securenow 5.8.1 → 5.10.0

package/cli/auth.js

@@ -10,7 +10,7 @@ function openBrowser(url) {
   try {
     const platform = process.platform;
     if (platform === 'darwin') execFileSync('open', [url], { stdio: 'ignore' });
-    else if (platform === 'win32') execFileSync('cmd', ['/c', 'start', '', url], { stdio: 'ignore' });
+    else if (platform === 'win32') execFileSync('rundll32', ['url.dll,FileProtocolHandler', url], { stdio: 'ignore' });
     else execFileSync('xdg-open', [url], { stdio: 'ignore' });
     return true;
   } catch {

package/cli/config.js

@@ -32,6 +32,12 @@ function loadJSON(filepath) {
 function saveJSON(filepath, data) {
   ensureDir();
   fs.writeFileSync(filepath, JSON.stringify(data, null, 2), { encoding: 'utf8', mode: 0o600 });
+  if (process.platform === 'win32') {
+    try {
+      const { execFileSync } = require('child_process');
+      execFileSync('icacls', [filepath, '/inheritance:r', '/grant:r', `${process.env.USERNAME}:F`], { stdio: 'ignore' });
+    } catch (_) {}
+  }
 }
 
 function loadConfig() {

package/console-instrumentation.js

@@ -36,6 +36,12 @@ if (!logger) {
   return;
 }
 
+if (console.__securenow_patched) {
+  console.warn('[securenow] Console already instrumented by tracing.js — skipping to avoid duplicate logs.');
+  module.exports = {};
+  return;
+}
+
 // Store original console methods
 const originalConsole = {
   log: console.log,

package/free-trial-banner.js

@@ -107,7 +107,8 @@ function patchHttpForBanner() {
       if (res._snIsHtml === undefined) {
         var ct = res.getHeader('content-type');
         var ce = res.getHeader('content-encoding');
-        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce);
+        var csp = res.getHeader('content-security-policy');
+        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce && !csp);
       }
       if (!res._snIsHtml) {
         res._snBannerDone = true;
@@ -136,6 +137,11 @@ function patchHttpForBanner() {
         if (modified !== chunk) {
           var enc = typeof encoding === 'function' ? 'utf8' : encoding;
           var callback = typeof encoding === 'function' ? encoding : cb;
+          try {
+            if (this.getHeader('content-length')) {
+              this.setHeader('content-length', Buffer.byteLength(modified));
+            }
+          } catch (_) { /* headers already sent */ }
           return _origWrite.call(this, modified, enc, callback);
         }
       } catch (_) { /* never break the app */ }

package/nextjs-auto-capture.js

@@ -33,7 +33,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -139,7 +139,6 @@ function patchNextRequest() {
   
   const originalText = Request.prototype.text;
   const originalJson = Request.prototype.json;
-  const originalFormData = Request.prototype.formData;
   
   // Patch text() to cache result
   Request.prototype.text = async function() {
@@ -171,13 +170,6 @@ function patchNextRequest() {
     return JSON.parse(text);
   };
   
-  // Patch formData() to cache and capture  
-  Request.prototype.formData = async function() {
-    const text = await this.text();
-    const params = new URLSearchParams(text);
-    return params;
-  };
-  
   console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
 }
 

package/nextjs-middleware.js

@@ -27,12 +27,16 @@ const DEFAULT_SENSITIVE_FIELDS = [
 /**
  * Redact sensitive fields from an object
  */
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   if (!obj || typeof obj !== 'object') return obj;
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -54,9 +58,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   let redacted = query;
   
   sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {

package/nextjs-wrapper.js

@@ -32,7 +32,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {

package/nextjs.js

@@ -68,10 +68,9 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
-    // Check if field is sensitive
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
       redacted[key] = '[REDACTED]';
     } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
@@ -83,6 +82,10 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive data from GraphQL query strings
  */
@@ -94,10 +97,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   // Redact sensitive fields in GraphQL arguments and variables
   // Matches patterns like: password: "value" or password:"value" or password:'value'
   sensitiveFields.forEach(field => {
-    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -114,115 +117,6 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
-/**
- * Parse and capture request body safely
- */
-async function captureRequestBody(request, maxSize = 10240) {
-  try {
-    const contentType = request.headers['content-type'] || '';
-    let body = '';
-    
-    // Collect body chunks
-    const chunks = [];
-    let size = 0;
-    
-    return new Promise((resolve) => {
-      request.on('data', (chunk) => {
-        size += chunk.length;
-        if (size <= maxSize) {
-          chunks.push(chunk);
-        }
-      });
-      
-      request.on('end', () => {
-        if (size > maxSize) {
-          resolve({ 
-            captured: false, 
-            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
-            size 
-          });
-          return;
-        }
-        
-        body = Buffer.concat(chunks).toString('utf8');
-        
-        // Parse based on content type
-        if (contentType.includes('application/json')) {
-          try {
-            const parsed = JSON.parse(body);
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: body.substring(0, 1000),
-              parseError: true,
-              size 
-            });
-          }
-        } else if (contentType.includes('application/graphql')) {
-          // GraphQL queries need redaction too!
-          resolve({ 
-            captured: true, 
-            type: 'graphql', 
-            body: body,  // Will be redacted later
-            size 
-          });
-        } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured (files can be huge)
-          resolve({ 
-            captured: false, 
-            type: 'multipart', 
-            reason: 'Multipart data not captured (file uploads)',
-            size 
-          });
-        } else if (contentType.includes('application/x-www-form-urlencoded')) {
-          try {
-            const params = new URLSearchParams(body);
-            const parsed = Object.fromEntries(params);
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: body.substring(0, 1000),
-              size 
-            });
-          }
-        } else {
-          resolve({ 
-            captured: true, 
-            type: 'text', 
-            body: body.substring(0, 1000),
-            size 
-          });
-        }
-      });
-      
-      request.on('error', () => {
-        resolve({ captured: false, reason: 'Stream error' });
-      });
-      
-      // Timeout after 100ms
-      setTimeout(() => {
-        resolve({ captured: false, reason: 'Timeout' });
-      }, 100);
-    });
-  } catch (error) {
-    return { captured: false, reason: error.message };
-  }
-}
-
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
@@ -281,10 +175,9 @@ function registerSecureNow(options = {}) {
     const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
     const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
 
-    // Set environment variables for @vercel/otel to pick up
-    process.env.OTEL_SERVICE_NAME = serviceName;
-    process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
 
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
 
@@ -292,7 +185,7 @@ function registerSecureNow(options = {}) {
     const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || 
                        String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
                        options.captureBody === true;
-    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
@@ -326,14 +219,19 @@ function registerSecureNow(options = {}) {
           const clientIp = headers['x-client-ip'];
           const socketIp = request.socket?.remoteAddress;
           
-          // Primary IP (first in chain is the real client)
-          const primaryIp = 
-            (forwardedFor ? forwardedFor.split(',')[0]?.trim() : null) ||
-            realIp ||
-            cfConnectingIp ||
-            clientIp ||
-            socketIp ||
-            'unknown';
+          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
+          let primaryIp = socketIp || 'unknown';
+          if (isProxied) {
+            if (forwardedFor) {
+              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
+              for (let i = chain.length - 1; i >= 0; i--) {
+                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
+              }
+            } else {
+              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
+            }
+          }
           
