diff --git a/copyparty/__version__.py b/copyparty/__version__.py
index 91a7bdf6..9d39a174 100644
--- a/copyparty/__version__.py
+++ b/copyparty/__version__.py
@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 13, 8)
-CODENAME = "race the beam"
-BUILD_DT = (2024, 8, 13)
+VERSION = (1, 14, 0)
+CODENAME = "one step forward"
+BUILD_DT = (2024, 8, 18)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 34713287..bd2c37fc 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -464,6 +464,9 @@ class HttpCli(object):
 
         zso = self.headers.get("cookie")
         if zso:
+            if len(zso) > 8192:
+                self.loud_reply("cookie header too big", status=400)
+                return False
             zsll = [x.split("=", 1) for x in zso.split(";") if "=" in x]
             cookies = {k.strip(): unescape_cookie(zs) for k, zs in zsll}
             cookie_pw = cookies.get("cppws") or cookies.get("cppwd") or ""
diff --git a/copyparty/util.py b/copyparty/util.py
index 0f879367..eb543434 100644
--- a/copyparty/util.py
+++ b/copyparty/util.py
@@ -1760,7 +1760,7 @@ def read_header(sr: Unrecv, t_idle: int, t_tot: int) -> list[str]:
 
         ofs = ret.find(b"\r\n\r\n")
         if ofs < 0:
-            if len(ret) > 1024 * 64:
+            if len(ret) > 1024 * 32:
                 raise Pebkac(400, "header 2big")
             else:
                 continue
diff --git a/copyparty/web/browser.html b/copyparty/web/browser.html
index e479fa0c..1b730e4f 100644
--- a/copyparty/web/browser.html
+++ b/copyparty/web/browser.html
@@ -67,14 +67,14 @@
 	<div id="op_up2k" class="opview"></div>
 
 	<div id="op_cfg" class="opview opbox opwide"></div>
-	
+
 	<h1 id="path">
 		<a href="#" id="entree">🌲</a>
 		{%- for n in vpnodes %}
 		<a href="{{ r }}/{{ n[0] }}">{{ n[1] }}</a>
 		{%- endfor %}
 	</h1>
-	
+
 	<div id="tree"></div>
 
 <div id="wrap">
@@ -118,11 +118,11 @@
 
 		</tbody>
 	</table>
-	
+
 	<div id="epi" class="logue">{{ "" if sb_lg else logues[1] }}</div>
 
 	<h2 id="wfp"><a href="{{ r }}/?h" id="goh">control-panel</a></h2>
-	
+
 	<a href="#" id="repl">π</a>
 
 </div>
diff --git a/copyparty/web/browser2.html b/copyparty/web/browser2.html
index 4a71282a..7b9053c8 100644
--- a/copyparty/web/browser2.html
+++ b/copyparty/web/browser2.html
@@ -51,11 +51,11 @@
 
 		</tbody>
 	</table>
-	
+
 	{%- if logues[1] %}
 	<div>{{ logues[1] }}</div><br />
 	{%- endif %}
-	
+
 	<h2><a href="{{ r }}/{{ url_suf }}{{ url_suf and '&amp;' or '?' }}h">control-panel</a></h2>
 
 </body>
diff --git a/copyparty/web/md.html b/copyparty/web/md.html
index 8e1722c9..6c03a8b3 100644
--- a/copyparty/web/md.html
+++ b/copyparty/web/md.html
@@ -49,7 +49,7 @@
 		<div id="mp" class="mdo"></div>
 	</div>
 	<a href="#" id="repl">π</a>
-	
+
 	{%- if edit %}
 	<div id="helpbox">
 		<textarea autocomplete="off">
@@ -125,7 +125,7 @@ write markdown (most html is 🙆 too)
 		</textarea>
 	</div>
 	{%- endif %}
-	
+
 	<script>
 
 var SR = {{ r|tojson }},
diff --git a/copyparty/web/splash.html b/copyparty/web/splash.html
index 112b54a7..e979566a 100644
--- a/copyparty/web/splash.html
+++ b/copyparty/web/splash.html
@@ -21,7 +21,7 @@
 			<p id="b">howdy stranger &nbsp; <small>(you're not logged in)</small></p>
 		{%- else %}
 			<a id="c" href="{{ r }}/?pw=x" class="logout">logout</a>
-			<p><span id="m">welcome back,</span> <strong>{{ this.uname }}</strong></p>
+			<p><span id="m">welcome back,</span> <strong>{{ this.uname|e }}</strong></p>
 		{%- endif %}
 
