glashjs 0.15.0 → 0.15.1

package/README.md

@@ -18,8 +18,9 @@ The create CLI asks for:
 - CSS setup: Tailwind, plain CSS, or none.
 - Postgres by default.
 - glashAuth route helpers.
-- SQL runner support.
+- SQL runner support through the local CLI.
 - AI deployment prompts.
+- Optional IP auto-translation.
 - Package manager and dependency install.
 
 For non-interactive use:
@@ -40,7 +41,6 @@ routes/
   api/auth/signup.mjs
   api/auth/me.mjs
   api/functions/contact.mjs
-  api/sql/run.mjs
 db/schema.sql
 .glash/prompts/deploy.md
 glash.config.mjs
@@ -56,7 +56,7 @@ glash.config.mjs
 - **API routes**: method exports such as `GET`, `POST`, `PUT`, and `DELETE`.
 - **Postgres by default**: `glashjs/postgres` reads `DATABASE_URL` and exposes `sql`, `query`, and transactions.
 - **glashAuth built in**: `glashjs/auth` calls the real GlashDB auth API under `/api/auth/v1/:projectId`.
-- **SQL runner support**: `glashjs sql db/schema.sql` runs checked-in SQL against `DATABASE_URL`.
+- **SQL runner support**: `glashjs sql db/schema.sql` runs checked-in SQL against `DATABASE_URL`; starters do not expose arbitrary SQL over HTTP.
 - **AI deployment prompts**: starters include `.glash/prompts/deploy.md` for agents and deployment review.
 - **Zero-config hosting**: `glashjs deploy` builds and hands off to the GlashDB deploy CLI.
 - **Automatic env management**: `.env`, `.env.local`, and mode-specific env files load automatically; hosted deploys use GlashDB project env vars.
@@ -66,7 +66,8 @@ glash.config.mjs
 
 ```bash
 glashjs create [name]          # scaffold a new Glash project
-glashjs dev [--port 3000]     # dev server with live reload and LAN URL
+glashjs dev [--port 3000]     # dev server with live reload, bound to localhost
+glashjs dev --host 0.0.0.0   # opt into LAN preview
 glashjs build                 # optimize assets, precompile routes, emit PWA/security manifests
 glashjs serve                 # serve the production build
 glashjs typegen               # generate typed route declarations
@@ -144,6 +145,7 @@ Required env:
 GLASHDB_API_URL="https://api.glashdb.com/api"
 GLASHDB_PROJECT_ID="..."
 GLASHDB_ANON_KEY="..."
+GLASH_SESSION_SECRET="at-least-32-random-characters"
 DATABASE_URL="postgresql://..."
 ```
 
@@ -181,10 +183,14 @@ export default defineConfig({
   offline: true,
   favicon: 'node_modules/glashjs/templates/glash_favicon.svg',
   animatedFavicon: false,
+  i18n: false,
   dataPrefixes: ['/api/', '/auth/', '/rest/', '/live', '/stream'],
 });
 ```
 
+`i18n` is opt-in because it calls third-party geolocation/translation services
+and relaxes CSP for the translation widget.
+
 ## Deploy
 
 ```bash
@@ -199,7 +205,7 @@ npm run deploy
 3. Optimizes public assets.
 4. Precompiles JSX routes and client bundles.
 5. Emits PWA, offline, security, and asset manifests.
-6. Hands off to the GlashDB CLI for upload, env sync, build logs, live URL, and hosting.
+6. Hands off to a local pinned GlashDB CLI when installed, otherwise a pinned fallback CLI package, for upload, env sync, build logs, live URL, and hosting.
 
 ## Asset Optimization
 

package/bin/glash.mjs

@@ -26,7 +26,7 @@ function flag(name) {
   return rest.includes(name);
 }
 
-function optionBool(disableFlag, fallback = true) {
+function optionBool(disableFlag, fallback) {
   return rest.includes(disableFlag) ? false : fallback;
 }
 
@@ -78,7 +78,8 @@ async function serve(dev) {
   const root = arg('--root', process.cwd());
   const { listen, cfg, routes } = await createGlashServer({ root, dev });
   const preferredPort = Number(arg('--port', cfg.port || 3000));
-  const port = await listenOnAvailablePort(listen, preferredPort);
+  const host = arg('--host', dev ? '127.0.0.1' : '0.0.0.0');
+  const port = await listenOnAvailablePort((p) => listen(p, host), preferredPort);
   const pages = routes.filter((r) => !r.isApi).length;
   const apis = routes.filter((r) => r.isApi).length;
   console.log('');
@@ -90,11 +91,19 @@ async function serve(dev) {
   routes.forEach((r) => console.log(`    ${r.isApi ? 'api ' : 'page'}  ${r.pattern}`));
   console.log('');
   console.log(`  ➜ Local:    http://localhost:${port}`);
-  for (const ip of lanAddresses()) console.log(`  ➜ Network:  http://${ip}:${port}   (preview on other devices)`);
+  if (isPublicHost(host)) {
+    for (const ip of lanAddresses()) console.log(`  ➜ Network:  http://${ip}:${port}   (preview on other devices)`);
+  } else {
+    console.log('  ➜ Network:  disabled (use --host 0.0.0.0 to expose on your LAN)');
+  }
   if (dev) console.log('\n  live reload on save · ctrl-c to stop');
   console.log('');
 }
 
