Changelog

March 2026

Major security update to align backend implementation with our Privacy Policy and Terms & Conditions commitments. New Features:

Account deletion endpoint (DELETE /api/users/me/account) — DPDPA Right to Erasure compliance
Account suspension system — admin can suspend/unsuspend users, all sessions invalidated on suspend
Persistent IP blocking — malicious IP bans now stored in MongoDB (survive restarts)
Automated threat detection — brute-force and credential stuffing patterns detected every 15 minutes
Scheduled security cleanup — expired sessions, tokens, rate limits auto-cleaned every 6 hours

Security Headers:

Browser routes now include Strict-Transport-Security, X-Frame-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy
Developer API routes include Cache-Control: no-store, X-RateLimit-* headers instead of browser-specific headers

Fixes:

MongoDB TLS certificate validation now configurable (was hardcoded to skip validation)
Developer API suspension check added — suspended users blocked from API key access
Rate limit info now returned in X-RateLimit-* response headers for developer API

Admin Endpoints:

Updated Privacy Policy with comprehensive DPDPA 2023 compliance:

Key definitions (Data Fiduciary, Data Principal, Processing, Publicly Available Data)
Detailed data source breakdown (MCA V2/V3, GST, MSME portals)
Legal basis for processing (5 legal bases with balancing test)
Full DPDPA user rights (access, correction, erasure, portability, withdraw consent)
Grievance redressal mechanism (7-day acknowledgment, 30-day resolution)
Data accuracy disclaimers and liability protections
Children’s privacy protections (under-18)
International data transfer safeguards

Run Screener endpoint (POST /api/screener/screeners/{id}/run) — execute a saved screener and get matching results in real-time