Changelog

Added

• This /changelog page itself, in EN and RU, with hreflang and an entry in sitemap.xml.
• Home page: a Quick glossary section (Mock API, Endpoint, TTL, Faker token, Content-Type) for readers landing here without context.
• Home page: a Who built this block with author bio and direct links to GitHub, LinkedIn, Telegram — and a Why I built Quickmock personal-story section, so the page isn't a faceless tool landing.
• Visible Last updated stamp at the bottom of the home page; dateModified mirrored into the WebApplication JSON-LD so AI crawlers see freshness.

Fixed

• ?lang=<code> in the URL now actually serves that language. Previously the canonical / hreflang links pointed at ?lang=ru but the resolver only read the cookie and Accept-Language, so a bot following the hreflang link saw English content — the multilingual signal was a lie.

Security

• Origin hardening for /m/*: the public mock router now strips request-altering headers a malicious caller could use to confuse downstream proxies, slugs were lengthened (more entropy), and internal error messages are redacted before they reach the wire — no DSN fragments, no stack frames.
• Language switcher (POST /language) now accepts same-origin absolute Referers, so the redirect-back path works behind reverse proxies that rewrite the Referer header. Cross-origin Referers are still rejected.

Fixed

• RealIP middleware now trusts X-Forwarded-For / X-Real-IP when the immediate peer is loopback or a private/link-local address. Previously XFF was honored only for loopback peers, so behind Docker Compose every request was attributed to the bridge gateway (e.g. 172.18.0.1) — making creator_ip and request_ip useless and turning the per-IP mock limit into a global one.
• Mock router now stores incoming request headers with lowercased keys, so request_headers->>'user-agent' works regardless of wire casing.
• UI: slug examples updated to the new 12-char format; Copy-URL button restored on the mock detail page.

Added

• Footer disclaimer and Terms-of-use modal: mocks are user-generated content, prohibited categories (malware, phishing, CSAM, attack infrastructure) are spelled out, and an abuse-report channel is published.
• Footer modal stays usable on small viewports — close button is no longer clipped on mobile.

Added

• Faker / now token substitution in response bodies: {{`{{faker.uuid}}`}}, {{`{{faker.email}}`}}, {{`{{faker.name}}`}}, {{`{{now.iso8601}}`}}, plus 18 more (people, IDs, network, text, time). The mock stores the template as-is and renders fresh random values on every hit, so one mock can serve different data per call. Full list lives under Dynamic tokens on the create form.

Fixed

• Docker Compose deploy now waits for the --wait healthcheck instead of polling /healthz in a shell loop, so deploys no longer print the cosmetic curl: (52) Empty reply while the proxy and Go process finish racing.
• POSTGRES_PASSWORD example in .env.example now warns against base64-encoded values — pgx's DSN parser chokes on + / = in the password.

Added

• Core mock engine: create, view, edit, delete; all HTTP methods including ANY.
• Public /m/:slug router with configurable status, body, headers, response delay (0–30 s), and TTL.
• Live request inspector: HTMX 2-second poll, per-mock counter, clear-logs.
• cURL import — paste a curl … command to pre-fill the create form.
• Code snippets on the mock detail page for JavaScript, Python, Go, and PHP.
• Read-only share preview at /share/:slug with Open Graph tags.
• Per-IP rate limit (5000 hits / 8 hours) and per-IP active-mock cap (50).
• 512 KB max response body, enforced by handler and a DB CHECK constraint.
• Docker Compose stack (app + Postgres + Redis + one-shot migration container) and a bare-metal systemd path.
• EN + RU localization, language switcher (cookie + Accept-Language).
• Privacy by design: no third-party JS, no analytics, no fonts CDN; CI enforces this on every build.