Changelog entry
Supporter checkout origin hardening (Issue #760)
2026-03-31
- In production, supporter Stripe redirect origin resolution now requires a configured canonical app base URL and rejects request-header fallback to prevent host-header origin spoofing.