This page only lists user-relevant product changes. Sensitive security details, secrets, personal data and private operational notes are intentionally excluded.
Fixed | Area: Security | Impact: medium
Account and checkout actions are more tightly protected
Sensitive browser actions now reject unexpected cross-origin requests and use safer public URL handling.
- Account, admin, upload, FACEIT, Stripe, contact, and tRPC write actions now require a trusted same-origin request.
- OAuth and checkout redirects now use trusted ClutchCoach origins instead of raw browser headers.
- Public structured data and OAuth callback messages are rendered with safer escaping.
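The three items above describe a common hardening pattern: state-changing requests are accepted only from an allowlisted origin, redirect bases are chosen from that allowlist rather than echoed from request headers, and JSON-LD is escaped so it cannot terminate its script block. The following TypeScript is an added illustration written for this page, not ClutchCoach's own code; the origin list, header names and function names are assumptions made for the example.

```typescript
// Added example (not ClutchCoach code): same-origin enforcement, trusted
// redirect bases, and HTML-safe JSON-LD serialisation.

// Placeholder origins (constructed for the example).
const TRUSTED_ORIGINS: ReadonlySet<string> = new Set([
  "https://clutchcoach.example",
  "https://staging.clutchcoach.example",
]);

type HeaderMap = Readonly<Record<string, string | undefined>>;

/** Normalise a URL-ish header value to a bare origin, or null if unusable. */
function toOrigin(value: string | undefined): string | null {
  if (!value) return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

/**
 * Decide whether a state-changing request may proceed.
 * Origin is authoritative; Referer is a fallback for clients that omit it.
 * A request with neither header, or with an origin outside the allowlist,
 * is rejected (fail closed).
 */
function isTrustedSameOriginRequest(method: string, headers: HeaderMap): boolean {
  // Safe methods do not change state and are left to ordinary CORS handling.
  if (method === "GET" || method === "HEAD" || method === "OPTIONS") return true;
  const origin = toOrigin(headers["origin"]) ?? toOrigin(headers["referer"]);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

/**
 * Pick the base URL for OAuth/checkout redirects. The Host header is used
 * only to *select* among allowlisted origins and is never echoed back, so a
 * spoofed Host cannot steer the redirect to an attacker-controlled site.
 */
function resolveRedirectBase(
  headers: HeaderMap,
  fallback = "https://clutchcoach.example",
): string {
  const host = headers["host"];
  if (host) {
    const candidate = `https://${host}`;
    if (TRUSTED_ORIGINS.has(candidate)) return candidate;
  }
  return fallback; // unknown or absent host: use the canonical origin
}

/**
 * Serialise structured data for an inline <script type="application/ld+json">.
 * JSON.stringify leaves '<' untouched, so a value containing "</script>" would
 * end the block early. Escaping < > & as \u sequences keeps the output valid
 * JSON while making it inert inside HTML.
 */
function safeJsonLd(data: unknown): string {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}
```

The same-origin check treats a missing Origin and Referer as a rejection rather than a pass; that is the fail-closed choice the changelog describes, and it is worth confirming against any legitimate clients that strip those headers before enabling it on every write route.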
Fixed | Area: Security | Impact: low
Upload and analysis safeguards were tightened
Demo analysis now rejects invalid demo files earlier and applies clearer abuse protections to costly actions.
- Invalid demo uploads fail earlier with stricter server-side checks.
- Costly actions such as uploads, checkout starts, and training plan generation have extra abuse protection.
- Internal maintenance tasks now fail closed on unsafe configuration drift.
Changed | Area: FACEIT | Impact: high
FACEIT demo import now runs through the API
Eligible FACEIT matches can now be imported without manually downloading the demo file.
- The FACEIT import button now queues the demo and lets the analysis worker download it on the demo-processing server.
- Queued FACEIT imports also recover if an older job points to a demo file that is not present on the worker.
- The app copy now points players to FACEIT match import instead of the old manual-only workaround.