| Feature | Summary |
|---|---|
| FormUpload CpScript | FormUpload now supports a bulk upload mode. When isBulkUpload is set to true, the upload button opens a popup window where users can select multiple files. On submit, all uploaded files are compressed into a single .zip file and the path is stored in the form field. |
| Script Generator > Script > Share Module Search | This feature extends the ShareModuleSearchButton CpScript. It allows console admins to create a custom version of the share button that can process data to a module when clicked. |
| Security > API Information Disclosure Hardening | The window.cpsys JavaScript object rendered on every page has been hardened to prevent information disclosure on public-facing pages. Previously, all pages, including anonymous/public pages, received the full API endpoint map, a JWT bearer token, and user metadata (name, email, user ID) in the page source; a third-party security scanner flagged this as an API blueprint leak on a client site. Changes: (1) the API endpoint map (window.cpsys.Api.Endpoints) and user metadata (window.cpsys.User) are now rendered only for authenticated users, so anonymous/public pages no longer expose this information; (2) the JWT bearer token is now delivered via an HttpOnly session cookie (cp-api-session) instead of being embedded in the page source, so the token is invisible to JavaScript, page-source viewing, and security scanners; (3) the API middleware now accepts authentication from either the Authorization: Bearer header or the cp-api-session HttpOnly cookie; (4) all platform JavaScript (AI Page Assistant, AI Summarization, CpApiManager, Uber error handling) has been updated with hardcoded endpoint path fallbacks so it continues to work without the endpoint map on public pages; (5) the token refresh handler now also updates the HttpOnly cookie when refreshing a token. Breaking change warning: if you have custom JavaScript (entered via Console scripting, CpScript, or custom .aspx pages) that references cpsys.Api.Endpoints.* to look up API paths, those lookups return undefined on public/anonymous pages after this update. Solutions: hardcode the endpoint path directly (e.g., replace cpsys.Api.Endpoints.AI.SummarizeText with '/ai/summarize/text'; the paths are stable and documented in the API documentation); use cpApiManager methods with hardcoded paths (cpApiManager.post('/ai/summarize/text', data) works the same way); on authenticated pages (Console, logged-in member areas), cpsys.Api.Endpoints continues to work as before. Similarly, if custom JavaScript reads cpsys.Api.Token to construct manual Authorization: Bearer headers, that value is undefined on production pages. Solution: use cpApiManager.post(endpoint, data) or cpApiManager.get(endpoint), which handle authentication automatically via cookies. |
| Centralpoint CLI | A new command-line tool centralpoint.exe is now included in the Centralpoint root directory for all sites. The CLI is primarily used for installation and server setup, including database creation, IIS configuration, and prerequisite checks. It is designed as a foundation for future enhancements such as diagnostics, migration utilities, and debugging tools. |
| Master > Sync Methods > Web.Config Security Hardening | A new sync method, SetSecurityDefaults (v8.12.2), has been added to harden web.config security settings across Master and all client sites. It applies the following to Root web.configs: sets requestValidationMode="4.5" on the httpRuntime element, enabling lazy request validation (forced on, upgrading legacy 2.0 values); sets enableVersionHeader="false" on the httpRuntime element, suppressing the X-AspNet-Version HTTP response header; removes the X-Powered-By response header; adds the X-Content-Type-Options: nosniff response header, which prevents MIME-type sniffing attacks; adds the X-Frame-Options: SAMEORIGIN response header (only if not already set), which prevents clickjacking. Console web.configs receive only the httpRuntime settings (requestValidationMode, enableVersionHeader); the response header settings are inherited from the parent Root web.config via IIS configuration inheritance. The sync method supports load-balanced configurations and backs up web.configs before making changes. |
| Master > Deployment > Web Sites | Always On option: a new Always On field has been added to the web site creation form. When set to Yes, the new site's IIS application pool is configured with the AlwaysRunning start mode, preload enabled, and idle timeout disabled, which eliminates cold-start delays by keeping the worker process alive and warm at all times. The option defaults to No, and it is recommended to enable it for only one production site per server to avoid unnecessary memory consumption. Domain URL rewrite on deployment: new optional Old Domain and New Domain fields allow automatic domain replacement during site creation. When provided, all URLs in the site's database content are rewritten from the old domain to the new domain, including content in data records, audiences, and relation tables; this is useful when deploying a site backup from one server to another with a different domain. The rewrite uses a 45-minute SQL timeout and a 1-hour request timeout to handle large databases. Automatic cleanup after site creation: a full site cleanup now runs automatically after every site creation, including file system permissions, orphaned file cleanup, and other maintenance tasks, which eliminates the need to manually run Master > Admin > Utilities > Clean Up after deploying a site. |
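The following is an added example for the "Security > API Information Disclosure Hardening" row above; it is not Centralpoint's own code. It shows how a custom script can resolve an API path so that it keeps working on both authenticated pages (where cpsys.Api.Endpoints is still rendered) and public pages (where it is undefined), using the stable path from the release note as the fallback, and how to find scripts that still read cpsys.Api.Token. The shape of the `cpsys` objects, the recording stand-in for cpApiManager, and the helper names `resolveEndpoint`, `summarizeText` and `referencesHardenedGlobals` are assumptions made for this example; only `cpApiManager.post(path, data)` and the path '/ai/summarize/text' come from the note.

```javascript
// Added example, not Centralpoint code. Helper for custom scripts that must keep
// working after the window.cpsys hardening. Assumptions: the key 'AI.SummarizeText'
// and the fallback path '/ai/summarize/text' are taken from the release note; the
// cpsys objects and the stand-in API manager below are constructed for the example.

// Stable paths documented in the API documentation; extend with the ones your scripts use.
const ENDPOINT_FALLBACKS = {
  'AI.SummarizeText': '/ai/summarize/text',
};

// Walk a dotted key through cpsys.Api.Endpoints, tolerating the whole map being
// absent, which is the case on anonymous/public pages after the update.
function resolveEndpoint(cpsys, key) {
  const endpoints = cpsys && cpsys.Api && cpsys.Api.Endpoints;
  const fromMap = key.split('.').reduce(
    (node, part) => (node && typeof node === 'object' ? node[part] : undefined),
    endpoints,
  );
  if (typeof fromMap === 'string') return fromMap;
  if (Object.prototype.hasOwnProperty.call(ENDPOINT_FALLBACKS, key)) {
    return ENDPOINT_FALLBACKS[key];
  }
  throw new Error(`No endpoint path known for ${key}`);
}

// Issue the request the way the note recommends: a hardcoded path and no manual
// Authorization header. `apiManager` stands in for cpApiManager, whose
// post(path, data) signature is the one shown in the release note.
function summarizeText(apiManager, cpsys, text) {
  const path = resolveEndpoint(cpsys, 'AI.SummarizeText');
  return apiManager.post(path, { text });
}

// Constructed stand-ins for the two page types.
const authenticatedCpsys = {
  Api: { Endpoints: { AI: { SummarizeText: '/ai/summarize/text' } } },
  User: { Name: 'example-user' },
};
const publicCpsys = { Api: {} }; // no Endpoints, no Token, no User

// Constructed stand-in for cpApiManager that records calls instead of sending
// them; the real object authenticates via the cp-api-session cookie by itself.
function makeRecordingApiManager() {
  const calls = [];
  return {
    calls,
    post(path, data) {
      calls.push({ method: 'POST', path, data });
      return Promise.resolve({ ok: true });
    },
  };
}

// Pre-deployment review aid: flag custom script source that still reads the
// globals the update removed from public pages. A match is a candidate for
// review, not necessarily a defect (Endpoints still works on authenticated pages).
function referencesHardenedGlobals(scriptSource) {
  return /\bcpsys\.Api\.Token\b/.test(scriptSource) ||
         /\bcpsys\.Api\.Endpoints\b/.test(scriptSource);
}
```

On a public page `resolveEndpoint` falls through to the fallback table, on an authenticated page it returns the rendered map entry, and in both cases the request goes through the API manager so no script ever needs the token itself.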
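The following is an added example for the "Master > Sync Methods > Web.Config Security Hardening" row above; it is not part of the SetSecurityDefaults sync method or any Centralpoint code. It audits a site's HTTP response headers against the header changes the note lists (X-Powered-By and X-AspNet-Version removed, X-Content-Type-Options: nosniff and X-Frame-Options added), which is how an admin can confirm after a sync that the Root settings are actually being served, including on Console paths that inherit them. The two header sets and the function name `auditResponseHeaders` are constructed for this example; accepting DENY as well as SAMEORIGIN for X-Frame-Options is an assumption that follows from the note only adding the header when it is not already set.

```javascript
// Added example, not Centralpoint code. Audits response headers against the
// settings the SetSecurityDefaults sync method is documented to apply. The
// header sets below are constructed; for a real check pass
// Object.fromEntries(response.headers) from a fetch() of the site.

// Expectations taken from the release note. Header names are compared
// case-insensitively because HTTP header names are case-insensitive.
const EXPECTED = {
  // Headers the sync method removes or suppresses.
  absent: ['x-powered-by', 'x-aspnet-version'],
  // Headers it adds, with the values considered acceptable.
  present: {
    'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
    // SAMEORIGIN is what the sync writes; DENY is assumed acceptable because an
    // already-set value is left in place and DENY is at least as restrictive.
    'x-frame-options': (v) => ['sameorigin', 'deny'].includes(v.trim().toLowerCase()),
  },
};

// Lower-case the header names so lookups do not depend on server casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Returns an array of findings; an empty array means every expectation holds.
function auditResponseHeaders(headers) {
  const h = normalizeHeaders(headers);
  const findings = [];
  for (const name of EXPECTED.absent) {
    if (name in h) findings.push(`${name} still present (${h[name]})`);
  }
  for (const [name, isAcceptable] of Object.entries(EXPECTED.present)) {
    if (!(name in h)) {
      findings.push(`${name} missing`);
    } else if (!isAcceptable(h[name])) {
      findings.push(`${name} has unexpected value (${h[name]})`);
    }
  }
  return findings;
}

// Constructed: a typical un-hardened ASP.NET response before the sync runs.
const BEFORE_SYNC = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Powered-By': 'ASP.NET',
  'X-AspNet-Version': '4.0.30319',
};

// Constructed: the same response once the Root web.config settings are in effect.
const AFTER_SYNC = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
};
```

The httpRuntime requestValidationMode change has no header to observe, so that one is verified by reading the web.config (or its backup) rather than by this audit. In a load-balanced deployment run the check against each node, since the sync writes a web.config per server.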