Hey Actifitters! Version 1.10.0 is here, and this one is packed! While it might look business-as-usual on the surface, under the hood we've been fortifying the platform like never before: hardening security on every front, making rewards smarter and more trustworthy, and giving the signup experience a full makeover. Let's break it all down!
Here's what's new across Actifit:
Signup Page: A Whole New Experience!
The signup page received a complete UX redesign: same great functionality, but now much clearer, friendlier, and fully translated:
- Step Indicator: A clean 3-step progress bar (Account Details → Activate → Done!) guides new users through the signup process at a glance. No more wondering "what's next?"
- Fee Explanation Card: A dedicated card explains exactly what the account creation fee goes toward, with a collapsible "Why is there a fee?" section for curious users.
- FAQ Accordion: The most common signup questions are now answered right on the page, so there is no need to search Discord or the docs.
- Full i18n Coverage: All new signup content is fully translated across all 14 supported languages. Every new user, wherever they are, gets the same polished experience.
- Dark Mode Ready: All new UI elements respect the dark/light mode toggle, so no more jarring white boxes in dark mode.
Developer Experience: Code Blocks Look Amazing!
- Syntax Highlighting: Code blocks in posts and reports now render with beautiful syntax highlighting powered by highlight.js. 18 languages are supported out of the box, including JavaScript, Python, Rust, Go, SQL, YAML, and more. Developers, your posts just leveled up.
Landing Page: Your Security, Our Priority!
This release is heavy on security: every reward path, every piece of user content, and every credential flow got a thorough audit and tightening:
- Votes Now Carry On-Chain Proof: When you vote on a post through Actifit, we now broadcast a bundled `custom_json` operation alongside your vote, atomically, in a single transaction. This on-chain activity stamp lets our backend verify real votes before issuing rewards. No faking it!
- Reward Endpoints Locked Down: All three reward flows (votes, edits, comments) now validate inputs, enforce rate limits, and verify a signed auth token before any reward can be issued. Spamming rewards is no longer a thing.
- Iframe Hosts Strictly Allowlisted: Embedded content in posts is now restricted to a trusted list of media hosts only: YouTube, 3Speak, Vimeo, Rumble, D.Tube, Facebook. Arbitrary embeds are blocked outright, keeping your feed safe from malicious content.
- CSS Injection Patched: Dangerous CSS properties (`position`, `z-index`, `top`/`left`/`right`/`bottom`, `pointer-events`) in post content are now stripped both server-side and client-side, so no more phishing overlays hiding inside posts.
- Signup Credentials Secured: Account credentials are now sent via POST body to our server-side proxy instead of a GET query string. Your new account password no longer appears in server logs or browser history. A small change with big privacy implications!
- Access Token Validation on Login: The SC access token is now validated before being written to localStorage, preventing invalid or tampered tokens from silently corrupting your session.
- Mod Panel XSS Fix: The moderator panel now uses `textContent` instead of `innerHTML` when rendering API results, closing an XSS vector in an admin-facing page.
- Markdown Link Rendering Fixed: A rendering pipeline bug that was silently corrupting markdown links inside post bodies has been resolved.
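How an iframe host allowlist like the one described above can be enforced, as an added example that is not Actifit's own code. The providers are the ones named in the notes; the exact hostnames, the https-only rule and the placeholder comment are assumptions.

```javascript
// Added example (not Actifit's own code): a host allowlist for iframe embeds
// in post content. The providers are the ones named in the release notes; the
// exact hostnames Actifit accepts are an assumption.
const ALLOWED_IFRAME_HOSTS = [
  'youtube.com', 'youtube-nocookie.com', '3speak.tv', 'vimeo.com',
  'rumble.com', 'd.tube', 'facebook.com',
];

// True only for an absolute https URL whose host is an allowed host or a
// subdomain of one. Parsing with URL (not a substring test) means a host such
// as youtube.com.evil.example is rejected even though it contains "youtube.com".
function isAllowedIframeSrc(src) {
  let url;
  try {
    url = new URL(String(src));
  } catch {
    return false;                                 // relative or malformed src
  }
  if (url.protocol !== 'https:') return false;    // rejects javascript:, data:, http:
  const host = url.hostname.toLowerCase();
  return ALLOWED_IFRAME_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Rewrites post HTML: iframes pointing at allowed hosts are kept, every other
// iframe (or one with no src at all) is replaced by a placeholder comment.
function filterIframes(html) {
  return html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, (tag) => {
    const m = tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i);
    return m && isAllowedIframeSrc(m[1]) ? tag : '<!-- embed removed -->';
  });
}
```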
Reward System: On-Chain Verification, End to End!
The reward system got the biggest upgrade in this release: everything is now verified against the actual Hive blockchain before any AFIT reward is granted:
- Vote Rewards Verified On-Chain: Before rewarding a vote activity, actifitbot now queries the Hive account history and confirms at least 3 `actifit_vote` custom_json operations were broadcast today. If you didn't actually vote, no reward is issued.
- Edit Rewards Verified On-Chain: Before rewarding a post edit, actifitbot fetches the post via `get_content` and checks the `suppEdit: 'actifit.io'` field in its metadata, proof the edit was made through the Actifit interface. Edits made elsewhere don't qualify.
- Comment Rewards Verified On-Chain: Comment rewards now require at least 3 qualifying on-chain comment operations today (replies to posts, not top-level content), with a minimum of 50 characters per comment. Quality engagement only!
- Phantom Account Rewards Blocked: actifitbot now rejects any reward grant for a username that doesn't correspond to a real Hive account. No rewards for ghost users.
- AFIT Reward Estimation Endpoint: A new `/getEstimatedReward` endpoint is now available on actifitbot, letting the app display estimated AFIT rewards to users before they complete an action.
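The three on-chain checks above (vote proofs, qualifying replies, and the `suppEdit` metadata flag) carried out over a constructed `get_account_history`-style response, as an added example and not actifitbot's own code. The thresholds and the `actifit_vote` id come from the notes; the account `alice`, the timestamps, and the rule that the user must appear in `required_posting_auths` are assumptions.

```javascript
// Added example (not actifitbot's own code): the three on-chain reward checks
// above, run over a constructed get_account_history-style response.
// Hive history entries have the shape [index, { timestamp, op: [name, data] }].
const MIN_VOTES = 3, MIN_COMMENTS = 3, MIN_COMMENT_LEN = 50;

// Hive timestamps are UTC without a trailing "Z"; compare the calendar date only.
function isSameUtcDay(ts, now) {
  return ts.slice(0, 10) === now.toISOString().slice(0, 10);
}

// Vote proofs: actifit_vote custom_json ops the user posting-authorised today.
function countVoteProofs(history, user, now) {
  return history.filter(([, e]) => {
    const [name, data] = e.op;
    return name === 'custom_json' && data.id === 'actifit_vote' &&
      (data.required_posting_auths || []).includes(user) && isSameUtcDay(e.timestamp, now);
  }).length;
}

// Comments: replies only (parent_author set), body at least MIN_COMMENT_LEN chars.
function countQualifyingComments(history, user, now) {
  return history.filter(([, e]) => {
    const [name, data] = e.op;
    return name === 'comment' && data.author === user && data.parent_author !== '' &&
      data.body.trim().length >= MIN_COMMENT_LEN && isSameUtcDay(e.timestamp, now);
  }).length;
}

const voteRewardEligible = (h, u, now) => countVoteProofs(h, u, now) >= MIN_VOTES;
const commentRewardEligible = (h, u, now) => countQualifyingComments(h, u, now) >= MIN_COMMENTS;

// Edits: the post returned by get_content must carry suppEdit: 'actifit.io' in
// its json_metadata (a JSON string on Hive, so parse it defensively).
function editMadeViaActifit(post) {
  try { return JSON.parse(post.json_metadata || '{}').suppEdit === 'actifit.io'; }
  catch { return false; }
}

// Constructed sample data: two votes today plus one from yesterday, and four
// comments of which only two are replies of 50+ characters.
const NOW = new Date('2024-01-15T12:00:00Z');
const vote = (ts) => [0, { timestamp: ts, op: ['custom_json', { id: 'actifit_vote',
  required_auths: [], required_posting_auths: ['alice'], json: '{}' }] }];
const reply = (ts, body, parent = 'bob') => [0, { timestamp: ts,
  op: ['comment', { author: 'alice', parent_author: parent, body }] }];
const SAMPLE_HISTORY = [
  vote('2024-01-15T08:00:00'), vote('2024-01-15T09:00:00'), vote('2024-01-14T23:59:00'),
  reply('2024-01-15T10:00:00', 'x'.repeat(60)), reply('2024-01-15T10:05:00', 'short'),
  reply('2024-01-15T10:10:00', 'y'.repeat(80)), reply('2024-01-15T10:15:00', 'z'.repeat(50), ''),
];
```

With the sample data neither vote nor comment rewards are granted (2 of 3 each); a third vote broadcast today tips the vote check over.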
Under the Hood
- URL Normalization: All reward callers now correctly normalize relative Hive API URLs to absolute `https://actifit.io/...` URLs, so no more `url=undefined` errors in reward requests.
- Timing Race Fixed: Blog and video post creation now pre-captures the post URL before the 2-second redirect fires, ensuring the 10-second reward timer always has the right URL, even after the component unmounts.
X (Twitter) Social Integration: Richer & More Reliable
The /latestXPost endpoint powering the social feed has been significantly expanded:
- Two Latest Tweets: The feed now returns your two most recent posts instead of just one: more activity, more context, at a glance.
- Tweet Media Photos: Images attached to tweets are now included in the response, with a graceful fallback to the account profile image when no media is present.
- Profile Image in Response: The account's profile picture URL is now always included, useful for rendering rich cards in the app.
- Credential Resilience: The X API credential lookup now falls back to environment variables when they aren't present in the config file, so the integration stays live through config reloads.
BSC Prices & Rewards: Rock Solid After Web3 v4 Upgrade
- BSC Price Endpoints Fully Restored: The Web3 library upgrade to v4 broke all BSC-based price calculations (BNB, AFIT BSC, AFITX BSC, DEX trade) by changing how `fromWei()` and contract calls handle types. All calls have been updated: units are now explicit, BigInt results are properly converted, and price precision is raised to 6 decimal places for accuracy.
- Live Step Count in Reward Estimates: The `/getEstimatedReward` endpoint now factors in the user's live step count submitted directly from the app, giving a much more accurate reward estimate before the activity is finalised.
- calcRank Hardened: The rank calculation is now guarded against `undefined` `balanceOf` results, so no more silent failures when a token balance call returns unexpectedly.
Landing Page: Security Hardening Round 2
Following a thorough re-check audit (AUDIT-046), a second wave of security fixes has landed on the landing page:
- Open Redirect Closed: Notification click-throughs now validate the destination URL scheme before navigating. Only `http://` and `https://` links are followed; anything else (including `javascript:` URLs) falls back to the notifications page.
- URL Sanitiser Implemented: The `$safeUrl()` helper, previously a no-op that passed all URLs through unchecked, now enforces an allowlist of safe schemes (`http`, `https`, `mailto`, `tel`, `hive`, `steem`, `hivesigner`). Dangerous schemes are replaced with `#`.
- Profile Image Upload Secured: Profile picture uploads now route through the server-side proxy (which injects the upload key), removing the last dead client-side secret reference from the frontend bundle.
- CSS Sanitiser Extended: The post-content CSS strip now also removes `background-image` and `background` properties, and drops any style rule whose value contains `javascript:` or `expression()`, closing the final browser-mitigated CSS vector flagged in the audit.
- Security Headers Enabled: The `nuxt-helmet` configuration is now active with HSTS (180-day max-age), `X-Content-Type-Options: nosniff`, `X-XSS-Protection`, `Referrer-Policy: strict-origin-when-cross-origin`, and `X-Powered-By` removal. Previously the entire header config was commented out.
- Reverse Tabnabbing Fixed Across the Board: All 102 external links using `target="_blank"` across the app now include `rel="noopener noreferrer"`, preventing the opened tab from accessing the opener window.
- Console Logs Stripped from Production: All `console.log` and related calls are now automatically removed from production bundles via the terser config, so nothing leaks to the browser devtools in production.
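The post-content CSS strip from the first security section together with the Round 2 extension above, as one added example that is not Actifit's own code. The property names and the `javascript:` / `expression()` value patterns come from the notes; parsing inline `style` attributes declaration by declaration is an assumption about how it is applied.

```javascript
// Added example (not Actifit's own code): strips the CSS properties and values
// named in both CSS sanitiser items from inline style attributes in post HTML.
// Property and value lists are from the notes; the parsing approach is assumed.
const BLOCKED_PROPS = new Set([
  'position', 'z-index', 'top', 'left', 'right', 'bottom', 'pointer-events',
  'background-image', 'background',
]);
const BLOCKED_VALUE = /javascript:|expression\s*\(/i;

// Sanitises one declaration list ("color: red; position: fixed"). Each
// declaration is judged on its own so legitimate styling survives, and the
// value test runs for every property, not only the blocked ones.
function sanitizeStyle(style) {
  return style.split(';').map((d) => d.trim()).filter(Boolean).filter((decl) => {
    const idx = decl.indexOf(':');
    if (idx < 0) return false;                             // malformed: drop it
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1);
    return !BLOCKED_PROPS.has(prop) && !BLOCKED_VALUE.test(value);
  }).join('; ');
}

// Applies sanitizeStyle to every style="..." attribute; an attribute left with
// no declarations is removed entirely.
function sanitizePostStyles(html) {
  return html.replace(/\sstyle\s*=\s*(["'])(.*?)\1/gi, (m, q, style) => {
    const clean = sanitizeStyle(style);
    return clean ? ` style=${q}${clean}${q}` : '';
  });
}
```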
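The scheme checks behind the open-redirect fix and the `$safeUrl()` allowlist above, as an added example that is not Actifit's own code. The allowed schemes, the `#` replacement and the http/https-only rule for notifications come from the notes; the `/notifications` route and passing relative links through unchanged are assumptions.

```javascript
// Added example (not Actifit's own code): a $safeUrl-style scheme allowlist and
// the scheme check used for notification click-throughs.
const SAFE_SCHEMES = ['http:', 'https:', 'mailto:', 'tel:', 'hive:', 'steem:', 'hivesigner:'];
const NOTIFICATIONS_PAGE = '/notifications';   // assumed fallback route

// Returns the lower-cased scheme with its colon, or null for a relative URL.
// Leading whitespace and control characters are stripped first because browsers
// ignore them, so "  javascript:..." must not slip past a naive prefix check.
function schemeOf(url) {
  const s = String(url).replace(/^[\s\u0000-\u001f]+/, '');
  const m = s.match(/^([a-z][a-z0-9+.-]*):/i);
  return m ? m[1].toLowerCase() + ':' : null;
}

// safeUrl: relative links (assumed safe) and allowlisted schemes pass through;
// any other scheme becomes '#'.
function safeUrl(url) {
  const scheme = schemeOf(url);
  if (scheme === null) return String(url);
  return SAFE_SCHEMES.includes(scheme) ? String(url) : '#';
}

// Notification redirect: only absolute http(s) destinations are followed;
// everything else falls back to the notifications page.
function notificationTarget(url) {
  const scheme = schemeOf(url);
  return scheme === 'http:' || scheme === 'https:' ? String(url).trim() : NOTIFICATIONS_PAGE;
}
```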
DevOps & Stability
- Automated Deployment Pipeline: actifitbot now ships with a GitHub Actions workflow that automatically deploys to the production servers on every push to the main branch. No more manual `git pull` steps.
- Silent Bugs Eliminated: 27 implicit global variables across actifitbot have been declared with `const`, eliminating an entire class of potential runtime leaks and making the codebase compliant with strict mode.
A special shoutout and thank you goes to for responsibly reporting several of the security vulnerabilities addressed in this release. The Hive ecosystem is stronger when community members look out for each other; we truly appreciate it!
We're constantly raising the bar on what it means to be a secure, trustworthy fitness-to-earn platform. This release is a testament to that commitment: every reward you earn is now backed by real on-chain proof, and every piece of your data is handled with the care it deserves.
Keep moving, keep earning, and as always, thank you for being part of the Actifit journey!
Happy Actifitting!
The Actifit Team
Support Our Work!
Do you love the Actifit updates and the dedication we put into making your fitness journey more rewarding? Then show us some love! Your support means the world to us and helps us keep building awesome features and improving the platform.
Support our witness
on Hive, vote for us or set us as proxy on actifit profile, or via peakd, hive blog or hive-signer.
Support our witness
on Hive-engine, vote for us on Tribaldex.
Questions? Suggestions?
Let us know in the comments below, or reach us on:
Discord | Twitter | Instagram | Facebook
Stay Fit. Earn Crypto. Live Better.
- The Actifit Team