+function isPublicHost(host) {
+  return host === '0.0.0.0' || host === '::' || host === '';
+}
+
 async function listenOnAvailablePort(listen, preferredPort) {
   for (let port = preferredPort; port < preferredPort + 20; port += 1) {
     try {
@@ -124,7 +133,7 @@ async function main() {
         auth: optionBool('--no-auth', undefined),
         sqlRunner: optionBool('--no-sql-runner', undefined),
         aiPrompts: optionBool('--no-ai-prompts', undefined),
-        translate: optionBool('--no-translate', undefined),
+        translate: flag('--translate') ? true : optionBool('--no-translate', undefined),
         animation: flag('--animation') ? true : undefined,
       });
       break;
@@ -185,8 +194,9 @@ async function main() {
 
 Usage: (run as "glashjs <cmd>"; "glash <cmd>" also works unless the glashdb deploy CLI owns that name)
   glashjs run dev               Alias for glashjs dev (also: glash run dev)
-  glashjs create [name]          Create a new Glash project (interactive)
-  glashjs dev [--port 3000]     Run the dev server (routing, SSR, API, live reload) + Network preview URL
+  glashjs create [name]          Create a new Glash project (interactive; --translate opts into i18n)
+  glashjs dev [--port 3000]     Run the dev server on localhost (routing, SSR, API, live reload)
+  glashjs dev --host 0.0.0.0   Opt into LAN preview from other devices
   glashjs serve [--port 3000]   Run the production server over routes/ + built assets
   glashjs build [--root <dir>]  Optimize assets, precompile routes, generate offline SW + PWA + security
   glashjs typegen               Generate typed route declarations from routes/

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "glashjs",
-  "version": "0.15.0",
+  "version": "0.15.1",
   "description": "glashjs — The Postgres-native full-stack framework for builders who want to ship without DevOps. Framework, hosting, database, auth, and deploy in one GlashDB-native runtime.",
   "type": "module",
   "bin": {

package/src/auth.mjs

@@ -4,6 +4,7 @@
 //   /api/auth/v1/:projectId/signup
 //   /api/auth/v1/:projectId/signin
 //   /api/auth/v1/:projectId/me
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'node:crypto';
 
 export function glashAuth(options = {}) {
   const apiUrl = trimSlash(options.apiUrl ?? process.env.GLASHDB_API_URL ?? 'https://api.glashdb.com/api');
@@ -55,34 +56,47 @@ export function glashAuth(options = {}) {
   };
 }
 
-export function readSessionCookie(ctx, name = 'glash_session') {
+export function readSessionCookie(ctx, name = 'glash_session', options = {}) {
   const cookie = ctx?.headers?.cookie || ctx?.req?.headers?.cookie || '';
   const found = cookie.split(';').map((part) => part.trim()).find((part) => part.startsWith(`${name}=`));
   if (!found) return null;
-  try {
-    return JSON.parse(Buffer.from(decodeURIComponent(found.slice(name.length + 1)), 'base64url').toString('utf8'));
-  } catch {
-    return null;
-  }
+  return openSession(decodeURIComponent(found.slice(name.length + 1)), name, options);
 }
 
 export function sessionCookie(session, options = {}) {
   const name = options.name ?? 'glash_session';
   const maxAge = options.maxAge ?? 60 * 60 * 24 * 30;
-  const encoded = Buffer.from(JSON.stringify(session), 'utf8').toString('base64url');
+  const encoded = sealSession(session, name, options);
   const parts = [
     `${name}=${encodeURIComponent(encoded)}`,
     'Path=/',
     `Max-Age=${maxAge}`,
     'HttpOnly',
-    'SameSite=Lax',
+    `SameSite=${options.sameSite ?? 'Lax'}`,
   ];
   if (options.secure ?? process.env.NODE_ENV === 'production') parts.push('Secure');
   return parts.join('; ');
 }
 
-export function clearSessionCookie(name = 'glash_session') {
-  return `${name}=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax`;
+export function clearSessionCookie(name = 'glash_session', options = {}) {
+  const parts = [`${name}=`, 'Path=/', 'Max-Age=0', 'HttpOnly', `SameSite=${options.sameSite ?? 'Lax'}`];
+  if (options.secure ?? process.env.NODE_ENV === 'production') parts.push('Secure');
+  return parts.join('; ');
+}
+
+export function publicSession(session = {}) {
+  if (!session || typeof session !== 'object') return {};
+  const {
+    accessToken,
+    access_token,
+    refreshToken,
+    refresh_token,
+    token,
+    idToken,
+    id_token,
+    ...safe
+  } = session;
+  return safe;
 }
 
