You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -393,6 +394,125 @@ All analytics endpoints require authentication with `admin` or `analytics:read`
393
394
</Col>
394
395
</Row>
395
396
397
+
### Event Tracking API <spanclassName="px-2 py-0.5 text-xs font-bold bg-emerald-100 dark:bg-emerald-900/30 text-emerald-700 dark:text-emerald-300 rounded">NEW in v2.16.0</span>
398
+
399
+
The `/api/events` endpoint provides a public HTTP API for tracking events from client-side code, external services, or any HTTP client. No authentication required for tracking; admin auth required for querying.
Copy file name to clipboardExpand all lines: www/src/app/security/page.mdx
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -47,7 +47,8 @@ SonicJS enforces role-based permissions across all routes:
47
47
### CSRF Protection
48
48
- Signed double-submit cookie pattern on all state-changing endpoints
49
49
- Automatic token generation and validation
50
-
- Exempt: public read-only API endpoints
50
+
- Exempt: safe methods (GET, HEAD, OPTIONS), auth routes, public form submissions, event tracking API, Stripe webhooks, and search API
51
+
- Requests with `Authorization` header (Bearer token or API key) bypass CSRF — CSRF only applies to cookie-authenticated sessions
51
52
52
53
### CORS Configuration
53
54
- Cross-origin requests restricted to explicitly allowed origins via `CORS_ORIGINS` environment variable
@@ -106,7 +107,7 @@ SonicJS includes a built-in **Security Audit Plugin** that provides security eve
106
107
107
108
### How Lockouts Work
108
109
109
-
When brute-force detection is enabled, the plugin uses Cloudflare KV for fast lockout state:
110
+
When brute-force detection is enabled, the plugin uses Cloudflare KV for fast lockout state. If the `CACHE_KV` binding is not available, the brute-force detector gracefully degrades — all KV-dependent methods return safe defaults instead of crashing:
110
111
111
112
1. Each failed login increments counters for the IP and email address
112
113
2. When an IP exceeds the threshold, it is locked and receives `429 Too Many Requests` on subsequent login attempts
@@ -139,6 +140,7 @@ All security audit data is available via authenticated admin API endpoints:
139
140
140
141
| Version | Date | Changes |
141
142
|---------|------|---------|
143
+
| v2.16.0 | Apr 2026 | BruteForceDetector KV resilience, CSRF exempt path expansion, Authorization header bypass for API clients |
142
144
| v2.9.0 | Apr 2026 | RBAC enforcement on all admin routes |
143
145
| v2.8.3 | Mar 2026 | SQL injection fix, XSS fixes (reflected + stored), PBKDF2 hashing, CSRF protection, rate limiting, CORS restrictions, security headers, JWT secret to env var |
144
146
| v2.8.2 | Mar 2026 | Public form XSS sanitization, content API access restrictions |
0 commit comments