors no longer reveal whether another account is using a specific email address.

  ---

  SMTP Test Endpoint Restrictions

  The SMTP test feature previously allowed admins to send test emails to any address using the configured mail server.

  What changed

  • Test emails can now only be sent to the email address of the currently logged-in admin.
  • This keeps the feature focused on verifying mail configuration instead of acting like a mail relay.

  ---

  Summary

  This release focuses on:

  • Stronger security protections
  • Safer monitoring behavior
  • More reliable authentication handling
  • Clearer configuration errors

  Important: Administrators must ensure JWT_SECRET is configured before upgrading to this version.

  Downloads

  • Source code (ZIP)
    3 downloads
  • Source code (TAR.GZ)
    1 download

  ---

  • Arcane-Status-0.4.2.zip
    8 downloads · 2026-05-20 21:37:21 +00:00 · 168 KiB