Two hardening fixes from a fresh security pass of the live code: - SESSION_COOKIE_SECURE=True: the session cookie set only HTTPONLY + SAMESITE=Lax, so it could be sent over plaintext HTTP. App is served behind nginx TLS, so no functional downside. - _nginx_ban: validate the IP with ipaddress.ip_address() before interpolating it into the nginx deny file. A malformed value could otherwise inject nginx directives at the last write before reload. Guard sits at the sink, covering all current and future callers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description
LLM Team UI - Full-stack local AI orchestration platform
Languages
Python
97.4%
Shell
2.6%