shell-mirror 1.5.50 → 1.5.52

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "shell-mirror",
-  "version": "1.5.50",
+  "version": "1.5.52",
   "description": "Access your Mac shell from any device securely. Perfect for mobile coding with Claude Code CLI, Gemini CLI, and any shell tool.",
   "main": "server.js",
   "bin": {

package/public/app/.htaccess

@@ -0,0 +1,15 @@
+# Disable directory browsing
+Options -Indexes
+
+# Require authentication for sensitive app files
+<RequireAll>
+    Require valid-user
+</RequireAll>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options SAMEORIGIN
+    Header always set X-XSS-Protection "1; mode=block"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>

package/public/php-backend/.htaccess

@@ -0,0 +1,15 @@
+# Disable directory browsing
+Options -Indexes
+
+# Prevent access to sensitive files
+<FilesMatch "\.(log|txt|bak|sql|ini|conf)$">
+    Order deny,allow
+    Deny from all
+</FilesMatch>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always set X-XSS-Protection "1; mode=block"
+</IfModule>

package/server.js

@@ -28,11 +28,17 @@ const server = http.createServer(app);
 const wss = new WebSocket.Server({ server });
 
 // --- Session Management ---
+const sessionLifetime = isProduction ? (30 * 24 * 60 * 60 * 1000) : (7 * 24 * 60 * 60 * 1000); // 30 days production, 7 days development
 const sessionParser = session({
   secret: process.env.SESSION_SECRET,
   resave: false,
   saveUninitialized: false,
-  cookie: { secure: process.env.NODE_ENV === 'production' }
+  cookie: { 
+    secure: isProduction,
+    maxAge: sessionLifetime,
+    httpOnly: true,
+    sameSite: 'lax'
+  }
 });
 app.use(sessionParser);
 app.use(passport.initialize());