fix: security issue fixed by not assigning download blob url to button, instead create a html element and auto click it for download

backend/server.ts

@@ -6,7 +6,12 @@ import { colorConvert } from "./src/routes/colorconvert.route";
 
 const app = Fastify({ logger: true });
 
-app.register(cors, { origin: "*", exposedHeaders: 'Content-Disposition' });
+app.register(cors, {
+  origin: "*",
+  exposedHeaders: "Content-Disposition",
+  methods: "POST",
+  allowedHeaders: "Content-Type",
+});
 app.register(multipart);
 app.register(libreConvert);
 app.register(colorConvert);

backend/src/routes/libreconvert.route.ts

@@ -69,6 +69,7 @@ export async function libreConvert(app: FastifyInstance) {
             "Content-Disposition",
             `attachment; filename="converted${outputFileExt}"`,
           )
+          .status(200)
           .send(convertedBuffer);
       } catch (error) {
         console.error("Convert error:", error);