 async function readJson(res) {
@@ -94,3 +108,53 @@ async function readJson(res) {
 function trimSlash(value) {
   return String(value || '').replace(/\/+$/, '');
 }
+
+function sealSession(session, name, options) {
+  const secret = sessionSecret(options);
+  const iv = randomBytes(12);
+  const cipher = createCipheriv('aes-256-gcm', sessionKey(secret, name), iv);
+  const plaintext = Buffer.from(JSON.stringify(session ?? {}), 'utf8');
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return ['v1', b64(iv), b64(encrypted), b64(tag)].join('.');
+}
+
+function openSession(value, name, options) {
+  try {
+    if (!String(value || '').startsWith('v1.')) {
+      if (!options.allowUnsigned) return null;
+      return JSON.parse(Buffer.from(value, 'base64url').toString('utf8'));
+    }
+    const [, ivRaw, encryptedRaw, tagRaw] = String(value).split('.');
+    if (!ivRaw || !encryptedRaw || !tagRaw) return null;
+    const secret = sessionSecret(options);
+    const decipher = createDecipheriv('aes-256-gcm', sessionKey(secret, name), Buffer.from(ivRaw, 'base64url'));
+    decipher.setAuthTag(Buffer.from(tagRaw, 'base64url'));
+    const plain = Buffer.concat([
+      decipher.update(Buffer.from(encryptedRaw, 'base64url')),
+      decipher.final(),
+    ]);
+    return JSON.parse(plain.toString('utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function sessionSecret(options = {}) {
+  const secret = options.secret
+    ?? process.env.GLASH_SESSION_SECRET
+    ?? process.env.GLASHDB_SESSION_SECRET
+    ?? process.env.AUTH_SECRET;
+  if (!secret || String(secret).length < 32) {
+    throw new Error('GLASH_SESSION_SECRET must be set to at least 32 characters for glashAuth session cookies');
+  }
+  return String(secret);
+}
+
+function sessionKey(secret, name) {
+  return createHash('sha256').update(`glashjs:${name}:${secret}`).digest();
+}
+
+function b64(value) {
+  return Buffer.from(value).toString('base64url');
+}

package/src/config.mjs

@@ -32,7 +32,8 @@ export const DEFAULT_CONFIG = {
   // (/api/_glash/geo) automatically — no route or layout wiring per app.
   //   true | false | { auto?: boolean, geoEndpoint?: string }
   //   auto: translate immediately instead of prompting.
-  i18n: true,
+  // Disabled by default because it calls third-party translation/geolocation services.
+  i18n: false,
   // Requests under these prefixes are treated as live/updated data: network-first
   // in the Service Worker, so offline mode degrades exactly there (no stale live data).
   dataPrefixes: ['/api/', '/rest/', '/auth/', '/realtime', '/live', '/stream'],

package/src/create.mjs

@@ -42,7 +42,7 @@ async function collectAnswers(options, rl) {
   const auth = boolAnswer(options.auth, await ask(rl, 'Add glashAuth routes?', 'yes'));
   const sqlRunner = boolAnswer(options.sqlRunner, await ask(rl, 'Add SQL runner support?', 'yes'));
   const aiPrompts = boolAnswer(options.aiPrompts, await ask(rl, 'Add AI deployment prompts?', 'yes'));
-  const translate = boolAnswer(options.translate, await ask(rl, 'Add built-in IP auto-translation?', 'yes'));
+  const translate = boolAnswer(options.translate, await ask(rl, 'Add built-in IP auto-translation?', 'no'));
   const animation = boolAnswer(options.animation, await ask(rl, 'Add motion + 3D (motion, three.js)?', 'no'));
   const install = boolAnswer(options.install, await ask(rl, 'Install dependencies now?', 'yes'));
   const packageManager = normalizeChoice(options.packageManager || await ask(rl, 'Package manager (npm/pnpm/yarn/bun)', detectPackageManager()), PM_CHOICES, 'npm');
@@ -135,10 +135,8 @@ export default defineConfig({
   publicDir: 'public',
   outDir: '.glash/out',
   offline: true,
-  // Built-in IP auto-translation: detect the visitor's country and offer a
-  // one-tap in-place translation into their native language. The framework
-  // serves the runtime + geo endpoint and relaxes the CSP for the translate
-  // widget automatically — no route or layout wiring needed.
+  // Built-in IP auto-translation is opt-in because it calls third-party
+  // translation/geolocation services and relaxes CSP for that widget.
   i18n: ${answers.translate ? 'true' : 'false'},
   favicon: 'node_modules/glashjs/templates/glash_favicon.svg',
   animatedFavicon: false,
@@ -300,21 +298,21 @@ export const GET = () => json({
 function authRoutes() {
   return {
     'routes/api/auth/signup.mjs': `import { json } from 'glashjs';
-import { glashAuth, sessionCookie } from 'glashjs/auth';
+import { glashAuth, publicSession, sessionCookie } from 'glashjs/auth';
 
 export const POST = async (ctx) => {
   const auth = glashAuth();
   const session = await auth.signup(ctx.body);
-  return json(session, { headers: { 'set-cookie': sessionCookie(session) } });
+  return json({ ok: true, session: publicSession(session) }, { headers: { 'set-cookie': sessionCookie(session) } });
 };
 `,
     'routes/api/auth/signin.mjs': `import { json } from 'glashjs';
-import { glashAuth, sessionCookie } from 'glashjs/auth';
+import { glashAuth, publicSession, sessionCookie } from 'glashjs/auth';
 
