From 9bc25a3dc27cd85469c0b174cf34c0a9f5cc59b0 Mon Sep 17 00:00:00 2001 From: Zimeng Xiong Date: Sun, 23 Nov 2025 07:39:35 -0800 Subject: [PATCH] update README, release notes --- README.md | 4 ++-- RELEASE.md | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+), 2 deletions(-) create mode 100644 RELEASE.md diff --git a/README.md b/README.md index 3f94003..21db19c 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ ExcaliDash Logo -# ExcaliDash v0.1.0 +# ExcaliDash v0.1.3 ![License](https://img.shields.io/github/license/zimengxiong/ExcaliDash) [![Docker](https://img.shields.io/badge/docker-ready-blue.svg)](https://hub.docker.com) @@ -74,7 +74,7 @@ See [release notes](https://github.com/ZimengXiong/ExcaliDash/releases) for a sp # Installation > [!CAUTION] -> NOT for production use. This is just a side project (and also the first release), and it likely contains some bugs. DO NOT open ports to the internet (e.g. CORS is set to allow all) +> NOT for production use. While attempts have been made at hardening (XSS/dompurify, CORS, rate-limiting, sanitization) have been made, they are inadequate for public deployment. Do not expose any ports. Currently lacking CSRF. ## Docker Hub (Recommended) diff --git a/RELEASE.md b/RELEASE.md new file mode 100644 index 0000000..9d1d4c0 --- /dev/null +++ b/RELEASE.md 
@@ -0,0 +1,34 @@ +# ExcaliDash v0.1.3 + +**Type:** Security Release +**Date:** 2025-11-23 +**Compatibility:** v0.1.0 (Backward Compatible) + +## Security Fixes + +**Input Sanitization & XSS Prevention** + +- Implemented basic sanitization using `dompurify` and `jsdom`. All drawing data, text inputs, and SVG content are now stripped of non-geometric elements and malicious attributes before persistence. URL validation now explicitly blocks `javascript:`, `data:`, and `vbscript:` schemes. + +**Network & Headers** + +- Enforced Content Security Policy (CSP) with strict source restrictions. Added standard hardening headers: `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, and strict Referrer Policy. Rate limiting added (1,000 req/15min). + **Validation Logic** + +- Adopted `zod` schemas for strict runtime type checking on all API inputs. Requests exceeding length limits or failing schema validation are rejected prior to processing. + +## Infra + +**Docker Architecture** + +- Containers now execute as a non-root user (uid 1001) to minimize privilege escalation risks. Refactored into a multi-stage build to reduce image size and enforce proper file ownership/permissions on startup. + +**Async Operations & Database** + +- Moved blocking file I/O and SQLite integrity checks to worker threads (`src/workers/db-verify.js`) to prevent event loop stalling. Switched to `better-sqlite3`. Database imports now trigger automatic backups and validate SQLite file headers before execution. + +## Developer & Migration Notes + +- **New Env Var**: `FRONTEND_URL` must be defined for CORS (e.g., `http://localhost:6767`). +- **Testing**: Added `npm run security-test` suite covering XSS payloads, SVG boundaries, and upload limits. +- **Migration**: No database schema changes. Existing volumes are compatible; the container will automatically fix permissions on startup.
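Review bot: the replacement caution line in the README.md hunk at `@@ -74,7 +74,7 @@` repeats "have been made" ("While attempts have been made at hardening (...) have been made"), so the sentence does not parse; drop one occurrence, e.g. `> NOT for production use. Attempts at hardening (XSS/dompurify, CORS, rate-limiting, sanitization) have been made, but they are inadequate for public deployment. Do not expose any ports. CSRF protection is currently missing.` Writing "CSRF protection" rather than "Currently lacking CSRF" also makes clear that it is the defence, not the vulnerability, that is absent.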
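Review bot: the RELEASE.md hunk says containers now run as a non-root user (uid 1001) and that "the container will automatically fix permissions on startup", but a process running as uid 1001 cannot chown volume contents it does not own, so the notes should state how the fix is performed (an entrypoint that starts as root and drops to uid 1001 after correcting ownership, or a documented chown the operator runs once) and what happens to an existing v0.1.0 volume when the fix cannot be applied. Two more operator-facing gaps for in-place upgrades: `FRONTEND_URL` is listed as required for CORS without saying what happens when it is unset (a default origin, the v0.1.0 allow-all behaviour, or refusing to start), which matters for the "Backward Compatible" claim; and "Rate limiting added (1,000 req/15min)" does not say whether the limit is keyed per client IP or global, nor whether the server trusts `X-Forwarded-For` behind a reverse proxy, without which per-IP keying does not work as intended. Finally, the README hunk acknowledges that CSRF protection is still missing, so add a "Known limitations" entry here so the two documents agree, and insert a blank line before `**Validation Logic**` (and drop its leading space) so it renders as a subsection heading like the others.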