Wealthfolio
3.0.4
Mar 05, 2026

v3.0.4 brings portfolio filters, persistent table sorting, better crypto precision, stronger security, and important updates for self-hosters.

What’s New

  • Securities portfolio filter — The securities list now defaults to showing only your currently held assets. Switch between “Current” and “Past” holdings to find what you need faster.
  • Persistent table sorting — Your sorting preferences on data tables are now remembered across sessions. (#671)
  • Better crypto precision — Increased decimal precision from 6 to 8 digits, so fractional crypto holdings (e.g. 0.00012345 BTC) are tracked accurately.
  • Search activities by notes — You can now search your activities using text from the notes field. (#662)
  • AI provider feedback — Adding or removing AI API keys now shows clear success/error notifications.
  • Smarter update checks — Update checks are cached to avoid redundant network calls, with a manual “force refresh” option. (#663)

Security Improvements

  • Stronger session security — Login sessions now use secure, HttpOnly cookies instead of browser-stored tokens, so a script injected through XSS cannot read the session token.
  • Login rate limiting — Login attempts are limited to 5 per minute per IP address to prevent brute-force attacks.
  • Stricter CORS policy — Wildcard origins (*) are no longer allowed when authentication is enabled. You must specify your exact allowed origin.
  • Improved secret key handling — Encryption keys are now derived using industry-standard HKDF-SHA256. Existing secrets are migrated automatically on startup — no action needed.

Bug Fixes

  • AI assistant — Fixed Ollama model selection so the chosen model always matches what’s available. Also fixed /v1 URL handling that caused 405 errors. (#665)
  • Keyboard shortcuts — The search shortcut in the sidebar now shows the correct key for your platform (Cmd+K on Mac, Ctrl+K on Windows/Linux). (#670)
  • Performance chart — Improved chart width and disabled animation on mobile for smoother rendering.
  • Sheet layout — Fixed padding on sheet overlays for better visual spacing.
  • Timezone settings — Simplified timezone detection by removing the confusing auto-detected field.
  • Device sync pairing — Improved snapshot handling and UI updates during the device pairing flow.
  • Cloud sync sessions — Sessions are now automatically restored on page reload, so you don’t need to re-authenticate as often.

For Self-Hosters (Docker / Web Mode)

Breaking Changes

  1. CORS wildcard no longer allowed with auth — If WF_AUTH_PASSWORD_HASH is set, you must set WF_CORS_ALLOW_ORIGINS to an explicit origin (e.g. https://wealthfolio.example.com).

  2. Auth required on non-loopback addresses — Binding to 0.0.0.0 now requires either WF_AUTH_PASSWORD_HASH to be set, or WF_AUTH_REQUIRED=false to explicitly opt out (e.g. when a reverse proxy handles auth).

  3. OpenAPI schema moved — Now served at /api/v1/openapi.json (requires authentication when auth is enabled).

New Environment Variable

| Variable | Default | Description |
| --- | --- | --- |
| WF_AUTH_REQUIRED | true | Set to false to run without authentication on non-loopback addresses (e.g. behind a reverse proxy) |

What to Do

  • Docker Compose users: Set WF_CORS_ALLOW_ORIGINS to your actual domain in your .env.docker or compose.yml. If you run without auth behind a reverse proxy, add WF_AUTH_REQUIRED=false. Review the updated compose.yml and README.md.
  • Reverse proxy users: Ensure your proxy preserves Cookie and Set-Cookie headers for /api paths. The session cookie uses SameSite=Strict and Path=/api.
  • SSE / frontend clients: EventSource connections now authenticate via cookie (withCredentials: true). Query-param token passing has been removed.
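
A pre-start check for the two configuration rules listed under Breaking Changes, as an added example that is not Wealthfolio's own code. It assumes the bind address is passed as the first argument (the page does not name the variable that holds it) and that multiple CORS origins are comma-separated.

```shell
# Added example, not Wealthfolio's own code: pre-start check for the v3.0.4 rules.
# Assumptions: the bind address is passed as $1 (the page does not name the
# variable that holds it) and multiple CORS origins are comma-separated.

# Succeeds when the address (host or host:port) is loopback.
is_loopback() {
  case "$1" in
    127.[0-9]*|localhost|localhost:*|::1|"[::1]"|"[::1]:"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints one line per finding; the return status is the number of failures.
wf_preflight() {
  addr="$1"
  problems=0
  origins=$(printf '%s' "${WF_CORS_ALLOW_ORIGINS:-}" | tr -d ' ')

  # Breaking change 1: with auth enabled, CORS must list explicit origins.
  if [ -n "${WF_AUTH_PASSWORD_HASH:-}" ]; then
    case ",$origins," in
      ",,")
        echo "FAIL: auth is on but WF_CORS_ALLOW_ORIGINS is not set"
        problems=$((problems + 1)) ;;
      *,\*,*)
        echo "FAIL: WF_CORS_ALLOW_ORIGINS contains '*' while auth is on"
        problems=$((problems + 1)) ;;
    esac
  fi

  # Breaking change 2: a non-loopback bind needs a hash or an explicit opt-out.
  if ! is_loopback "$addr" && [ -z "${WF_AUTH_PASSWORD_HASH:-}" ] &&
     [ "${WF_AUTH_REQUIRED:-true}" != "false" ]; then
    echo "FAIL: $addr is not loopback; set WF_AUTH_PASSWORD_HASH or WF_AUTH_REQUIRED=false"
    problems=$((problems + 1))
  fi

  # The opt-out leaves the app itself open, so the proxy must authenticate.
  if [ -z "${WF_AUTH_PASSWORD_HASH:-}" ] && [ "${WF_AUTH_REQUIRED:-true}" = "false" ]; then
    echo "WARN: no app-level auth; confirm the reverse proxy enforces it"
  fi
  return "$problems"
}
```

Source the file with your deployment's environment loaded and call `wf_preflight 0.0.0.0:8088` (constructed address); a non-zero status means the configuration breaks one of the rules above.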