What we've shipped.
Changes to the product and the public site, newest first. User-visible items only — no whitespace cleanups, no sitemap regenerations.
No more WordPress dependency SECURITY
All assets (favicons, logos, screenshots, install graphics) now live on RDS infrastructure. The console survives the upcoming WordPress corporate-site decommission.
Cookie banner sits above the mobile bottom-nav UPDATE
The cookie consent banner's action buttons are no longer hidden behind the app-style bottom navigation on phones.
Map view: properly sized on phones FIX
/pantalles.php?vista=mapa now measures the available viewport and hides UI chrome that was obstructing the map on phones.
List views: column widths tidied FIX
Every column fits in any screen width with no horizontal scroll. Name column pinned to 280px for stable rendering.
Recycle bin for media NEW
Deleted images and videos move to a recycle bin and stay 30 days before being purged. Recoverable.
Drag-and-drop upload NEW
Modern dropzone with preview, real MIME validation on the server, 2 MB image cap, and an extension whitelist.
Stripe webhook: replay protection SECURITY
Every Stripe event is recorded in an idempotency ledger; if the webhook fires twice, it is not processed twice.
Library cleanup UPDATE
jQuery 3.1.0 → 3.7.1, jQuery UI 1.12.0 → 1.13.3, PHPMailer 6.0.5 → 6.9.3, blueimp File Upload → 10.32.0. nuSOAP and PHPMailer 5.2 retired.
Security audit completed SECURITY
Full audit cycle: Critical, High, Medium and Low items remediated across three phases. Tenant boundary (cf_empresa) enforced on every gestió endpoint.
Security headers on every response SECURITY
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy applied to every server response.
App-style mobile experience NEW
New bottom navigation on ≤1024px (Devices / Content / Playlist / Profile / More). Device, video, image and playlist lists render as compact cards on phones. jQuery UI dialogs fit any phone viewport.
Strong password policy SECURITY
NIST-style: 12-character minimum, blocks 1,197 breached passwords, no trivial sequences or username/email reuse. Enforced on every password form.
Strength meter + show/hide password NEW
Live meter (bar + label + rule checklist) on every password form. Detects breached passwords client-side. Eye toggle to show/hide.
Token-based password reset SECURITY
One-time SHA-256-hashed reset token, 1-hour TTL, rate-limited (1 reset per 3 minutes), no account enumeration. Replaces the old plaintext-password-email flow.
Bot protection on register NEW
Honeypot + 3-second time-trap. Blocks automated signups before any DB write.
Configurable bulk send NEW
Bulk send to all subscribers with configurable From and Reply-To. Per-user GDPR-aligned unsubscribe link included.
"Resume subscription" button on Profile UPDATE
For canceled subscriptions, a green button reactivates with a single click instead of re-running the full signup flow.
Restyled error page NEW
New error page in the app style, translated to all 5 languages (EN/ES/CA/FR/PT).
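
The "Token-based password reset" entry above lists four properties: a one-time token, stored only as a SHA-256 hash, with a 1-hour TTL and a limit of 1 reset per 3 minutes, and no account enumeration. The sketch below is an added example showing one way those properties fit together; it is not the product's code. The class and function names, the in-memory storage, the per-address rate limit and the invalidation of earlier tokens are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600       # 1-hour TTL, from the changelog entry
RESET_INTERVAL = 180   # 1 reset per 3 minutes, from the changelog entry
GENERIC_REPLY = "If that account exists, a reset link has been sent."

def token_digest(raw_token):
    """SHA-256 hex digest; the only form of the token that is stored."""
    return hashlib.sha256(raw_token.encode()).hexdigest()

class ResetService:
    """In-memory stand-in for the user, token and mail layers (all assumed)."""

    def __init__(self, emails, clock=time.time):
        self.users = set(emails)
        self.tokens = {}        # digest -> (email, expires_at)
        self.last_request = {}  # email -> time of last accepted request
        self.outbox = []        # (email, raw_token), stands in for the mailer
        self.clock = clock

    def request_reset(self, email):
        now = self.clock()
        last = self.last_request.get(email)
        if last is None or now - last >= RESET_INTERVAL:
            # Recorded for unknown addresses too, so throttling behaves the
            # same whether or not the account exists.
            self.last_request[email] = now
            if email in self.users:
                raw = secrets.token_urlsafe(32)
                # Assumption: a new request invalidates any earlier token.
                self.tokens = {d: v for d, v in self.tokens.items() if v[0] != email}
                self.tokens[token_digest(raw)] = (email, now + TOKEN_TTL)
                self.outbox.append((email, raw))
        return GENERIC_REPLY  # identical reply on every path: no enumeration

    def redeem(self, raw_token):
        """Return the account email for a valid token, else None."""
        entry = self.tokens.pop(token_digest(raw_token), None)  # pop: one-time use
        if entry is None:
            return None
        email, expires_at = entry
        return email if self.clock() <= expires_at else None
```

In a real deployment the mail send would be queued rather than done inline, so response time does not differ between known and unknown addresses.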