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] || 
@@ -588,10 +486,9 @@ function registerSecureNow(options = {}) {
                 const start = Date.now();
                 const method = req.method;
                 const url = req.url;
-                const reqCtx = otelContext.active();
-                const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
-
                 res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                   const duration = Date.now() - start;
                   const status = res.statusCode;
                   const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.8.1",
+  "version": "5.10.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -53,6 +53,10 @@ const DEFAULT_SENSITIVE_FIELDS = [
   'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
 ];
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive fields from an object
  */
@@ -61,7 +65,7 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
@@ -84,10 +88,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   // Redact sensitive fields in GraphQL arguments and variables
   sensitiveFields.forEach(field => {
-    // Match patterns: field: "value" or field: 'value' or field:"value"
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -118,7 +122,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
   const boundary = extractBoundary(contentType);
   if (!boundary) { onComplete({ error: 'BOUNDARY_NOT_FOUND' }); return; }
 
-  const result = { fields: {}, files: [] };
+  const result = { fields: Object.create(null), files: [] };
   let totalSize = 0;
   let buf = Buffer.alloc(0);
 
@@ -139,7 +143,7 @@ function collectMultipartMeta(request, contentType, sensitiveFields, maxTextFiel
   let textVal = '';
 
   function flushPart() {
-    if (!fldName) return;
+    if (!fldName || fldName === '__proto__' || fldName === 'constructor' || fldName === 'prototype') return;
     if (isFile) {
       result.files.push({ field: fldName, filename: fName, contentType: pCT || 'unknown', size: bodyBytes });
     } else {
@@ -316,7 +320,7 @@ for (const n of (env('SECURENOW_DISABLE_INSTRUMENTATIONS') || '').split(',').map
 
 // -------- Body Capture Configuration --------
 const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true';
-const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
@@ -328,7 +332,7 @@ const captureMultipart = String(env('SECURENOW_CAPTURE_MULTIPART')) === '1' || S
 // This prevents end-users from spoofing their IP via custom headers.
 const os = require('os');
 const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
-const PRIVATE_IP_RE = /^(127\.|::1|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|fc|fd)/;
+const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
 const trustedProxyCsv = (env('SECURENOW_TRUSTED_PROXIES') || '').trim();
 const trustedProxySet = trustedProxyCsv ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean)) : null;
 
@@ -366,7 +370,7 @@ function resolveClientIp(request) {
     for (let i = chain.length - 1; i >= 0; i--) {
       if (!isFromTrustedProxy(chain[i])) return chain[i];
     }
-    return chain[0] || socketIp;
+    return socketIp;
   }
   const headerIp = request.headers['x-real-ip'];
   if (headerIp) return headerIp;
@@ -390,12 +394,12 @@ const httpInstrumentation = new HttpInstrumentation({
         span.setAttribute('http.client_ip', clientIp);
       }
 
-      if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
         
-        if (contentType.includes('application/json') || 
+        if (captureBody && (contentType.includes('application/json') || 
             contentType.includes('application/graphql') ||
-            contentType.includes('application/x-www-form-urlencoded')) {
+            contentType.includes('application/x-www-form-urlencoded'))) {
           
           let body = '';
           const chunks = [];
@@ -443,9 +447,9 @@ const httpInstrumentation = new HttpInstrumentation({
                   });
                 }
               } catch (e) {
-                // Parse error: capture as-is (truncated)
-                span.setAttribute('http.request.body', body.substring(0, 1000));
+                span.setAttribute('http.request.body', '[UNPARSEABLE - REDACTED FOR SAFETY]');
                 span.setAttribute('http.request.body.parse_error', true);
+                span.setAttribute('http.request.body.size', size);
               }
             } else if (size > maxBodySize) {
               span.setAttribute('http.request.body', `[TOO LARGE: ${size} bytes]`);
@@ -541,6 +545,7 @@ if (loggingEnabled) {
   console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
   console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
   console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
+  console.__securenow_patched = true;
 }
 
 // -------- SDK --------

package/web-vite.mjs

@@ -55,27 +55,36 @@ const baseName = rawBase || null;
 const noUuid = String(env('SECURENOW_NO_UUID')) === '1' || String(env('SECURENOW_NO_UUID')).toLowerCase() === 'true';
 const strict = String(env('SECURENOW_STRICT')) === '1' || String(env('SECURENOW_STRICT')).toLowerCase() === 'true';
 
