From b974ff17b0bff78029db7ecd00fc6c7d203b6309 Mon Sep 17 00:00:00 2001
From: mkilijanek
Date: Sun, 8 Mar 2026 20:21:04 +0100
Subject: [PATCH 1/3] security: enforce upstream TLS certificate and hostname verification
(cherry picked from commit 376168c7a0caab8ec83d7abd477d27560e72f1a9)
---
 core/interceptor.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/core/interceptor.py b/core/interceptor.py
index 8f56e6e..70a08da 100644
--- a/core/interceptor.py
+++ b/core/interceptor.py
@@ -558,9 +558,7 @@ class TLSContextFactory:
 @classmethod
 def client_context(cls, alpn: List[str] = None) -> ssl.SSLContext:
- ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
- ctx.check_hostname = False
- ctx.verify_mode = ssl.CERT_NONE
+ ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
 ctx.minimum_version = ssl.TLSVersion.TLSv1_2
 try:
 ctx.set_ciphers(cls.CIPHERS)
@@ -574,8 +572,6 @@ def client_context(cls, alpn: List[str] = None) -> ssl.SSLContext:
 def server_context(cls, cert_path: str, key_path: str, alpn: List[str] = None) -> ssl.SSLContext:
 ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
 ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
- ctx.check_hostname = False
- ctx.verify_mode = ssl.CERT_NONE
 ctx.minimum_version = ssl.TLSVersion.TLSv1_2
 try:
 ctx.set_ciphers(cls.CIPHERS)
From fd51431ada16fe9791274779b7f845bf8bf9c02c Mon Sep 17 00:00:00 2001
From: mkilijanek
Date: Sun, 8 Mar 2026 16:40:20 +0100
Subject: [PATCH 2/3] chore: add dependabot configuration
(cherry picked from commit 9307fa2e764e998f48a8e6627b5a4a53e7a674a5)
---
 .github/dependabot.yml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f886aed
--- /dev/null
+++ b/.github/dependabot.yml
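Review bot: With `check_hostname` now True (the default `ssl.create_default_context` gives), every `wrap_socket`/`wrap_bio` call on this context must pass `server_hostname`, otherwise the ssl module raises ValueError at wrap time rather than failing the handshake; those callers are outside this hunk, so that should be confirmed before merging. The new context also trusts only the platform CA store and the signature offers no way to supply another, so an upstream signed by a private CA can no longer be reached; a backward-compatible option is `def client_context(cls, alpn: List[str] = None, cafile: str = None) -> ssl.SSLContext:` with `ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)`. A docstring stating that the returned context verifies the upstream certificate chain and hostname would help, since the previous behaviour was the opposite. The body of client_context continues past the end of the hunk.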
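Review bot: The two removed lines were no-ops for a `PROTOCOL_TLS_SERVER` context, whose `verify_mode` already defaults to `CERT_NONE` and `check_hostname` to False, so server_context still does not request or verify a client certificate; the commit title covers only the upstream side, which is fine, but nothing in the factory now records that decision either way. A one-line comment after `ctx.load_cert_chain(...)` such as `# No client certificate is requested: verify_mode stays at the PROTOCOL_TLS_SERVER default (CERT_NONE).` would make it explicit. The body of server_context continues past the end of the hunk.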
@@ -0,0 +1,37 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:00"
+ timezone: "Europe/Warsaw"
+ open-pull-requests-limit: 10
+ labels:
+ - "dependencies"
+ - "python"
+
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:15"
+ timezone: "Europe/Warsaw"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "docker"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ time: "06:30"
+ timezone: "Europe/Warsaw"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "github-actions"
From ab4ca43bd8d4529c14929956562516b15c9d63ee Mon Sep 17 00:00:00 2001
From: mkilijanek
Date: Sun, 8 Mar 2026 16:41:58 +0100
Subject: [PATCH 3/3] ci: add advanced CodeQL workflow
(cherry picked from commit 77f8c749658cb9f2b4e6fa31657ba014956be204)
---
 .github/workflows/codeql.yml | 73 ++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..fc4aff6
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,73 @@
+name: CodeQL Advanced
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ - dev
+ pull_request:
+ branches:
+ - main
+ - master
+ - dev
+ schedule:
+ - cron: '23 3 * * 1'
+ workflow_dispatch:
+
+permissions:
+ actions: read
+ contents: read
+ packages: read
+ security-events: write
+
+concurrency:
+ group: codeql-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ timeout-minutes: 45
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-and-quality
+ config: |
+ paths-ignore:
+ - media/**
+ - '**/__pycache__/**'
+ - '**/*.md'
+
+ - name: Set up Python
+ if: matrix.language == 'python'
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.12'
+
+ - name: Install dependencies (Python)
+ if: matrix.language == 'python'
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: /language:${{ matrix.language }}
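Review bot: All four `uses:` references resolve a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `actions/setup-python@v5`, `github/codeql-action/analyze@v3`), so what the job executes depends on whoever can move those tags, while the token it runs with carries `security-events: write`. Pinning each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha-placeholder> # v4`, removes that dependency, and the `github-actions` entry added to dependabot in the previous patch will keep such pins current. The `Install dependencies (Python)` step also runs whatever `requirements.txt` resolves to on the runner even though `build-mode: none` is selected; if the CodeQL version in use does not need the packages installed for Python extraction, dropping that step shrinks what executes under this token, which is worth confirming. `packages: read` in the permissions block is not used by any step shown and can be removed.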