Mahmoud Aglan authored
- Replace wildcard CORS (Access-Control-Allow-Origin: *) with domain whitelist across all 37 API files via shared includes/cors.php
- friends.php: sanitize PostgREST filter inputs (strip special chars from search)
- friends.php: validate UUID format for profile ID lookups
- friends.php: verify user is invite target before accept/decline (domino, ludo, chess)
- config/constants.php: read secrets from .env file or env vars (no more hardcoded keys)
- Add .env to .gitignore

Fixes WTF #5-6, #9-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
03447d76
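The hardening this commit describes, shown as an added example that is not the repository's own code (the contents of includes/cors.php and friends.php are not on this page): an origin whitelist with exact-match comparison instead of `*`, a UUID format check before a profile lookup, a conservative sanitizer for a PostgREST search term, and an ownership check that only lets the invite target respond. The whitelisted origins, the `target_user_id` field and the function names are assumptions for illustration.

```php
<?php
// Assumed implementation of a shared CORS include; the allowed origins below
// are constructed placeholders, not values from the project.
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://staging.example.com',
];

/**
 * Return the origin to echo back in Access-Control-Allow-Origin, or null when
 * the request origin is not whitelisted. Exact string match only: no substring
 * or regex checks, so "https://app.example.com.attacker.test" does not pass.
 */
function allowed_cors_origin(?string $origin): ?string
{
    if ($origin === null || $origin === '') {
        return null;
    }
    return in_array($origin, ALLOWED_ORIGINS, true) ? $origin : null;
}

/** Emit CORS headers for whitelisted origins; emit none (never "*") otherwise. */
function send_cors_headers(): void
{
    $origin = allowed_cors_origin($_SERVER['HTTP_ORIGIN'] ?? null);
    if ($origin === null) {
        // No Access-Control-Allow-Origin header at all: the browser blocks the
        // cross-origin read. Same-origin and non-browser clients are unaffected.
        return;
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    // Vary on Origin so a shared cache never serves one origin's header to another.
    header('Vary: Origin');
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization');
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
        http_response_code(204);
        exit;
    }
}

/** Accept only the canonical 8-4-4-4-12 hex form of a UUID (case-insensitive). */
function is_valid_uuid(string $value): bool
{
    return (bool) preg_match(
        '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
        $value
    );
}

/**
 * Reduce a free-text search term to letters, digits, spaces, underscore and
 * hyphen before it is embedded in a PostgREST filter. The characters PostgREST
 * treats as filter syntax (dot, comma, parentheses, asterisk) are removed, and
 * the length is capped so a caller cannot submit an unbounded pattern.
 */
function sanitize_search_term(string $term): string
{
    $clean = preg_replace('/[^\p{L}\p{N} _-]/u', '', $term) ?? '';
    return substr(trim($clean), 0, 64);
}

/**
 * Only the invited user may accept or decline an invite. $invite is the row
 * already loaded for the game (domino, ludo, chess); the 'target_user_id'
 * column name is assumed. hash_equals() keeps the comparison constant-time.
 */
function can_respond_to_invite(array $invite, string $currentUserId): bool
{
    return isset($invite['target_user_id'])
        && is_valid_uuid($currentUserId)
        && hash_equals((string) $invite['target_user_id'], $currentUserId);
}

// Typical use at the top of an API endpoint: send CORS headers first, then
// validate every identifier and search term before touching PostgREST.
send_cors_headers();
$profileId = $_GET['profile_id'] ?? '';
if (!is_valid_uuid($profileId)) {
    http_response_code(400);
    exit('invalid profile id');
}
$search = sanitize_search_term($_GET['q'] ?? '');
```

With this include, an endpoint that forgets to call `send_cors_headers()` fails closed (no cross-origin access) rather than open, which is the property a shared include should give you when it replaces a `*` header copied across many files.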