-// Simple UUID v4 (no crypto dependency needed)
 function uuidv4(): string {
-  const rnd = (n = 16) => Array.from({ length: n }, () => Math.floor(Math.random() * 16).toString(16)).join('');
-  return `${rnd(8)}-${rnd(4)}-4${rnd(3)}-${((8 + Math.random()*4)|0).toString(16)}${rnd(3)}-${rnd(12)}`;
+  if (typeof crypto !== 'undefined' && crypto.randomUUID) {
+    return crypto.randomUUID();
+  }
+  const bytes = new Uint8Array(16);
+  if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+    crypto.getRandomValues(bytes);
+  } else {
+    for (let i = 0; i < 16; i++) bytes[i] = Math.floor(Math.random() * 256);
+  }
+  bytes[6] = (bytes[6] & 0x0f) | 0x40;
+  bytes[8] = (bytes[8] & 0x3f) | 0x80;
+  const hex = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
+  return `${hex.slice(0,8)}-${hex.slice(8,12)}-${hex.slice(12,16)}-${hex.slice(16,20)}-${hex.slice(20)}`;
 }
 
 let serviceName: string;
+let disabled = false;
 if (baseName) {
   serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
 } else {
   if (strict) {
     console.error('[securenow/web-vite] FATAL: SECURENOW_APPID/OTEL_SERVICE_NAME missing and SECURENOW_STRICT=1. Tracing disabled.');
-    // Do not start tracing
     // @ts-expect-error
     window.__SECURENOW_DISABLED__ = true;
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const _noop = true;
-    // early return by throwing a no-op error caught below:
-    throw new Error('__SECURENOW_NO_START__');
+    disabled = true;
+    serviceName = 'disabled';
+  } else {
+    serviceName = `securenow-free-${uuidv4()}`;
   }
-  serviceName = `securenow-free-${uuidv4()}`;
 }
 
 const instancePrefix = baseName || 'securenow';
@@ -99,7 +108,7 @@ try {
 let started = false;
 
 export function startSecurenowWeb() {
-  if (started) return;
+  if (started || disabled) return;
   started = true;
 
   const exporter = new OTLPTraceExporter({
@@ -124,20 +133,21 @@ export function startSecurenowWeb() {
       new DocumentLoadInstrumentation(),
       new UserInteractionInstrumentation(),
       new FetchInstrumentation({
-        propagateTraceHeaderCorsUrls: [/.*/],
+        propagateTraceHeaderCorsUrls: [new RegExp(`^${location.origin.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`)],
         ignoreUrls: [/\/vite\/hmr/, /^chrome-extension:\/\//, /sockjs/],
       }),
       new XMLHttpRequestInstrumentation({
-        propagateTraceHeaderCorsUrls: [/.*/],
+        propagateTraceHeaderCorsUrls: [new RegExp(`^${location.origin.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}`)],
       }),
     ],
   });
 
   // Optional smoke span (same flag name)
   if (String(env('SECURENOW_TEST_SPAN')) === '1') {
-    const api = await import('@opentelemetry/api');
-    const tracer = api.trace.getTracer('securenow-smoke');
-    const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    import('@opentelemetry/api').then(api => {
+      const tracer = api.trace.getTracer('securenow-smoke');
+      const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    }).catch(() => {});
   }
 
   // eslint-disable-next-line no-console
@@ -223,9 +233,7 @@ try {
   startSecurenowWeb();
   injectFreeTrialBanner();
 } catch (e: any) {
-  if (String(e?.message) !== '__SECURENOW_NO_START__') {
-    console.error('[securenow/web-vite] failed to start:', e);
-  }
+  console.error('[securenow/web-vite] failed to start:', e);
 }
 
 export default startSecurenowWeb;