 export const POST = async (ctx) => {
   const auth = glashAuth();
   const session = await auth.signin(ctx.body);
-  return json(session, { headers: { 'set-cookie': sessionCookie(session) } });
+  return json({ ok: true, session: publicSession(session) }, { headers: { 'set-cookie': sessionCookie(session) } });
 };
 `,
     'routes/api/auth/me.mjs': `import { json } from 'glashjs';
@@ -345,20 +343,6 @@ export const POST = serverFunction(async ({ email }) => {
   \`;
   return { message: \`Saved \${value} in Postgres.\` };
 });
-`,
-    'routes/api/sql/run.mjs': `import { json } from 'glashjs';
-import { query } from 'glashjs/postgres';
-
-export const POST = async (ctx) => {
-  const expected = process.env.GLASH_SQL_RUNNER_TOKEN;
-  const token = String(ctx.headers.authorization || '').replace(/^Bearer\\s+/i, '');
-  if (!expected || token !== expected) return json({ error: 'SQL runner token required' }, { status: 401 });
-  const statement = String(ctx.body?.statement || '');
-  const params = Array.isArray(ctx.body?.params) ? ctx.body.params : [];
-  if (!statement.trim()) return json({ error: 'statement is required' }, { status: 400 });
-  const result = await query(statement, params);
-  return json({ rowCount: result.rowCount, rows: result.rows });
-};
 `,
   };
 }
@@ -380,7 +364,7 @@ GLASHDB_PROJECT_ID=""
 DATABASE_URL="postgresql://user:password@localhost:5432/${answers.name}?sslmode=disable"
 DIRECT_URL=""
 GLASHDB_ANON_KEY=""
-GLASH_SQL_RUNNER_TOKEN="${randomToken()}"
+GLASH_SESSION_SECRET="replace-with-at-least-32-random-characters"
 `;
 }
 
@@ -391,7 +375,7 @@ GLASHDB_PROJECT_ID=""
 DATABASE_URL="postgresql://user:password@localhost:5432/${answers.name}?sslmode=disable"
 DIRECT_URL=""
 GLASHDB_ANON_KEY=""
-GLASH_SQL_RUNNER_TOKEN="${randomToken()}"
+GLASH_SESSION_SECRET="${randomToken()}.${randomToken()}"
 `;
 }
 
@@ -533,9 +517,9 @@ function tailwindInput() {
 function faviconSvg() {
   // Use the bundled glash mark (the official metallic glash favicon) so a new
   // app ships the real brand favicon, not a placeholder. Single source of truth:
-  // glashjs/templates/favicon.svg.
+  // glashjs/templates/glash_favicon.svg.
   try {
-    return readFileSync(fileURLToPath(new URL('../templates/favicon.svg', import.meta.url)), 'utf8');
+    return readFileSync(fileURLToPath(new URL('../templates/glash_favicon.svg', import.meta.url)), 'utf8');
   } catch {
     return `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 64 64">
   <rect width="64" height="64" rx="14" fill="#0a0a0a"/>

package/src/deploy.mjs

@@ -5,10 +5,12 @@
 // to the existing glashdb CLI (npm: `glashdb`) for upload/auth — no duplicated
 // deploy logic. The platform then runs `glash build` + `glash serve`.
 import { spawn } from 'node:child_process';
-import { promises as fs } from 'node:fs';
+import { promises as fs, existsSync } from 'node:fs';
 import path from 'node:path';
 import { build } from './build.mjs';
 
+const FALLBACK_GLASHDB_CLI = 'glashdb@0.2.35';
+
 /** Ensure the app declares the scripts the glashdb platform runs to build/serve it. */
 async function ensureDeployScripts(root, log) {
   const pkgPath = path.join(root, 'package.json');
@@ -35,8 +37,7 @@ export async function deploy({ root = process.cwd(), dryRun = false, args = [],
   await ensureDeployScripts(root, log);
 
   // 3. Hand off to the glashdb CLI (zips + uploads, handles login).
-  const cmd = 'npx';
-  const cmdArgs = ['-y', 'glashdb', 'deploy', ...args];
+  const { cmd, cmdArgs } = resolveGlashdbCli(root, args);
   log(`\nHanding off to the glashdb CLI:\n  $ ${cmd} ${cmdArgs.join(' ')}\n`);
   if (dryRun) {
     log('(dry run — build complete, not uploading)');
@@ -48,3 +49,10 @@ export async function deploy({ root = process.cwd(), dryRun = false, args = [],
     child.on('exit', (code) => (code === 0 ? resolve({ code }) : reject(new Error(`glashdb deploy exited with code ${code}`))));
   });
 }
+
+function resolveGlashdbCli(root, args) {
+  const bin = process.platform === 'win32' ? 'glashdb.cmd' : 'glashdb';
+  const local = path.join(root, 'node_modules', '.bin', bin);
+  if (existsSync(local)) return { cmd: local, cmdArgs: ['deploy', ...args] };
+  return { cmd: 'npx', cmdArgs: ['-y', FALLBACK_GLASHDB_CLI, 'deploy', ...args] };
+}

package/src/index.mjs

@@ -8,7 +8,7 @@ export { createProject } from './create.mjs';
 export { optimizeAssets } from './assets/optimize.mjs';
 export { generateAnimatedFavicon } from './assets/animated-favicon.mjs';
 export { generateServiceWorker } from './offline/generate-sw.mjs';
-export { securityHeaders, buildCsp, sri, glashSecurity } from './security/headers.mjs';
+export { securityHeaders, buildCsp, sri, glashSecurity, mergeSafeHeaders } from './security/headers.mjs';
 export { createGlashServer, json, redirect } from './server/server.mjs';
 export { serverFunction, callServerFunction } from './server-functions.mjs';
 export { discoverRoutes, matchRoute, findMiddleware } from './server/router.mjs';

package/src/offline/generate-sw.mjs

@@ -43,6 +43,19 @@ function isData(url) {
   return DATA_PREFIXES.some((p) => url.pathname.startsWith(p));
 }
 
