Following our Q4 external security audit, v0.9.4 addresses all identified findings and ships an improved permissions system for teams.
Security Updates
- Audit finding remediations — All medium- and high-priority findings from the Q4 external audit are resolved in this release.
- Session token hardening — Idle sessions now expire after a configurable timeout with a grace-period re-authentication prompt.
- Webhook signature verification — All outbound webhooks now include HMAC signatures for verification by receiving services.
- Rate limiting improvements — Tighter rate limits on authentication and public booking endpoints.
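For receiving services integrating with the webhook signatures mentioned above, the following is an added example of how the verifying side is typically implemented; it is not code from this release or from the product, and it assumes an HMAC-SHA256 hex digest over the raw request body carried in a header named `X-Webhook-Signature`, neither of which the release notes specify. The shared secret and the payload are constructed sample values.

```python
import hashlib
import hmac

# Assumed header name; the release notes do not state the actual one.
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side (assumed scheme): hex HMAC-SHA256 over the exact raw body bytes."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC over the raw bytes and compare in constant time.

    The body must be the bytes as received, before any JSON parsing or
    re-serialisation, otherwise whitespace or key-order changes break the MAC.
    """
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        # Unsigned request: reject. Never fall back to "trust it anyway".
        return False
    expected = sign_payload(secret, body)
    # compare_digest does not short-circuit on the first differing byte, so an
    # attacker cannot learn the correct MAC prefix by timing many guesses.
    return hmac.compare_digest(expected, presented)


# Constructed sample values for a stand-alone run.
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"booking.created","id":"bk_123"}'


def demo() -> dict:
    """Exercise the accept path and the three rejection cases a receiver must handle."""
    good_headers = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}
    return {
        "valid": verify_webhook(SECRET, BODY, good_headers),
        # Body altered in transit: MAC no longer matches.
        "tampered_body": verify_webhook(SECRET, BODY.replace(b"bk_123", b"bk_999"), good_headers),
        # Header absent: treated as unauthenticated, not as "nothing to check".
        "missing_header": verify_webhook(SECRET, BODY, {}),
        # Sender used a different secret (rotated or spoofed): rejected.
        "wrong_secret": verify_webhook(b"some-other-secret", BODY, good_headers),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15} -> {'accepted' if accepted else 'rejected'}")
```

Two points carry over to any real framework: read the header case-insensitively (most HTTP libraries already normalise header names), and verify before the body is parsed, so a malformed or oversized payload from an unauthenticated source is rejected without ever reaching the JSON decoder.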
Staff Permissions Updates
- New View Only role for staff who need read access but not edit permissions.
- Invoice access can now be restricted per role — useful for field staff who should not see billing details.
- Audit log for all admin-level actions, accessible from Business Settings.
Performance
- Scheduler loads 30% faster on accounts with over 500 historical appointments.
- GPS route rendering improved on older mobile devices.