Summary

Security fixes

• Fix path traversal in Masqr.js via Host header — validate with allowlist regex, use URL.searchParams.set() for encoding
• Fix Masqr auth bypass — authcheck cookie is now signed (requires COOKIE_SECRET env var); falls back to unsigned for non-Masqr deployments
• Add httpOnly, secure, and sameSite flags to all Masqr cookies
• Redact license key from server logs (was logged verbatim on every check)
• Move cookieParser before route handlers so Masqr actually gates /e/* requests

Bug fixes

• Fix headers-already-sent crash in asset proxy error handler
• Fix mime.getType() returning null for unknown extensions (now falls back to application/octet-stream)
• Fix __dirname using process.cwd() instead of import.meta.url
• Fix MasqFail() calls not being awaited

Reliability

• Cap in-memory asset cache at CACHE_MAX_ENTRIES (default 1000, env-configurable) to prevent OOM under adversarial traffic
• Fix CORS for bare-server routes — headers now set directly on the raw http.Server handler instead of dead Express middleware

Credentials

• Remove hardcoded default password from config.js — credentials now read from BASIC_AUTH_USERS env var (user:pass CSV)
• Passwords no longer logged to stdout at startup (only usernames)

Error pages

• Add static/500.html — 500 error handler was incorrectly serving 404.html
• Replace Failed.html nginx placeholder with a proper license-validation-failed page

Notes

• Masqr remains opt-in via MASQR=true env var; the import and setup block stay commented out
• COOKIE_SECRET env var is required at startup when MASQR=true