Trust, in the Details: Account Lockouts, SSRF Hardening and a Brand-New Inbox
The headline of 2.0 is the UI revamp, but a release this size always brings a quieter list of changes that matter just as much. This one ships three of them: automatic account lockouts, an SSRF guard on outbound webhooks, and a complete rewrite of every transactional email WelcomeDesk sends.
Brute-force sign-ins, stopped at the door
Repeatedly guessing a password used to cost an attacker nothing. From 2.0, it costs them access. After a handful of failed attempts WelcomeDesk locks the account automatically, and each further attempt extends the lockout window: slow enough that a credential-stuffing run loses any chance of succeeding, fast enough that a real user who fat-fingered their password just waits a moment and tries again.
For admins, lockouts are visible and reversible. A new Lockouts screen under Settings lists who's currently locked out and lets you unlock anyone in a click. For our internal team there's a platform-wide version of the same screen on the admin portal, so support can resolve a stuck customer without leaning on someone else.
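To make the escalating-lockout idea concrete, here is an added illustration of how such a policy can be modelled. It is not WelcomeDesk's code, and the threshold (five failures), base window (30 seconds), doubling and one-hour cap are assumed values chosen for the example, not the product's real numbers. The caller passes the clock in explicitly so the behaviour is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy values for this illustration, not WelcomeDesk's actual numbers:
# five failures trigger the first lockout, every further lockout doubles the
# window, and the window never grows past one hour.
FAILURE_THRESHOLD = 5
BASE_LOCKOUT_SECONDS = 30.0
MAX_LOCKOUT_SECONDS = 3600.0


def lockout_seconds(lockout_number: int) -> float:
    """Window length for the n-th consecutive lockout (1-based), doubling each time."""
    return min(BASE_LOCKOUT_SECONDS * 2 ** (lockout_number - 1), MAX_LOCKOUT_SECONDS)


@dataclass
class AccountState:
    failed_attempts: int = 0              # failures since the last success, unlock or lockout
    lockouts: int = 0                     # consecutive lockouts, reset by a successful sign-in
    locked_until: Optional[float] = None  # epoch seconds; None when not locked


class LockoutPolicy:
    """Tracks failed sign-ins per account. `now` is passed by the caller so the
    policy is testable; in a server you would pass time.time()."""

    def __init__(self) -> None:
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        st = self._state(account)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # Window expired: the user may try again, but `lockouts` is kept so a
            # continuing attack hits a longer window next time.
            st.locked_until = None
            st.failed_attempts = 0
            return False
        return True

    def _lock(self, st: AccountState, now: float) -> float:
        st.lockouts += 1
        st.failed_attempts = 0
        st.locked_until = now + lockout_seconds(st.lockouts)
        return st.locked_until - now

    def record_failure(self, account: str, now: float) -> Optional[float]:
        """Register a failed sign-in. Returns the new lockout length in seconds when
        this attempt caused a lockout or extended an existing one, else None."""
        st = self._state(account)
        if self.is_locked(account, now):
            # Hammering a locked account only pushes the window further out.
            return self._lock(st, now)
        st.failed_attempts += 1
        if st.failed_attempts >= FAILURE_THRESHOLD:
            return self._lock(st, now)
        return None

    def record_success(self, account: str, now: float) -> bool:
        """A correct password during a lockout is still refused; otherwise all
        counters are cleared. Returns whether the sign-in is accepted."""
        if self.is_locked(account, now):
            return False
        self._accounts.pop(account, None)
        return True

    def unlock(self, account: str) -> None:
        """Manual unlock: the action behind an admin 'Unlock' button."""
        self._accounts.pop(account, None)

    def locked_accounts(self, now: float) -> List[str]:
        """What a Lockouts screen would list: accounts currently inside a window."""
        return sorted(a for a in list(self._accounts) if self.is_locked(a, now))
```

In a sign-in handler the order matters: consult is_locked before the password is verified, so a locked account is rejected at the door rather than after the expensive hash check, and call record_success only once both checks pass.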
An SSRF guard on every outbound webhook
WelcomeDesk lets you point notifications and webhooks at any URL you like. That power has a sharp edge: a hostile or careless URL could try to reach back into our own infrastructure or scan a private network. We've shut that down.
Every URL you enter for an outbound integration (Slack and Teams webhooks, custom webhook endpoints, ID verification callbacks) now passes through a new SSRF guard. It resolves the hostname, refuses any address in a private or reserved range, and blocks attempts to redirect through one. The result: your webhook can reach the public internet and nothing else.
You won't see it day to day. You'll notice it if you ever paste a URL that points somewhere it shouldn't, and that's the point.
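As an added example of the checks described above (not WelcomeDesk's own guard), here is a standalone Python version: it accepts only http(s), resolves the hostname, refuses the URL if any resolved address is private, loopback, link-local, multicast, reserved or otherwise non-public, and follows redirects by hand so that each hop is vetted before it is requested. The resolver and HTTP fetch are injectable so the code runs offline; the redirect cap and the sample hostnames are assumptions for the illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Tuple, Union
from urllib.parse import urljoin, urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]             # hostname -> addresses
Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # url -> (status, Location header)

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5  # assumed cap for this illustration


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver, keeping every A/AAAA record, not just the first."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(addr: IPAddress) -> bool:
    """True only for a globally routable unicast address."""
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged as the IPv4 it wraps;
    # otherwise an internal IPv4 address can hide behind the IPv6 checks.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


def check_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Refuses non-http(s) schemes, unresolvable hosts,
    and any host for which at least one resolved address is not public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        candidates: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP, no DNS
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            candidates = []
    if not candidates:
        return False, f"cannot resolve {host!r}"
    # Every record counts: one public and one private answer is still a refusal.
    for addr in candidates:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def deliver(url: str, fetch: Fetcher, resolver: Resolver = system_resolver,
            max_redirects: int = MAX_REDIRECTS) -> Tuple[bool, str]:
    """Follow redirects by hand so every hop is vetted before it is requested.
    `fetch` must not follow redirects on its own; a client that does would reach
    the redirect target before this function ever sees the Location header."""
    current = url
    for _ in range(max_redirects + 1):
        ok, reason = check_url(current, resolver)
        if not ok:
            return False, reason
        status, location = fetch(current)
        if status in (301, 302, 303, 307, 308) and location:
            current = urljoin(current, location)  # Location may be relative
            continue
        return True, f"delivered to {current} (status {status})"
    return False, "too many redirects"
```

One caveat worth knowing: check_url resolves the name once and the HTTP client then resolves it again when it connects, so a name whose answer changes between the two lookups can slip through. A stricter guard connects to the exact address it vetted (passing the IP to the socket and the original hostname for the Host header and TLS SNI) instead of letting the client re-resolve.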
Every email, redesigned and rewritten
The other change you will see is in your inbox. We've rebuilt the entire transactional-email system around a shared design that matches the marketing site (an indigo gradient header, a soft card body, clear typography) and rewrote the copy in the WelcomeDesk voice. Three tones now, all visually consistent:
- Default for visitor and host messages: warmer, more human.
- Alert for watchlist hits and urgent admin alerts: calmer than the old red-banner look, but unmistakable.
- Admin for internal platform notifications: terse and information-dense.
Behind the scenes there's now a single shared template (wrap, headline, body, buttons, detail tables) used by every email the product sends. Pre-registration invites, password resets, watchlist alerts, calendar intake links, the ten admin-alert types: all of them flow through the same building blocks, so we can keep visual consistency as we add more. A superadmin-only preview tool at /admin/dev/emails renders every template with sample data and lets us send a test of any of them. Quiet, but it's how we keep the inbox honest.
Nothing to switch on
All three changes are live now. Lockouts kick in automatically and the unlock screen sits under Settings; the SSRF guard runs in front of every outbound URL field with no configuration; the new emails are simply what arrives in your inbox from today onward. Three small things on their own, but together a quietly more trustworthy product.