Security and resilience improvements: We now only record to the db messages that have been sent over radio, the web interface now listens on localhost by default, and the webserver now checks the X-Sec-Fetch header and blocks the request if it's not same-origin.

2026-05-04 22:17:01 +02:00
parent 675a18d940
commit 922de8cc67
5 changed files with 31 additions and 6 deletions
+3
@@ -15,6 +15,9 @@ services:
LORABOT_LLM__BASE_URL: ${LORABOT_LLM_BASE_URL:?set LORABOT_LLM_BASE_URL}
LORABOT_LLM__API_KEY: ${LORABOT_LLM_API_KEY:-not-needed}
LORABOT_LLM__MODEL: ${LORABOT_LLM_MODEL:?set LORABOT_LLM_MODEL}
# The app defaults to loopback; inside the container we need 0.0.0.0 so the
# docker port mapping below can reach it. Restrict exposure at the host port.
LORABOT_WEB__HOST: ${LORABOT_WEB_HOST:-0.0.0.0}
ports:
# Built-in read-only web UI. Override via LORABOT_WEB_PORT.
- "${LORABOT_WEB_PORT:-8080}:8080"
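Review bot: The `ports` entry at the end of this hunk publishes the UI on every host interface, because `"${LORABOT_WEB_PORT:-8080}:8080"` carries no host IP; with the container now bound to `0.0.0.0`, the compose deployment does not get the loopback-only default that the commit message describes. The comment above `LORABOT_WEB__HOST` says to restrict exposure at the host port, but the mapping does not do so; pinning the host side, e.g. `- "127.0.0.1:${LORABOT_WEB_PORT:-8080}:8080"`, would make the default match and leave LAN exposure as a deliberate override. Docker-published ports are commonly installed ahead of host firewall rules (ufw and similar), so a host firewall alone should not be relied on as the restriction. The add/context markers are lost on this page, so which three lines are new is inferred from the hunk header, and the service definition continues outside the hunk.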