diff --git a/replit.md b/replit.md index 7b60793c..090e9834 100644 --- a/replit.md +++ b/replit.md @@ -6,7 +6,9 @@ ThrillWiki is a community-driven web application for discovering, reviewing, and ## Recent Changes (October 8, 2025) ### Security Enhancements -- **Fixed JWT Decoding Security Vulnerability:** Updated `cancel-email-change` Edge Function to properly handle base64url encoding used by JWT tokens. Replaced browser-specific decoding with a secure implementation that correctly normalizes URL-safe characters and adds proper padding. +- **Enabled JWT Verification for Image Upload:** Changed `upload-image` Edge Function to `verify_jwt = true` in `supabase/config.toml`. This ensures Supabase validates JWT tokens before the function executes, preventing unauthorized access to image upload/delete operations. +- **Replaced Manual JWT Decoding with Supabase Verification:** Updated `cancel-email-change` Edge Function to use Supabase's built-in `auth.getUser(token)` method with service role client instead of manual base64 decoding. This approach properly verifies JWT tokens using only runtime-available environment variables (SUPABASE_URL and SUPABASE_SERVICE_ROLE_KEY) while maintaining admin privileges for database operations. +- **Made Geolocation API Configurable:** Updated `detect-location` Edge Function to use environment variables for geolocation service configuration. The API URL (`GEOLOCATION_API_URL`) and fields (`GEOLOCATION_API_FIELDS`) are now configurable, with sensible defaults (ip-api.com) for easier service switching and testing. - **Enhanced Error Handling:** Added comprehensive error handling to all Supabase Edge Functions with granular try-catch blocks for network requests, JSON parsing, and API responses. Improves reliability and provides detailed error messages for debugging. ## Recent Changes (October 7, 2025)
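Review bot: the `cancel-email-change` entry in this hunk describes authentication only; it states that `auth.getUser(token)` is called on a service-role client "while maintaining admin privileges for database operations", but not whether the user identity returned by `auth.getUser(token)` is compared against the email-change record being cancelled before the privileged write happens. Since the service-role client bypasses row-level checks, the changelog should record that ownership check explicitly, e.g. "The user id returned by `auth.getUser(token)` is matched against the pending email-change row before it is cancelled." The same gap applies to the `upload-image` entry: `verify_jwt = true` in `supabase/config.toml` makes Supabase reject requests without a valid token, which prevents anonymous calls, but the line "preventing unauthorized access to image upload/delete operations" overstates it unless the function also checks that the caller owns the image it deletes; state which of the two is in place. For the `detect-location` entry, add that `GEOLOCATION_API_URL` and `GEOLOCATION_API_FIELDS` are read only from the environment and never from request parameters, so the configurability cannot be used to redirect the function to an arbitrary host.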