+function cacheableRequest(request) {
+  if (request.headers.has('authorization')) return false;
+  if (request.cache === 'no-store') return false;
+  return true;
+}
+
+function cacheableResponse(response) {
+  if (!response || !response.ok) return false;
+  const cc = response.headers.get('cache-control') || '';
+  if (/\\b(no-store|private)\\b/i.test(cc)) return false;
+  return true;
+}
+
 self.addEventListener('fetch', (event) => {
   const { request } = event;
   if (request.method !== 'GET') return;
@@ -56,8 +69,6 @@ self.addEventListener('fetch', (event) => {
         const fresh = await fetch(request);
         return fresh;
       } catch {
-        const cached = await caches.match(request);
-        if (cached) return cached;
         return new Response(JSON.stringify({ offline: true, error: 'offline: live data unavailable' }), {
           status: 503, headers: { 'content-type': 'application/json', 'x-glash-offline': '1' },
         });
@@ -70,21 +81,30 @@ self.addEventListener('fetch', (event) => {
   if (request.mode === 'navigate') {
     event.respondWith((async () => {
       const cache = await caches.open(CACHE);
+      if (!cacheableRequest(request)) {
+        return fetch(request).catch(() => cache.match('/offline.html') || new Response('offline', { status: 503 }));
+      }
       const cached = await cache.match(request);
-      const network = fetch(request).then((res) => { cache.put(request, res.clone()); return res; }).catch(() => null);
-      return cached || (await network) || cache.match('/offline.html') || new Response('offline', { status: 503 });
+      const network = fetch(request).then((res) => {
+        if (cacheableResponse(res)) cache.put(request, res.clone());
+        return res;
+      }).catch(() => null);
+      return (await network) || cached || cache.match('/offline.html') || new Response('offline', { status: 503 });
     })());
     return;
   }
 
   // Hashed static assets: cache-first.
   event.respondWith((async () => {
+    if (!cacheableRequest(request)) return fetch(request);
     const cached = await caches.match(request);
     if (cached) return cached;
     try {
       const res = await fetch(request);
-      const cache = await caches.open(CACHE);
-      cache.put(request, res.clone());
+      if (cacheableResponse(res)) {
+        const cache = await caches.open(CACHE);
+        cache.put(request, res.clone());
+      }
       return res;
     } catch {
       return cached || new Response('offline', { status: 503 });
@@ -101,7 +121,7 @@ self.addEventListener('fetch', (event) => {
  */
 export async function generateServiceWorker(outDir, manifest, {
   cacheName,
-  appShell = ['/', '/index.html', '/offline.html', '/favicon.svg'],
+  appShell = ['/offline.html', '/favicon.svg'],
   dataPrefixes = DATA_PREFIXES,
 } = {}) {
   const version = manifest?.version || 'dev';

package/src/postgres.mjs

@@ -72,6 +72,12 @@ function templateToSql(strings, values) {
 
 function sslFor(connectionString) {
   if (/sslmode=disable/i.test(connectionString)) return false;
-  if (/localhost|127\.0\.0\.1|::1/.test(connectionString)) return false;
+  let hostname = '';
+  try {
+    hostname = new URL(connectionString).hostname.toLowerCase();
+  } catch {
+    return { rejectUnauthorized: true };
+  }
+  if (hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1' || hostname === '[::1]') return false;
   return { rejectUnauthorized: true };
 }

package/src/security/headers.mjs

@@ -25,6 +25,29 @@ const I18N_CSP = {
 };
 const merge = (base, extra) => [...new Set([...base, ...extra])];
 
+export const PROTECTED_SECURITY_HEADERS = new Set([
+  'content-security-policy',
+  'strict-transport-security',
+  'x-content-type-options',
+  'x-frame-options',
+  'referrer-policy',
+  'permissions-policy',
+  'cross-origin-opener-policy',
+  'cross-origin-resource-policy',
+  'cross-origin-embedder-policy',
+  'origin-agent-cluster',
+  'x-dns-prefetch-control',
+]);
+
+export function mergeSafeHeaders(base = {}, extra = {}) {
+  const out = { ...base };
+  for (const [key, value] of Object.entries(extra || {})) {
+    if (PROTECTED_SECURITY_HEADERS.has(String(key).toLowerCase())) continue;
+    out[key] = value;
+  }
+  return out;
+}
+
 export function buildCsp({
   connectSrc = ["'self'"],
   imgSrc = ["'self'", 'data:', 'blob:'],

