sanitizeImageURL: marketing mailers (Banana Republic, etc.) emit SOH (0x01) instead of = in image query strings → net/url rejected URLs → /api/media/proxy 502. Fixed at normalize + proxy time.ServerName on IP dial, IPv4 preferred over IPv6, manual redirect follow (up to 5 hops).STORAGE_ROOT/camo (not hardcoded relative storage/).User-Agent.style-src: 'unsafe-inline' https: — allows <link rel="stylesheet"> from Google Fonts, T-Bank CDN, and other HTTPS marketing CSS (fonts already allowed via font-src https:).script-src in iframe CSP./api/license: returns app_version (backend binary) and update_channel (stable / beta / alpha from UPDATE_CHANNEL env).vX.Y.Z; version prefers backend app_version over frontend build env.