What's New?
• TTL-aware magic links: Replaced permanent community login links (from Account Dashboard) with short-lived links to prevent unauthorized access.
• Session Expiry: Users can now choose to invalidate all active sessions across devices during any password change or reset.
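To show what "TTL-aware" means for the magic links above, here is an added illustration (not the product's own code): each link carries a signed expiry claim, so the same verifier that accepts a fresh link rejects it once the TTL elapses, and rejects any link whose payload has been altered. The token format, the HMAC-SHA256 scheme and the demo key are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key for this example; a real deployment loads it from a secrets manager.
SECRET_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_magic_link(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Create a short-lived login token: base64url(payload).base64url(hmac)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now) + ttl_seconds, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return "%s.%s" % (
        base64.urlsafe_b64encode(payload).decode(),
        base64.urlsafe_b64encode(_sign(payload)).decode(),
    )


def verify_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    # Check the signature first, in constant time, so a forged payload is never trusted.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None  # TTL elapsed: a permanent link would still have worked here
    return claims["sub"]
```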
Fixes:
• User enumeration prevention: Standardised error responses across Login, Forgot Password, and OTP flows to prevent attackers from verifying whether an email exists in our system.
• Users V1 update API: Added XSS payload sanitisation and restricted updates to an approved list of fields to prevent unintended modifications.
Next Steps:
• Enforcing Strong Password Policy: Backend enforcement is next. It is already rolled out partially, with the UI enforcing the new policy on all apps.