package/src/server/nav-client.mjs

@@ -27,7 +27,17 @@ async function navigate(href, push, keepScroll) {
   root.innerHTML = data.html;
   if (push) history.pushState({ glash: 1 }, '', href);
   if (!keepScroll) window.scrollTo(0, 0);
-  if (data.bundle) { try { await import(data.bundle + '?v=' + Date.now()); } catch (e) {} }
+  var bundle = safeBundle(data.bundle);
+  if (bundle) { try { await import(bundle + '?v=' + Date.now()); } catch (e) {} }
+}
+
+function safeBundle(value) {
+  return /^\\/_glash\\/[a-f0-9]{10}\\.js$/i.test(String(value || '')) ? value : '';
+}
+
+function escapeCssIdent(value) {
+  if (window.CSS && typeof window.CSS.escape === 'function') return window.CSS.escape(value);
+  return String(value).replace(/["\\\\\\]\\[]/g, '\\\\$&');
 }
 
 document.addEventListener('click', function (e) {
@@ -65,7 +75,7 @@ window.__glashSoftRefresh = async function () {
   });
   window.scrollTo(sx, sy);
   if (focusName) {
-    var el = root.querySelector('[name="' + focusName + '"]');
+    var el = root.querySelector('[name="' + escapeCssIdent(focusName) + '"]');
     if (el) { el.focus(); try { el.selectionStart = selStart; el.selectionEnd = selEnd; } catch (e) {} }
   }
 };

package/src/server/server.mjs

@@ -6,7 +6,7 @@
 //                 service worker, favicons) with Brotli negotiation.
 // Every response carries the secure-by-default headers.
 import http from 'node:http';
-import { promises as fs, existsSync, statSync, watch, createReadStream, readFileSync } from 'node:fs';
+import { promises as fs, existsSync, watch, createReadStream, readFileSync } from 'node:fs';
 import { Transform } from 'node:stream';
 import { randomBytes } from 'node:crypto';
 import path from 'node:path';
@@ -16,7 +16,7 @@ import { discoverRoutes, matchRoute, findMiddleware } from './router.mjs';
 import { renderDocument, documentParts, renderMeta, escapeHtml } from './html.mjs';
 import { NAV_CLIENT } from './nav-client.mjs';
 import { isComponentRoute, loadComponentRoute, clientBundle, renderComponent, composeVNode, getPipeableRenderer, routeId, findLayouts, clearJsxCaches, compileModule } from './jsx.mjs';
-import { securityHeaders } from '../security/headers.mjs';
+import { mergeSafeHeaders, securityHeaders } from '../security/headers.mjs';
 import { loadConfig } from '../config.mjs';
 import { loadEnvFiles } from '../env.mjs';
 
@@ -28,6 +28,8 @@ const MIME = {
   '.woff2': 'font/woff2', '.txt': 'text/plain; charset=utf-8',
 };
 const mime = (file) => MIME[path.extname(file).toLowerCase()] || 'application/octet-stream';
+const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
+const JSON_BODY_LIMIT = 2_000_000;
 
 // The built-in i18n runtime served at /_glash/i18n.js. i18n.mjs is dependency-free
 // and valid browser ESM (its server-only exports are harmless in the browser), so
@@ -99,6 +101,9 @@ export async function createGlashServer({ root = process.cwd(), dev = false } =
         const js = await clientBundle(comp.file, findLayouts(routesDir, comp.file), dev);
         return send(res, 200, 'text/javascript; charset=utf-8', js, { ...secHeaders, 'cache-control': dev ? 'no-store' : 'public, max-age=31536000, immutable' });
       }
+      if (isCrossSiteUnsafeRequest(req, url)) {
+        return send(res, 403, 'application/json', JSON.stringify({ error: 'cross-site request blocked' }), secHeaders);
+      }
       const match = matchRoute(routes, pathname);
       if (!match) return await handleNotFound(res, routes, req, url, cfg, secHeaders, root, routesDir, dev);
       const ctx = makeCtx(req, res, url, match.params);
@@ -138,7 +143,7 @@ export async function createGlashServer({ root = process.cwd(), dev = false } =
     }
   });
 
-  const listen = (port = cfg.port || 3000, host = '0.0.0.0') =>
+  const listen = (port = cfg.port || 3000, host = dev ? '127.0.0.1' : '0.0.0.0') =>
     new Promise((resolve, reject) => {
       const onError = (error) => {
         server.off('listening', onListening);
@@ -158,26 +163,37 @@ export async function createGlashServer({ root = process.cwd(), dev = false } =
 
