TTL-aware magic links: Replaced permanent community login links (from Agency Dashboard) with short-lived links to prevent unauthorized access.
Session Expiry: Users can now choose to invalidate all active sessions across devices during any password change or reset.
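As an added illustration of the TTL-aware magic links above (example code, not the dashboard's own implementation), a signed token that carries its own expiry and a verifier that rejects both tampered and expired links. The key, field names and TTL are assumed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed placeholder; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-example-key"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_magic_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue a short-lived magic link token: payload.signature, HMAC-SHA256 over the payload."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "exp": int(now + ttl_seconds), "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_magic_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig_b64 = token.encode().split(b".", 1)
        provided = _unb64(sig_b64)
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(expected, provided):
        return None
    exp = payload.get("exp")
    # The TTL check: a link past its expiry is refused even if correctly signed.
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload.get("sub")
```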
Fixes:
User enumeration prevention: Standardised error responses across Login, Forgot Password, and OTP flows to prevent attackers from verifying whether an email exists in our system.
Users V1 update API: Added XSS payload sanitisation and restricted updates to an approved list of fields to prevent unintended modifications.
Next Steps:
Enforcing Strong Password Policy: Backend enforcement is next; the policy is already partially rolled out, with the UI enforcing it on all apps.