March Updates
Posted by Ash Qin
on 01 April 2025, 12:17:32 am
This month, we published two separate security advisories detailing significant vulnerabilities,
alongside a broader range of security enhancements like improved password hashing and session management.
TL;DR
We've overhauled critical security layers, squashed some rather entertaining (and occasionally catastrophic) bugs
and banished a chunk of old, creaky code to the digital abyss.
Along the way,
we revamped everything from password hashing to character encoding
and somehow still found time to tinker with a very peculiar ring-speed limit.
Security Reinforcements
Two Major Security Disclosures
- Exposed API Key & SQL Injection
  - Coyote Enthusiast's report helped us discover that a hidden API key was exposed.
    We also found widespread use of addslashes(),
    a deprecated method that offered inadequate protection against SQL injection.
    We replaced everything with modern, secure alternatives like prepared statements (PDO),
    removed the exposed key, and hardened queries.
  - Alpha-Fox Security Disclosure Report 2025.03.08
- Ring-Speed Crash Exploit
  - Tornado Siren discovered that entering ring speeds near zero caused scripts to crash due to division-by-zero errors.
    We now restrict values to 30-300, a range tested to prevent that issue and infinite loops.
  - Alpha-Fox Security Disclosure Report 2025.03.21
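To make the addslashes() point concrete, here is an added example (not Alpha-Fox's code) that puts the legacy escape-and-concatenate pattern beside a PDO prepared statement. The gates table, its rows, the function names and the sample input are all constructed for the demonstration, and it assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gates (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
$pdo->exec("INSERT INTO gates (owner, name) VALUES
    ('alice', 'Abydos'), ('bob', 'Chulak'), ('carol', 'Dakara')");

/**
 * Legacy pattern: escape with addslashes() and concatenate into the query.
 * addslashes() only touches quotes, backslashes and NUL bytes, so it cannot
 * constrain a value that is placed outside a quoted string.
 */
function findGateLegacy(PDO $pdo, string $id): array
{
    $sql = 'SELECT name FROM gates WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Hardened pattern: the value travels as a bound parameter, never as SQL text. */
function findGatePrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM gates WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Prepared write and read-back: apostrophes are stored exactly as typed. */
function renameGatePrepared(PDO $pdo, int $id, string $name): string
{
    $write = $pdo->prepare('UPDATE gates SET name = :name WHERE id = :id');
    $write->execute([':name' => $name, ':id' => $id]);

    $read = $pdo->prepare('SELECT name FROM gates WHERE id = :id');
    $read->execute([':id' => $id]);
    return (string) $read->fetchColumn();
}

// Constructed input with no quote characters, so addslashes() leaves it unchanged.
$untrusted = '0 OR 1=1';

printf("legacy, untrusted id   : %s\n", json_encode(findGateLegacy($pdo, $untrusted)));
printf("prepared, untrusted id : %s\n", json_encode(findGatePrepared($pdo, $untrusted)));
printf("prepared, id 2         : %s\n", json_encode(findGatePrepared($pdo, '2')));
printf("stored after rename    : %s\n", renameGatePrepared($pdo, 1, "O'Neill's Gate"));
```

The legacy function returns every row for the untrusted value because the input became part of the SQL, while the prepared version treats the same string as a value that matches no id.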
Password Hashing
We have replaced our password hashing system,
removing the last vestiges of the legacy forum code running our website login system.
But what is hashing?
Imagine your password is the key to your digital house.
You would not leave that key under the doormat for anyone to grab, right?
Websites feel the same way; they do not store your actual password.
Instead, they keep a unique "fingerprint" of it, called a hash.
Think of this hash as a super-scrambled code that represents your password.
When you log in, the site scrambles the password you type in and compares it to the stored hash.
If they match, you are in!
This clever process means that even if someone has a look at the stored hash,
they cannot quickly work out your password.
What Exactly Is a "Hashing Method"?
A hashing method (or hashing algorithm) is like the "recipe" or "blueprint"
that explains how your password gets scrambled into its unique fingerprint.
Each hashing method has a specific way of mixing up letters, numbers
and symbols into a jumbled mess of characters, and only the correct one will work in the lock:
- MD5 and SHA1 (older methods) are a bit like a basic puzzle that might have been tough to solve 20 years ago.
But computers today can unscramble them pretty quickly, making these older "recipes" easier for attackers to crack.
- More modern methods such as Bcrypt or Argon2 increase the difficulty.
They're designed so that even superfast computers must spend much time and effort trying to unscramble them.
This makes them far more secure.
Just like a more complex recipe can take longer to cook,
a more burdensome hashing method is more time-consuming for an attacker to crack,
which drastically improves your password's safety.
Choosing the Hashing Method
In the PHP world, which Alpha-Fox uses,
the password_hash() function is like a master locksmith:
it automatically picks the best available hashing method (via PASSWORD_DEFAULT)
so you don't have to worry about which specific method is strongest.
Right now, that's usually something like Bcrypt or Argon2,
but as soon as a better "lock" becomes standard, PASSWORD_DEFAULT will switch to that.
This future-proofing ensures your passwords remain protected without forcing us to rewrite the code for each new change.
Verifying the Password
When you attempt to unlock the safe, Alpha-Fox uses another function in PHP,
password_verify('your_password', $storedHash),
to check whether your typed-in password (scrambled the same way) matches the stored hash.
If they match, welcome home!
Quietly Upgrading Old Locks
What happens to passwords hashed using older methods?
That's where password_needs_rehash() comes in.
Imagine having a locksmith regularly check your lock every time you enter:
- When a user logs in, the system verifies their password using password_verify().
- The system then asks password_needs_rehash() if the lock (hash) is still good.
If it's an older, weaker lock,
or if we decide to make the lock more robust (increase the "cost" or the complexity),
password_needs_rehash() notices.
- Because the user is logging in with the actual password,
the system can apply a more potent "recipe" (like Bcrypt or Argon2) to create a new hash.
It replaces the old hash silently, strengthening your security behind the scenes.
The result?
Every time you log in, Alpha-Fox locks and double-checks the password with the latest and best security methods,
ensuring those digital "house keys" stay protected.
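The verify-then-upgrade flow described above, as an added example rather than Alpha-Fox's own code. The in-memory user list, the login() function name and the cost values (8 for the old hash, 12 for the current policy) are assumptions chosen for the demonstration.

```php
<?php
declare(strict_types=1);

// Assumed policy for this example only; the post does not state Alpha-Fox's settings.
// 'cost' applies while PASSWORD_DEFAULT resolves to bcrypt.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Constructed "users table" (username => stored hash). The hash is created with
// a cheaper cost to stand in for an account hashed under an older setting.
$users = [
    'sam' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 8]),
];

/**
 * Verify a login and, only after a successful verification, upgrade the
 * stored hash if it no longer matches the current policy.
 */
function login(array &$users, string $username, string $password): bool
{
    $stored = $users[$username] ?? null;
    if ($stored === null) {
        return false;                      // unknown account
    }

    if (!password_verify($password, $stored)) {
        return false;                      // wrong password: never touch the stored hash
    }

    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        // This is the only moment the plaintext is available, so the
        // upgrade has to happen inside the login request itself.
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }

    return true;
}

$costBefore = password_get_info($users['sam'])['options']['cost'];
$wrong      = login($users, 'sam', 'wrong guess');
$costAfterFailure = password_get_info($users['sam'])['options']['cost'];
$right      = login($users, 'sam', 'correct horse battery staple');
$costAfterSuccess = password_get_info($users['sam'])['options']['cost'];

printf("cost before any login      : %d\n", $costBefore);
printf("wrong password accepted    : %s\n", var_export($wrong, true));
printf("cost after failed login    : %d\n", $costAfterFailure);
printf("right password accepted    : %s\n", var_export($right, true));
printf("cost after successful login: %d\n", $costAfterSuccess);
printf("new hash still verifies    : %s\n",
    var_export(password_verify('correct horse battery staple', $users['sam']), true));
```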
Sessions
We have also rebuilt our session management to replace the last parts of the legacy forum code,
which previously handled it.
But what exactly are sessions?
Think of sessions like VIP wristbands;
they give backstage access to your account without asking for your password at every turn.
Underneath the bonnet,
our system is built on PHP's session functionality,
with a few custom tweaks to make it even more intelligent.
A Look Behind the Curtain (PHP's Magic)
When you visit, PHP sets a cookie in your browser.
This session cookie carries a random, unique ID, like an invisible wristband.
Then, once you log in, the server creates a matching record keyed to that same ID,
storing all the details needed to recognise you.
This record contains all the necessary data to track your session, like your user ID and login status.
Each page you visit sends the session cookie back to the server, which looks up your saved session data
and says, "Yes, this is you!".
This simple response means you do not have to repeatedly prove your identity.
Session Fixation Attack Prevention
What if a bad actor tries to slip you a "cloned" VIP wristband, one they already know,
so that when you log in, they can effectively piggyback on your session afterwards?
That's called a "session fixation attack".
One of our custom tweaks is that we prevent this by automatically changing
(or "rotating") your session ID whenever you log in.
It's like the bouncer ripping off any old wristband and slapping on a fresh one as soon as you enter.
This rotation of sessions ensures
that any session ID an attacker might have guessed or shared with you becomes useless the moment
you successfully authenticate.
The second you log in, you get a brand-new, random session ID,
making it nearly impossible for someone else to hijack your session mid-stream.
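A sketch of the rotation step using PHP's built-in session functions, added here as an example and not taken from Alpha-Fox's code. The function names, the cookie settings and the user ID 42 are assumptions; run it from the command line, where all session calls happen before any output.

```php
<?php
declare(strict_types=1);

/** Start a session with settings that make planted IDs harder to use. */
function startSession(): void
{
    // Must run before any output: session settings and IDs travel in HTTP headers.
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call only after the password check has succeeded. */
function completeLogin(int $userId): void
{
    // Issue a fresh ID and delete the pre-login record (the `true` argument),
    // so an ID known before authentication identifies nothing afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

/** Simulate a later request that presents the pre-login ID. */
function preLoginIdStillAuthenticated(string $oldId): bool
{
    session_write_close();          // finish the logged-in request
    session_id($oldId);             // the ID that existed before login
    session_start();
    $authenticated = isset($_SESSION['user_id']);
    session_destroy();              // clean up whatever this probe opened
    return $authenticated;
}

startSession();
$preLoginId = session_id();         // what a visitor holds before authenticating
completeLogin(42);                  // 42 is a constructed user ID
$postLoginId = session_id();
$replayWorks = preLoginIdStillAuthenticated($preLoginId);

// All output happens last, after every session call has completed.
printf("ID changed at login           : %s\n", var_export($preLoginId !== $postLoginId, true));
printf("pre-login ID still logged in  : %s\n", var_export($replayWorks, true));
```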
Manage Sessions
Want to see where you are logged in?
Hop over to the new Manage Sessions section under My Account.
You'll see all current sessions that belong to you,
from your work laptop to your phone to that tablet you used last month.
If a session seems suspicious (for instance, a login from a city or country you haven't visited),
you can "zap" it to instantly log that device out.
This feature is beneficial if:
- You forgot to log out from a public or shared computer.
- You notice an unusual login from a place you have never been.
- You just want to do a quick security check and keep track of your active logins.
The Remember Me Factor
By default, your VIP pass (the session) is set to last seven days or until you close your browser,
whichever comes first.
After that, you will need to log in again to refresh it.
But if you select Remember Me at the login, we'll give you an extra perk:
if you return before your seven-day session expires,
your session will automatically reset for another seven days.
It's like tapping the bouncer on the shoulder and saying,
"Hey, I'm still here; extend my pass!" without lifting a finger.
This helps ensure you can keep accessing your account with minimal fuss,
all while using secure, time-based tokens under the hood.
Enhancing Security with Best Practices
For a more technical look at how Alpha-Fox follows modern security best practices for session management,
you can explore the OWASP Session Management Cheat Sheet,
which outlines the standards we align with.
Stronger Passwords
Remember how your password is the key to your digital house we discussed earlier?
Leaving a short or weak password is like sticking that key under the doormat, an open invitation for anyone to walk in.
Hackers launch brute-force attacks
that systematically try every possible combination,
and with powerful modern hardware, they can spin that "combination lock" thousands (even millions) of times each second.
If they manage to swipe a database of hashed passwords (think of them as hundreds or thousands of combination locks),
they can try their brute-forcing in secret, away from any security alerts.
Short,
predictable passwords are like old-fashioned combination locks that were fine years ago
but are now laughably easy to pick if you have the right tools.
Attackers can run these weak hashes through specialised software at blistering speeds until they crack them.
Worse still, if your password shows up in other data breaches,
like having the same, well-known combination for multiple locks,
an attacker immediately has the skeleton key to your other accounts, too.
Longer passwords, on the other hand, are more advanced.
They're a far tougher nut to crack
because adding more characters drastically increases the number of possible combinations.
When an attacker cycles through enough guesses to crack a 12+ character password,
it will take ages,
making the task nearly impossible when you use modern hashing methods under the hood.
An excellent way to make a strong and memorable password is the XKCD method,
which stitches together random, unrelated words, like "correct horse battery staple".
The overall length and randomness make it a much more complex recipe to break.
However, it is still surprisingly easy to recall.
That's far more secure than a short mishmash of symbols and numbers you will forget within a week.

Our new login system wraps these insights into two significant upgrades:
- We now require at least 12 characters,
ensuring brute-force attempts (even if someone snags the hashed database) become prohibitively time-consuming.
- Each time you log in, we check whether your password has appeared in known breaches
without ever storing it in plain text ourselves.
If it appears on any list, the system stops you from logging in until you reset it.
That way, even if someone tries to open your "safe"
with a known stolen combination, they'll be turned away at the door.
Password Managers
Managing many unique passwords can be overwhelming;
password managers simplify this by generating, storing and auto-filling secure passwords across devices.
They encrypt your data behind a master password, which is the crucial "key" that must be diligently protected.
However, the initial setup might seem intimidating,
and securing the password you use for your manager is critical,
as anyone accessing it could compromise all your stored passwords.
Combining XKCD with Password Managers
The XKCD method ("correct horse battery staple") can seamlessly integrate into password managers,
combining strength with memorability.
Password managers such as KeePassXC or Bitwarden support Diceware passphrase generation,
which randomly selects words (often using dice rolls, hence the name "Diceware") to create secure,
human-friendly passwords.
Legacy Forum Code: Gone
Implementing the new login and session systems eliminated the last part of the legacy forum system
that was deeply integrated with the website.
Removing it took one commit; 99 files were deleted, and 20,470 lines dropped.
The legacy forum code was somewhat unmaintainable for a small team like ours,
and removing it has drastically improved our ability to maintain Alpha-Fox.
Much like disposing of replicator nanites,
we eliminated that potential threat where you are never sure you have defeated them if they exist.
Detecting Real Second Life Simulators
We added extra checks and logging to confirm incoming requests into the ASN are legitimately from simulators,
not some cunning Wraith infiltration.
UTF-8 Encoding Adventures
Because Stargate addresses shouldn't resemble Goa'uld hieroglyphics!
We migrated our database from Latin-1 (ASCII) to UTF-8 text encoding.
Introduction: Latin-1 vs. UTF-8
Before diving in, let us set the stage.
Think of Latin-1 like a tiny, old-fashioned suitcase; it's built to carry only your necessities,
letters A to Z, some punctuation and a few accented characters.
This is great
if you are travelling within Western Europe, but not so wonderful if you want to pack items from all over the world.
Now, picture UTF-8 as an expandable suitcase with infinite pockets.
Not only can it hold all your basic letters, but it can also fit emojis, non-Latin scripts and countless other symbols.
It unzips a new compartment whenever you need more space for another writing system!
The Parsers That Could not (Initially)
Eris Ravenwood first spotted an odd issue; a few Stargates failed to register.
It was like trying to plug in a foreign adapter without the right converter;
everything looks fine until you flip the switch, and the power will not flow.
Our internal server-side parsers, used for reading text fields like parcel titles, had been built with Latin-1 in mind.
When we switched to UTF-8, these parsers did not know what to do with UTF-8 characters, so they'd spit out an error.
Think of it like an assembly line designed to handle one shape of biscuit dough;
the moment a new shape arrives, the line jams.
We fixed the parsers, which allowed the Stargates to propagate happily again.
The Stargate Dialling Glitch
Paul Hexem encountered the mysterious Stargate Dialling Glitch,
where specific addresses would not dial.
It was like trying to call a friend whose phone number included symbols your phone keypad had never heard of.
You dial, and halfway through, it starts beeping angrily at you.
Digging deeper,
we discovered a crucial piece of code using regular expressions (regex)
to detect word boundaries.
Imagine regex like a fishing net carefully sized for single-byte "fish".
When we threw in multibyte UTF-8 "fish", the net got all tangled.
Characters like "é" in UTF-8 (0xc3 0xa9) were interpreted as separate characters: "café" → "cafÃ©".
Our old regex engine was not ready for that kind of catch.
Why Not Just Upgrade?
Modern regex libraries can handle UTF-8,
but looking at where it was used,
it did not seem like this was the best architectural choice for this particular instance.
Instead, we realised we only needed a bucket and a simple scooper (metaphorically speaking);
we rewrote the lookup code to avoid using regex altogether.
This approach also dodged a potential security hole.
With the old regex engine, an attacker might've squeezed malicious patterns into the system;
imagine sneaking in a crypto miner
that runs "like a hamster on a wheel" within the regex parser.
Sure, it would be limited, eventually time out, and would be funny, but it would not be worth the annoyance.
Stargate System Updates & Bug Squashing
Iris/Shield Stabilization
athenasgrace13 and Vala Avro noticed some Stargates lost their shield (iris) settings.
After further investigation, I determined this happens on script restarts or rollbacks.
I captured the state of these changes on the server.
When a gate reregisters,
the server double-checks the gate's shield type and corrects discrepancies.
If you already use this feature, set your iris type again so the server stores it.
Race Condition Dialling
athenasgrace13 and Vala Avro informed me that dialling busy gates sometimes triggered disconnections.
I tracked this down to a particular race condition.
Now, your subspace connections will hold!
Gate Shutdown API
Per Vala Avro's suggestion, users can now terminate outgoing connections they opened via the API.
If it is your Stargate, you have always been able to shut it down regardless, and that will continue.
Restored "/stargate memory" Command
A merge conflict accidentally jettisoned this command into subspace.
It's back, so quickly check or store ephemeral gate memory on the fly.
Region Name Detection & Updates
Tornado Siren noticed that the gates did not seemingly grasp when the region name changed.
I have added region change support to keep gate information correct whenever your simulator changes its name.
"Bury" Unreachable Gates
Based on feedback from Tornado Siren, if you delete a gate that cannot be reached,
the network will immediately treat the gate as deleted unless it checks in later.
If it does, it's resurrected automatically with a clear status message.
No more indefinite dial confusion caused by ghost gates.
Matching Region & Gate Names
Shadoskill Heckroth requested the ability to have a Stargate name identical to its region name,
which makes sense for aesthetic reasons.
This was done initially to prevent confusion, as region names always supersede gate names when dialling,
which can lead to confusion.
Now, you can set a gate to the same region name.
Region names still supersede gate names for dialling, but at least your name can match.
The gate alias has similarly been updated to follow this convention.
Infrastructure Changes
Database Migration
The database server was moved off the application server
onto its own dedicated server.
Daily Backup Tweaks
Backups no longer lock the database for so long that some gates fail their report-ins
and disappear off the network for a short five-minute window every day.
We set the backup process to the lowest I/O and process priority,
which resolved this.
API Refinements
Nearby API Upgraded
It now correctly calculates distance using the region's actual position (not just the region corner).
API 1.1 & 1.0 Harmonized
API 1.1 inadvertently used different parameters from 1.0;
we somehow forgot to ensure they matched when initially implementing it.
They're now matched up perfectly.
Search Endpoint
I added a search endpoint mirroring "info"
but returning more than a single result; it is a galaxy-wide search if you will.
HTTP Status Codes for Errors
Errors like "no results found" or "bad parameters"
now come with proper HTTP status codes.
Less guesswork, more clarity.
Name2Key & Key2Name Overhaul
We rewrote the name2key and key2name APIs to have better caching.
name2key now uses the name-to-agent API,
while key2name has been rewritten to use resident profiles,
like https://world.secondlife.com/resident/0f15391e-105f-4b05-91e3-48b73c60ae64,
to resolve the username,
which is now more reliable than in-world objects for our external system.
Appropriate caching has also been implemented for requests.
While we still maintain these APIs publicly for older in-world objects,
the best practice now is to rely on official in-world and external APIs from Second Life for this functionality.
API 1.1 Docs & Missing Info Corrected
Some documentation strings and instructions were incomplete; they are now updated.
No more confusion about endpoints or parameters.
Website & CMS Overhauls
Strict Transport Security
I have recently made an important update to our website to boost your security while you browse.
This update involves something called Strict-Transport-Security,
or HSTS for short.
Don't worry if that sounds technical;
it's just a way to ensure that your web browser always connects to our site using a secure connection,
known as HTTPS.
You may have noticed the lock icon in your browser next to our website's address.
That's HTTPS at work, keeping your connection safe and encrypted so no one can snoop on your actions.
Once you visit our site, your browser will "remember"
to use this secure HTTPS connection for the next month, refreshed with each visit.
I have set this security feature as a trial run for one month.
Why?
I want to ensure everything works as expected and this change does not cause any unexpected hiccups.
If all goes well, I might extend it later.
This setup also helps
protect you from sneaky attacks that could trick your browser into using an insecure connection instead.
Our legacy APIs still use HTTP, an older, less secure connection.
These APIs are not pages you visit directly in your browser, so they do not affect your browsing experience or security.
As API systems do not respect or check HSTS, they will be unaffected by this change.
Login Box Quirk
A hilarious bug overlapped some login boxes, but only for some users.
We hammered it out.
If only all cosmic anomalies were so easy.
Thanks, Tornado Siren, for identifying this issue!
Profiles
Until recently, we had three different profile systems for users:
- Forum profile
- Alteran Stargate Network profile
- Users Stargate's list profile
There was a lot of overlap,
so I scrapped them
and built a new profile system
that unifies all their functionalities into one without relying on the last remnants of the legacy forum system.
From XHTML to HTML5
While rewriting the template handling system so we didn't need to depend on the legacy forum code any more,
I also decided to convert the site from XHTML to HTML5.
In the early-to-mid-2000s, many websites, including Alpha-Fox's, were built using XHTML,
a stricter flavour of HTML grounded in XML. And yes, even as I type this,
my modern code editor wags its virtual finger and "helpfully" tries to autocorrect XHTML to HTML,
apparently deciding the 'X' stands for 'extra letter we don't need more'.
The guiding principle was discipline:
Imagine your webpage is a big family dinner where every dish (tag) needs a matching lid (closing tag),
and there is a seat at the table for every person (element) in the exact order they arrived.
In XHTML,
the requirement that each dish is perfectly covered is
like having a strict head chef
who will not let a single plate go out if a spoon is missing or a napkin is folded incorrectly;
one tiny slip and dinner is cancelled.
But strictness ran into friction with real-world usage.
Most web browsers, both old and new, were written to be forgiving;
rather than throwing an error, they usually tried to fix sloppy markup behind the scenes.
That meant developers rarely saw the benefits of writing perfectly valid XHTML.
Worse, if a browser decided to strictly follow the XML rules to the letter,
then a single unclosed tag or malformed attribute could make the site refuse to load completely.
This made debugging an exercise in frustration, with some browsers displaying content and others showing a blank page.
Problems with Third-Party Code
As websites grew more complex and started relying on external services,
XHTML's strictness became even more of a headache.
Pages often included third-party code for analytics,
comment sections, or advertising networks.
This code was not always written with XHTML's zero-tolerance policies in mind;
it might have an unescaped ampersand or a missing closing tag.
Under XHTML's rigid rules, that tiny error in someone else's script could break an entire site.
Even if the hosting browser was willing to overlook such minor issues,
the mismatched rules or improper syntax would still cause intermittent rendering problems for site visitors.
Why HTML5 Took Over
Eventually, the Web Standards Project and browser vendors recognised that the markup world needed a practical approach,
one that balanced clean code with the realities of how sites are built and maintained.
This led to HTML5, which introduced:
- Tolerance for Minor Mistakes
HTML5 is the patient host who'll give everyone a seat even if the silverware isn't in the right place.
You can still aim for tidy table settings, but a small oversight will not have your guests turned away at the door.
This more relaxed approach keeps the meal on track,
especially when uninvited guests, those third-party scripts, show up with mismatched forks and knives.
- Built-In Modern Features
Easy elements like <video>, <audio>,
and more semantic tags such as <header> and <section>
make creating rich, accessible sites simpler.
- Easier Maintenance
In a fast-paced environment where sites are updated constantly,
HTML5's "best-effort" approach to rendering code helps keep content live and reduces debugging nightmares.
For Alpha-Fox's website,
moving from XHTML to HTML5 eliminates the all-or-nothing rigidity
that once caused seemingly random failures when third-party code contained small mistakes.
Now, we can add modern features with greater confidence that browsers will handle them gracefully.
The shift to HTML5 ultimately mirrors the evolution of the entire web.
Trailing Slash & Lowercase Enforcement
Tornado Siren pointed out we should fix canonical URL quirks.
I have spent some time
making sure our CMS now handles things like enforcing trailing slashes and converting paths to lowercase.
Web crawlers rejoice!
Flickr Integration Fix
The ASN page no longer displays broken Flickr content. One minor fix for media, one giant relief for user sanity.
Think of website metadata like the labels on a file folder;
it tells people (and machines) what is inside at a quick glance.
By carefully adding meta-tags for social previews (Facebook, Twitter, LinkedIn),
messaging platforms (like Discord or Telegram)
and search engines (Google, Bing, Yandex, etc.), we're effectively putting bright, clear stickers on our content.
These labels help ensure the preview looks attractive and correct when someone shares a link to the page or post.
When search engine "spiders" arrive, they know exactly what to expect.
JSON-LD
If your web content were an item in a museum,
JSON-LD is the tidy little placard
that describes exactly what it is and why it's important.
It's a structured data format that tells search engines about the nature of the page,
whether it is a news article, product listing or event.
This makes it easier for them to show rich, detailed results (like those special boxes in Google Search).
Dublin Core
Picture Dublin Core as a standardised library catalogue system for the web.
It's a set of metadata conventions that were initially developed to organise digital and physical resources.
Adding Dublin Core to the pages, especially for the news posts and Stargate pages,
provides additional clarity about who, what, when and how.
This standard can help academic databases, archives and specialised search engines index the content more effectively.
Because we've introduced these precise markers for each page, "spiders"
(aka crawlers or bots) and link previews can quickly recognise, categorise
and display our content.
In other words, they are grateful we took the time to show them around!
Sitemaps & Robots
If metadata is the site's labelling system,
sitemaps are the master table of contents.
Each sitemap is like a neatly drawn map
that points out all the crucial sections of the website so search engines can quickly find every last nook and cranny.
We created specialised sitemap generators for the ASN database, news content and various resources;
each significant area has its own blueprint for search engine crawlers to follow.
However, when working with Yandex, we ran into a particular quirk;
it was picky about specific news extensions in our sitemap.
Think of it like a guest who loves the cooking but refuses to eat a particular spice.
Rather than offending the guest, we simply removed that ingredient (the problematic extensions),
making our sitemaps Yandex-friendly.
Meanwhile, the robots.txt file is like the bouncer at a club's entrance,
except it's the friendliest bouncer you'll ever meet.
It politely tells search engine crawlers where they can and cannot go on the site.
Placing rules in robots.txt ensures that unimportant or sensitive areas are off-limits to prying virtual eyes.
In contrast, the main content areas are front and centre.
All these steps combined help search engines, messaging apps and social networks properly understand, categorise,
and display our website.
It's like inviting a team of expert librarians to organise your digital house and ensuring every "visitor"
(human or robot) can find precisely what they need quickly and elegantly.
Removed Legacy addslashes()
The legacy forum bizarrely called addslashes() to replace all the various _REQUEST fields.
As a result, when Stargates were edited on the site,
people using ' characters would find their Stargate's profile had swapped them for \' afterwards.
This corruption has been fixed.
Errors are now pulled from Markdown templates
We now pull error pages from Markdown templates,
and we've published those on our GitHub;
you're welcome to make pull requests for any changes!
Quality of Life Improvements
Virtual Interface SLURLs
Offline Virtual Interfaces now show clickable SLURLs,
so you can jump right to them (when they're back online).
Additional Admin Visibility
Administrators can see more Stargate details through the website interface, avoiding manual database spelunking.
LLM News Summaries
Exclusively to generate concise summaries for meta-descriptions and article previews,
I enlisted the help of a large language model.
It did a brilliant job condensing all our news posts, so well,
in fact, that I completely exhausted my monthly AI credits in the process.
Oops!
Search now offers a "New" sorting option for Stargates
This sorts the Stargates search results by the date they were first initialised, which is great for exploring new gates!
Staff Profiles Marked
Staff profiles will have relevant identifiers marked on them.
Chevron stickers
Lex Mars has kindly contributed some beautiful Chevron stickers
inspired by the Milky Way and Pegasus Stargates, which we now use on our Discord.
Font Updates for Legibility
We have switched the fonts on the website to something slightly more modern so that the text is overall more legible.
Table of Contents Now Supported in Website Markdown
We've developed a custom Markdown extension that automatically generates a Table of Contents.
Simply including a special level-2 heading with the "ToC" keyword will insert a ToC for the page.
This enhancement improves navigation across our Markdown-based content, including news posts, manuals, etc.
We have also retroactively updated all relevant news posts and the ASN manual to use this feature.
Final Thoughts
This month saw a significant boost in security and standards across Alpha-Fox.
From unveiling new password hashing and session management
to modernising our backend with UTF-8 and our frontend with HTML5
and retiring the very last of our legacy forum code,
we have dramatically strengthened the foundation of our systems.
We could not have done this alone.
Our community members, whether by testing features, uncovering obscure bugs
or simply sharing ideas, have been invaluable in guiding our work.
Every report and suggestion helped shape these improvements,
from patching security holes to refining the user experience.
Outside the last bit of forum system removal, here is a snapshot of our development output this month:
- 231 commits - 69% increase over last month
- 34 files added
- 29 files deleted
- 464 files changed - 42% increase in scope over last month
- 50,325 insertions (+) - more focused additions despite fewer new files
- 39,543 deletions (-)
And that is not even counting the clean sweep that removed 99 outdated forum files and over 20,000 lines of legacy code.
By trimming this dead weight, we have positioned Alpha-Fox for easier maintenance and far more robust security,
all thanks to your patience and feedback.
--Ash Qin