 async function handleApi(res, mod, req, ctx, secHeaders) {
   const method = req.method.toUpperCase();
+  const apiHeaders = { ...secHeaders, 'cache-control': 'no-store' };
   const handler = mod[method] || (method === 'GET' && mod.default) || mod.handler;
   if (typeof handler !== 'function') {
-    return send(res, 405, 'application/json', JSON.stringify({ error: 'method not allowed' }), secHeaders);
+    return send(res, 405, 'application/json', JSON.stringify({ error: 'method not allowed' }), apiHeaders);
+  }
+  if (UNSAFE_METHODS.has(method)) {
+    try {
+      ctx.body = await readJson(req);
+    } catch (error) {
+      if (error instanceof HttpError) {
+        return send(res, error.status, 'application/json', JSON.stringify({ error: error.message }), apiHeaders);
+      }
+      throw error;
+    }
   }
-  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) ctx.body = await readJson(req);
   const result = await handler(ctx);
   // Next-style route handlers return a Web `Response` (e.g. Response.json(...)).
   // Pass it through so migrated API routes work unchanged.
   if (typeof Response !== 'undefined' && result instanceof Response) {
-    const headers = { ...secHeaders };
-    result.headers.forEach((v, k) => { headers[k] = v; });
+    let responseHeaders = {};
+    result.headers.forEach((v, k) => { responseHeaders[k] = v; });
+    const headers = mergeSafeHeaders(apiHeaders, responseHeaders);
     const buf = Buffer.from(await result.arrayBuffer());
     res.writeHead(result.status || 200, headers);
     return res.end(buf);
   }
   if (result && result.__response) {
     return send(res, result.status || 200, result.contentType || 'application/json',
-      typeof result.body === 'string' ? result.body : JSON.stringify(result.body), { ...secHeaders, ...(result.headers || {}) });
+      typeof result.body === 'string' ? result.body : JSON.stringify(result.body), mergeSafeHeaders(apiHeaders, result.headers));
   }
-  send(res, 200, 'application/json', JSON.stringify(result ?? null), secHeaders);
+  send(res, 200, 'application/json', JSON.stringify(result ?? null), apiHeaders);
 }
 
 async function handlePage(res, mod, ctx, cfg, secHeaders, dev) {
@@ -196,7 +212,8 @@ async function handlePage(res, mod, ctx, cfg, secHeaders, dev) {
     i18n: cfg.i18n,
     nonce, dev,
   });
-  send(res, page.status || 200, 'text/html; charset=utf-8', docHtml, { ...pageHeaders(cfg, secHeaders, nonce), ...(page.headers || {}) });
+  send(res, page.status || 200, 'text/html; charset=utf-8', docHtml,
+    mergeSafeHeaders({ ...pageHeaders(cfg, secHeaders, nonce), ...dynamicCacheHeaders(ctx) }, page.headers));
 }
 
 async function handleComponentPage(res, route, ctx, cfg, secHeaders, root, routesDir, dev) {
@@ -211,7 +228,8 @@ async function handleComponentPage(res, route, ctx, cfg, secHeaders, root, route
   // so <Link> can swap #glash-root and re-hydrate without a full reload.
   if (String(ctx.headers['x-glash-nav'] || '') === '1') {
     const rendered = await renderComponent(mod, props);
-    return send(res, 200, 'application/json', JSON.stringify({ title, html: rendered, props, bundle: `/_glash/${id}.js` }), secHeaders);
+    return send(res, 200, 'application/json', JSON.stringify({ title, html: rendered, props, bundle: `/_glash/${id}.js` }),
+      { ...secHeaders, ...dynamicCacheHeaders(ctx), 'cache-control': 'no-store' });
   }
 
   const nonce = randomBytes(16).toString('base64');
@@ -222,7 +240,7 @@ async function handleComponentPage(res, route, ctx, cfg, secHeaders, root, route
     title, head, offline: cfg.offline, animatedFavicon: !!cfg.animatedFavicon, i18n: cfg.i18n, nonce, dev,
   });
   const bundleTag = `</div><script type="module" src="/_glash/${id}.js"></script>`;
-  res.writeHead(200, { ...pageHeaders(cfg, secHeaders, nonce), 'content-type': 'text/html; charset=utf-8' });
+  res.writeHead(200, { ...pageHeaders(cfg, secHeaders, nonce), ...dynamicCacheHeaders(ctx), 'content-type': 'text/html; charset=utf-8' });
   res.write(open + '<div id="glash-root">'); // flush the shell before rendering
 
   // True Suspense streaming: render the boundary's fallback into the shell now,
@@ -280,22 +298,26 @@ function safeJson(value) {
 async function serveStatic(res, outDir, pathname, req, secHeaders) {
   if (pathname === '/') return false; // let the index page route render
   const rel = pathname.replace(/^\/+/, '');
-  const file = path.join(outDir, rel);
-  if (!file.startsWith(outDir + path.sep)) return false; // path traversal guard
+  const root = await fs.realpath(outDir).catch(() => null);
+  if (!root) return false;
+  const file = path.resolve(root, rel);
+  if (!isInsideRoot(file, root)) return false; // path traversal guard
   const head = req.method === 'HEAD';
   const range = req.headers.range;
   const ae = String(req.headers['accept-encoding'] || '');
 
   // Brotli precompressed sibling — only when the client isn't asking for a byte range.
-  if (!range && ae.includes('br') && existsSync(file + '.br')) {
-    const buf = await fs.readFile(file + '.br');
+  const br = !range && ae.includes('br') ? await staticFile(file + '.br', root) : null;
+  if (br) {
+    const buf = await fs.readFile(br.file);
     res.writeHead(200, { ...secHeaders, 'content-type': mime(file), 'content-encoding': 'br', vary: 'Accept-Encoding', 'cache-control': 'public, max-age=31536000, immutable' });
     res.end(head ? undefined : buf);
     return true;
   }
-  if (!(existsSync(file) && statSync(file).isFile())) return false;
+  const safe = await staticFile(file, root);
+  if (!safe) return false;
 
