fixing some seucirty issues

public/index.html

@@ -471,6 +471,7 @@ async function checkAuth() {
       document.getElementById('settingsUser').textContent = res.user.username + ' (' + res.user.user_token.substring(0, 12) + '...)';
       document.getElementById('appLogin').style.display = 'none';
       document.getElementById('appMain').style.display = '';
+      fetchCsrf();
       initApp();
       return true;
     }
@@ -547,11 +548,24 @@ function loadPage(name) {
 }
 
 // --- API Helpers ---
+let csrfToken = '';
+
+async function fetchCsrf() {
+  try {
+    const res = await api('/auth/csrf', { method: 'GET', noCsrf: true });
+    csrfToken = res.csrf_token || '';
+  } catch {}
+}
+
 async function api(path, opts = {}) {
-  const res = await fetch(API + path, {
-    headers: { 'Accept': 'application/json', ...(opts.body ? { 'Content-Type': 'application/json' } : {}) },
-    ...opts,
-  });
+  const headers = { 'Accept': 'application/json' };
+  if (opts.body) {
+    headers['Content-Type'] = 'application/json';
+  }
+  if (opts.method && opts.method !== 'GET' && !opts.noCsrf && csrfToken) {
+    headers['X-CSRF-TOKEN'] = csrfToken;
+  }
+  const res = await fetch(API + path, { headers, ...opts });
   const data = await res.json();
   if (!res.ok) {
     const err = new Error(data.error || 'Request failed');
@@ -963,7 +977,11 @@ async function loadSettings() {
 
   try {
     const res = await api('/config/telegram');
-    document.getElementById('telegramBotToken').value = res.bot_token || '';
+    if (res.bot_token) {
+      document.getElementById('telegramBotToken').value = res.bot_token;
+    } else {
+      document.getElementById('telegramBotToken').placeholder = res.bot_token_masked || 'Enter bot token';
+    }
     document.getElementById('telegramChatId').value = res.chat_id || '';
   } catch (e) { console.error('load telegram error', e); }