 		{%- if msg %}
diff --git a/docs/changelog.md b/docs/changelog.md
index db1adbf0..4f0efc74 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -1,3 +1,47 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2024-0813-0008  `v1.13.8`  hook into place
+
+## new features
+
+* #86 intentional side-effects from hooks 6c94a63f
+  * use hooks (plugins) to conditionally move uploads into another folder depending on filename, extension, uploader ip/name, file contents, ...
+  * hooks can create additional files and tell copyparty to index them immediately, or delete an existing file based on some condition
+  * only one example so far though, [reloc-by-ext](https://github.com/9001/copyparty/tree/hovudstraum/bin/hooks#before-upload) which was a feature-request to dodge [sharex#3992](https://github.com/ShareX/ShareX/issues/3992)
+* listen on unix-sockets ee9aad82
+  * `-i unix:/tmp/party.sock` stops listening on TCP ports entirely, and only listens on that unix-socket
+  * can be combined with regular sockets, `-i 127.0.0.1,unix:/tmp/a.sock`
+  * kinda buggy for now (need to `--xff-src=any` and doesn't let you set socket-perms yet), will be fixed in next ver
+  * makes it 10% faster, but more importantly offers tighter access control behind reverse-proxies
+    * inspired by https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
+* up2k stitching:
+  * more optimal stitch sizes for max throughput across connections c862ec1b
+  * improve fat32 compatibility 373194c3
+* new option `--js-other` to load custom javascript dbd42bc6
+  * `--js-browser` affects the filebrowser page, `--js-other` does all the others
+  * endless possibilities, such as [adding a login-banner](https://github.com/9001/copyparty/blob/hovudstraum/contrib/plugins/banner.js) which [looks like this](https://github.com/user-attachments/assets/8ae8e087-b209-449c-b08d-74e040f0284b)
+* list detected optional dependencies on startup 3db117d8
+  * hopefully reduces the guesswork / jank factor by a tiny bit
+
+## bugfixes
+
+* up2k stitching:
+  * put the request headers on a diet so they fit through more reverse-proxies 0da719f4
+* fix deadlock on s390x (IBM mainframes) 250c8c56
+
+## other changes
+
+* add flags to disengage [features](https://github.com/9001/copyparty/tree/hovudstraum#feature-chickenbits) and [dependencies](https://github.com/9001/copyparty/tree/hovudstraum#dependency-chickenbits) in case they cause trouble 72361c99
+* optimizations
+  * 6% faster on average d5c9c8eb
+  * docker: reduce ram usage 98ffaadf
+  * python2: reduce ram usage ebb19818
+* docker: add [portainer howto](https://github.com/9001/copyparty/blob/hovudstraum/docs/examples/docker/portainer.md) e136231c
+* update deps ca001c85
+  * pyftpdlib 1.5.10
+  * copyparty.exe: python 3.12.5
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2024-0729-2028  `v1.13.6`  not that big
 
diff --git a/docs/devnotes.md b/docs/devnotes.md
index 78bb5587..9696163b 100644
--- a/docs/devnotes.md
+++ b/docs/devnotes.md
@@ -1,7 +1,7 @@
 ## devnotes toc
 
 * top
-* [future plans](#future-plans) - some improvement ideas
+* [future ideas](#future-ideas) - list of dreams which will probably never happen
 * [design](#design)
     * [up2k](#up2k) - quick outline of the up2k protocol
         * [why not tus](#why-not-tus) - I didn't know about [tus](https://tus.io/)
@@ -27,9 +27,9 @@
     * [discarded ideas](#discarded-ideas)
 
 
-# future plans
+# future ideas
 
-some improvement ideas
+list of dreams which will probably never happen
 
 * the JS is a mess -- a ~~preact~~ rewrite would be nice
   * preferably without build dependencies like webpack/babel/node.js, maybe a python thing to assemble js files into main.js
