Week in review
This week we hardened the API surface, improved security headers, and completed a full production audit to ensure everything shipped in v1.0 meets our quality bar.
Updates
- API spec updated to v0.9.1 — Four additional utility endpoints are now documented: auth callback, sign-out, health check, and the interactive Swagger UI. Error responses from plan-gated routes now include currentPlan and requiredPlan fields so you can programmatically detect when an upgrade is needed.
- Security headers on API endpoints — The API documentation endpoint now returns X-Content-Type-Options: nosniff to prevent MIME-type sniffing. The health endpoint includes a Cache-Control header. The auth callback validates redirect targets to prevent CRLF injection.
- Richer error responses — Payment receipt and move-out report endpoints now return structured error responses on failure instead of generic errors, making it easier to handle edge cases in your integrations.
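One way an auth callback can validate a redirect target before it reaches a Location header, as mentioned in the security headers item above. This is an added example, not the project's own code: `safeRedirectTarget`, `APP_ORIGIN` and `FALLBACK` are hypothetical names, and the check goes slightly beyond the CRLF case by also rejecting off-origin targets.

```javascript
// Added example: all names and values below are hypothetical.
const APP_ORIGIN = "https://app.example.test"; // assumed application origin
const FALLBACK = "/";                           // assumed safe default path

const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;  // includes CR (0x0d) and LF (0x0a)

// Returns a same-origin path that is safe to place in a Location header,
// or FALLBACK when the input cannot be trusted.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return FALLBACK;
  }
  // Decode once so that %0d%0a is inspected in its decoded form.
  // Malformed percent-escapes are rejected outright.
  let decoded;
  try {
    decoded = decodeURIComponent(raw);
  } catch {
    return FALLBACK;
  }
  // A CR, LF or other control character could split the response header.
  if (CONTROL_CHARS.test(raw) || CONTROL_CHARS.test(decoded)) {
    return FALLBACK;
  }
  // Accept local paths only: a single leading slash, no "//" prefix
  // (scheme-relative URL) and no backslash (treated as "/" by browsers).
  if (!decoded.startsWith("/") || decoded.startsWith("//") || decoded.includes("\\")) {
    return FALLBACK;
  }
  // Resolve against our own origin and confirm the result stayed on it.
  let url;
  try {
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }
  if (url.origin !== APP_ORIGIN) {
    return FALLBACK;
  }
  // Emit the parser's normalized form, never the raw input.
  return url.pathname + url.search + url.hash;
}
```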
Bug fixes
- Fixed a cross-site scripting vulnerability on the pricing page where content was rendered unsafely. The page now uses safe text rendering throughout.
- Resolved eight code quality issues across the platform identified during the production audit, including stricter variable declarations and safer rendering patterns.
Last modified on April 16, 2026