- Fix webauthn.js CSRF token: read HMAC header value from body hx-headers attribute instead of cookie nonce
- Update profile labels to mention security keys/FIDO2 alongside passkeys
Security: CSRF double-submit was broken for fetch()-based
WebAuthn requests — JS was sending the cookie nonce as the
header value instead of the HMAC. Fixed by reading the
server-rendered header token from the DOM.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>