9e31c6d972
- public-holidays cron: replace fail-open inline auth check with verifyCronSecret (was open to unauthenticated access when CRON_SECRET unset)
- /api/perf: replace timing-unsafe string comparison with verifyCronSecret
- /api/health: strip baseUrl and latency fields from response to avoid leaking infrastructure details (NEXTAUTH_URL config, internal timings)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
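
The two auth patterns named in the commit message, as an added sketch that is not the project's `verifyCronSecret` (its code is not shown on this page). The function names and the `Bearer <secret>` header format are assumptions made for illustration.

```javascript
// Added illustration, not code from the commit. Function names and the
// "Bearer <secret>" header format are assumptions; sample values are constructed.
const { createHash, timingSafeEqual } = require('node:crypto');

// BEFORE pattern: the comparison only runs when a secret is configured, so an
// unset CRON_SECRET lets every request through, and !== exits on first mismatch.
function failOpenCheck(authHeader, secret) {
  if (secret && authHeader !== `Bearer ${secret}`) {
    return false;
  }
  return true; // secret unset: request is allowed (fail-open)
}

// AFTER pattern: deny when the secret is missing, compare in constant time.
function checkCronSecret(authHeader, secret) {
  // Misconfiguration must deny, not allow.
  if (typeof secret !== 'string' || secret.length === 0) return false;
  if (typeof authHeader !== 'string') return false;
  // timingSafeEqual throws on unequal lengths, so compare fixed-size digests.
  const presented = createHash('sha256').update(authHeader).digest();
  const expected = createHash('sha256').update(`Bearer ${secret}`).digest();
  return timingSafeEqual(presented, expected);
}

// Constructed cases: [Authorization header, configured secret].
function compareChecks() {
  const cases = [
    [undefined, undefined],                          // secret unset, no header
    ['Bearer guess', undefined],                     // secret unset, any header
    ['Bearer wrong-value', 'constructed-secret'],    // wrong secret
    ['Bearer constructed-secret', 'constructed-secret'], // correct secret
  ];
  return cases.map(([header, secret]) => ({
    failOpen: failOpenCheck(header, secret),
    failClosed: checkCronSecret(header, secret),
  }));
}

console.log(compareChecks());
```
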