-  const stat = statSync(file);
+  const { stat } = safe;
   const ct = mime(file);
   // Range requests (video/audio seeking) -> 206 Partial Content.
   if (range) {
@@ -309,13 +331,13 @@ async function serveStatic(res, outDir, pathname, req, secHeaders) {
     }
     res.writeHead(206, { ...secHeaders, 'content-type': ct, 'accept-ranges': 'bytes', 'content-range': `bytes ${start}-${end}/${stat.size}`, 'content-length': end - start + 1, 'cache-control': 'public, max-age=3600' });
     if (head) { res.end(); return true; }
-    createReadStream(file, { start, end }).pipe(res);
+    createReadStream(safe.file, { start, end }).pipe(res);
     return true;
   }
   // Full file — streamed (handles large assets without buffering them in memory).
   res.writeHead(200, { ...secHeaders, 'content-type': ct, 'accept-ranges': 'bytes', 'content-length': stat.size, 'cache-control': 'public, max-age=3600' });
   if (head) { res.end(); return true; }
-  createReadStream(file).pipe(res);
+  createReadStream(safe.file).pipe(res);
   return true;
 }
 
@@ -392,11 +414,41 @@ function makeCtx(req, res, url, params) {
 }
 
 function readJson(req) {
-  return new Promise((resolve) => {
-    let data = '';
-    req.on('data', (c) => { data += c; if (data.length > 2_000_000) req.destroy(); });
-    req.on('end', () => { try { resolve(data ? JSON.parse(data) : {}); } catch { resolve({}); } });
-    req.on('error', () => resolve({}));
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+    let done = false;
+    const fail = (error) => {
+      if (done) return;
+      done = true;
+      reject(error);
+    };
+    req.on('data', (chunk) => {
+      if (done) return;
+      size += chunk.length;
+      if (size > JSON_BODY_LIMIT) {
+        fail(new HttpError(413, `request body exceeds ${JSON_BODY_LIMIT} bytes`));
+        req.destroy();
+        return;
+      }
+      chunks.push(chunk);
+    });
+    req.on('end', () => {
+      if (done) return;
+      done = true;
+      const raw = Buffer.concat(chunks).toString('utf8');
+      if (!raw) return resolve({});
+      if (!isJsonContentType(req.headers['content-type'])) {
+        reject(new HttpError(415, 'content-type must be application/json'));
+        return;
+      }
+      try {
+        resolve(JSON.parse(raw));
+      } catch {
+        reject(new HttpError(400, 'malformed JSON body'));
+      }
+    });
+    req.on('error', () => fail(new HttpError(400, 'request body could not be read')));
   });
 }
 
@@ -426,9 +478,56 @@ function sendMiddlewareResult(res, result, secHeaders) {
   }
   if (result.__response) {
     return send(res, result.status || 200, result.contentType || 'application/json',
-      typeof result.body === 'string' ? result.body : JSON.stringify(result.body), { ...secHeaders, ...(result.headers || {}) });
+      typeof result.body === 'string' ? result.body : JSON.stringify(result.body), mergeSafeHeaders(secHeaders, result.headers));
   }
   // A bare object/string from middleware is treated as a JSON/text body.
   if (typeof result === 'string') return send(res, 200, 'text/plain; charset=utf-8', result, secHeaders);
   return send(res, 200, 'application/json', JSON.stringify(result), secHeaders);
 }
+
+class HttpError extends Error {
+  constructor(status, message) {
+    super(message);
+    this.status = status;
+  }
+}
+
+async function staticFile(candidate, root) {
+  const lst = await fs.lstat(candidate).catch(() => null);
+  if (!lst || !lst.isFile()) return null;
+  const real = await fs.realpath(candidate).catch(() => null);
+  if (!real || !isInsideRoot(real, root)) return null;
+  const stat = await fs.stat(real).catch(() => null);
+  if (!stat || !stat.isFile()) return null;
+  return { file: real, stat };
+}
+
+function isInsideRoot(file, root) {
+  const relative = path.relative(root, file);
+  return relative && !relative.startsWith('..') && !path.isAbsolute(relative);
+}
+
+function isJsonContentType(value = '') {
+  return /(^|;|\s)(application\/json|[^;\s]+\/[^;\s+]+\+json)(;|\s|$)/i.test(String(value));
+}
+
+function isCrossSiteUnsafeRequest(req, url) {
+  if (!UNSAFE_METHODS.has(String(req.method || '').toUpperCase())) return false;
+  if (!req.headers.cookie) return false;
+  const site = String(req.headers['sec-fetch-site'] || '').toLowerCase();
+  if (site === 'cross-site') return true;
+  if (site === 'same-origin' || site === 'same-site' || site === 'none') return false;
+  const source = req.headers.origin || req.headers.referer;
+  if (!source) return false;
+  try {
+    return new URL(source).host !== url.host;
+  } catch {
+    return true;
+  }
+}
+
+function dynamicCacheHeaders(ctx) {
+  return ctx?.headers?.cookie || ctx?.headers?.authorization
+    ? { 'cache-control': 'private, no-store' }
+    : {};
+}