Skip to content

Fix title leak for unauthorized viewers#12

Open
chruffins wants to merge 1 commit into
mainfrom
hide-title
Open

Fix title leak for unauthorized viewers#12
chruffins wants to merge 1 commit into
mainfrom
hide-title

Conversation

@chruffins

Copy link
Copy Markdown

Summary

generateMetadata was calling findBySlug and using the doc's title unconditionally, which meant the browser tab / <title> tag would show a private doc's real title even when the page itself rendered a 404. An unauthorized viewer (or a bot crawling the page) could infer the existence and name of a private doc.

Fix

The metadata function now runs the same authorization check (canViewSession) that ViewerPage uses before revealing the doc's title. If no doc is found or the viewer isn't authorized, the title defaults to the neutral "justhtml.sh".

@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
justhtml Ready Ready Preview, Comment Jul 14, 2026 1:53pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant