# Changelog

## 3.22.0 - 2020-03-24
### Changed
- Updated `helmet-csp` to v2.10.0
- Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)

### Deprecated
- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)

## 3.21.3 - 2020-02-24
### Changed
- Updated `helmet-csp` to v2.9.5
- Updated `bowser` subdependency from 2.7.0 to 2.9.0
- Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)

## 3.21.2 - 2019-10-21
### Changed
- Updated `helmet-csp` to v2.9.4
- Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)

## 3.21.1 - 2019-09-20
### Fixed
- Updated `helmet-csp` to v2.9.2
- Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
- Fixed tablet PC detection by updating `bowser` subdependency to latest version

## 3.21.0 - 2019-09-04
### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`

### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)

## 3.20.1 - 2019-08-28
### Changed
- Updated `helmet-csp` to v2.9.0

## 3.20.0 - 2019-07-24
### Changed
- Updated `helmet-csp` to v2.8.0

## 3.19.0 - 2019-07-17
### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0

## 3.18.0 - 2019-05-05
### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`

### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0

## 3.17.0 - 2019-05-03
### Added
- `referrerPolicy` now supports multiple values

### Changed
- Updated `referrerPolicy` to v1.2.0

## 3.16.0 - 2019-03-10
### Added
- Add email to `bugs` field in `package.json`

### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information

### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more

## 3.15.1 - 2019-02-10
### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.

## 3.15.0 - 2018-11-07
### Added
- `helmet.featurePolicy` now supports four new features

## 3.14.0 - 2018-10-09
### Added
- `helmet.featurePolicy` middleware

## 3.13.0 - 2018-07-22
### Added
- `helmet.permittedCrossDomainPolicies` middleware

## 3.12.2 - 2018-07-20
### Fixed
- Removed `lodash.reduce` dependency from `csp`

## 3.12.1 - 2018-05-16
### Fixed
- `expectCt` should use comma instead of semicolon as delimiter

## 3.12.0 - 2018-03-02
### Added
- `xssFilter` now supports `reportUri` option

## 3.11.0 - 2018-02-09
### Added
- Main Helmet middleware is now named to help with debugging

## 3.10.0 - 2018-01-23
### Added
- `csp` now supports `prefix-src` directive

### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` should be able to disable a CSP directive

## 3.9.0 - 2017-10-13
### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive

### Changed
- Removed `connect` dependency

## 3.8.2 - 2017-09-27
### Changed
- Updated `connect` dependency to latest

## 3.8.1 - 2017-07-28
### Fixed
- `csp` does not automatically set `report-to` when setting `report-uri`

## 3.8.0 - 2017-07-21
### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header

## 3.7.0 - 2017-07-21
### Added
- `csp` now supports `report-to` directive

### Changed
- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`

## 3.6.1 - 2017-05-21
### Changed
- Bump `connect` version

## 3.6.0 - 2017-05-04
### Added
- `expectCt` middleware for setting the `Expect-CT` header

## 3.5.0 - 2017-03-06
### Added
- `csp` now supports the `worker-src` directive

## 3.4.1 - 2017-02-24
### Changed
- Bump `connect` version

## 3.4.0 - 2017-01-13
### Added
- `csp` now supports more `sandbox` directives

## 3.3.0 - 2016-12-31
### Added
- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives

### Changed
- Bump `connect` version

## 3.2.0 - 2016-12-22
### Added
- `csp` now allows `manifest-src` directive

## 3.1.0 - 2016-11-03
### Added
- `csp` now allows `frame-src` directive

## 3.0.0 - 2016-10-28
### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
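
The 3.0.0 rules above, worked through as a small header builder. This is an added illustration, not Helmet's own code; `buildCsp` and `buildHsts` are names assumed here, and the keyword list is a constructed subset of the CSP keywords Helmet checks.

```javascript
// Added illustration of the 3.0.0 directive rules: not helmet's own code.
// KEYWORDS is a constructed subset of the source keywords that must be quoted.
const KEYWORDS = new Set(['self', 'none', 'unsafe-inline', 'unsafe-eval']);

// camelCase option name -> dashed directive name, e.g. scriptSrc -> script-src
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Returns { name, value } for the CSP header. `loose: true` skips the
// common-mistake check; `reportOnly: true` only changes the header name and
// needs no report-uri.
function buildCsp(directives, opts = {}) {
  const parts = [];
  for (const [option, value] of Object.entries(directives)) {
    const directive = dashify(option);
    if (value === false) continue; // `false` disables the directive entirely
    if (directive === 'sandbox' && value === true) {
      parts.push('sandbox'); // bare `sandbox` blocks everything
      continue;
    }
    if (!Array.isArray(value) || value.length === 0) {
      throw new Error(`${directive}: empty source list; use ["'none'"] to block everything`);
    }
    if (!opts.loose) {
      for (const src of value) {
        if (KEYWORDS.has(src)) throw new Error(`${directive}: ${src} must be quoted as "'${src}'"`);
      }
    }
    parts.push(`${directive} ${value.join(' ')}`);
  }
  return {
    name: opts.reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: parts.join('; '),
  };
}

// HSTS: maxAge is in seconds, defaults to 180 days, subdomains included by default
const DEFAULT_HSTS_MAX_AGE = 180 * 24 * 60 * 60; // 15552000 seconds

function buildHsts(opts = {}) {
  const maxAge = opts.maxAge === undefined ? DEFAULT_HSTS_MAX_AGE : opts.maxAge;
  if (!Number.isInteger(maxAge) || maxAge < 0) throw new Error('maxAge must be a whole number of seconds');
  return opts.includeSubDomains === false ? `max-age=${maxAge}` : `max-age=${maxAge}; includeSubDomains`;
}
```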

### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module

## 2.3.0 - 2016-09-30
### Added
- `hpkp` middleware now supports the `includeSubDomains` property with a capital D

### Fixed
- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`

## 2.2.0 - 2016-09-16
### Added
- `referrerPolicy` middleware

## 2.1.3 - 2016-09-07
### Changed
- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required

## 2.1.2 - 2016-07-27
### Deprecated
- `nocache`'s `noEtag` option is now deprecated

### Fixed
- `csp` now better handles Firefox on mobile

## 2.1.1 - 2016-06-10
### Changed
- Remove several dependencies from `helmet-csp`

### Fixed
- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`

## 2.1.0 - 2016-05-18
### Added
- `csp` lets you dynamically set `reportOnly`

## 2.0.0 - 2016-04-29
### Added
- Pass configuration to enable/disable default middlewares

### Changed
- `dnsPrefetchControl` middleware is now enabled by default

### Removed
- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object

### Fixed
- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme

## 1.3.0 - 2016-03-01
### Added
- `hpkp` has a `setIf` option to conditionally set the header

## 1.2.0 - 2016-02-29
### Added
- `csp` now has a `browserSniff` option to disable all user-agent sniffing

### Changed
- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly

## 1.1.0 - 2016-01-12
### Added
- Code of conduct
- `dnsPrefetchControl` middleware

### Fixed
- `csp` readme had syntax errors

## 1.0.2 - 2016-01-08
### Fixed
- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error

## 1.0.1 - 2015-12-19
### Fixed
- `csp` with no User Agent would cause errors

## 1.0.0 - 2015-12-18
### Added
- `csp` module supports dynamically-generated values

### Changed
- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo

### Removed
- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module

### Fixed
- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies are no longer recursive

## 0.15.0 - 2015-11-26
### Changed
- `hpkp` allows a `report-uri` without the `Report-Only` header

## 0.14.0 - 2015-11-01
### Added
- `nocache` now sends the `Surrogate-Control` header

### Changed
- `nocache` no longer contains the `private` directive in the `Cache-Control` header

## 0.13.0 - 2015-10-23
### Added
- `xssFilter` now has a function name
- Added new CSP docs to readme

### Changed
- HSTS option renamed from `includeSubdomains` to `includeSubDomains`

## 0.11.0 - 2015-09-18
### Added
- `csp` now supports Microsoft Edge
- CSP Level 2 support

### Changed
- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0

### Fixed
- Added `license` key to `csp`'s `package.json`
- Empty `csp` directives now support every directive, not just `sandbox`

## 0.10.0 - 2015-07-08
### Added
- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`

### Changed
- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins

### Fixed
- `hpkp` might have miscalculated `maxAge` slightly

## 0.9.0 - 2015-04-24
### Changed
- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`

## 0.8.0 - 2015-04-21
### Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus

### Deprecated
- Deprecated `crossdomain` middleware

### Removed
- `crossdomain` is no longer a default middleware

## 0.7.1 - 2015-03-23
### Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries

## 0.7.0 - 2015-03-05
### Added
- `hpkp` middleware

### Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup

## 0.6.2 - 2015-03-01
### Changed
- Improved `xssFilter` performance
- Updated Lodash versions

## 0.6.1 - 2015-02-13
### Added
- "Other recommended modules" in README

### Changed
- Updated Lodash version

### Fixed
- `frameguard` middleware exported a function called `xframe`

## 0.6.0 - 2015-01-21
### Added
- You can disable `csp` for Android

### Fixed
- `csp` on Chrome Mobile on Android and iOS

## 0.5.4 - 2014-12-21
### Changed
- `nocache` should force revalidation

## 0.5.3 - 2014-12-08
### Changed
- `platform` version in CSP and X-XSS-Protection

### Fixed
- Updated bad wording in frameguard docs

## 0.5.2 - 2014-11-16
### Changed
- Updated Connect version

### Fixed
- Minor `csp` bug fixes

## 0.5.1 - 2014-11-09
### Changed
- Updated URLs in `package.json` for new URL

### Fixed
- CSP would set all headers forever after receiving an unknown user agent

## 0.5.0 - 2014-10-28
### Added
- Most middlewares have some aliases now

### Changed
- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version

### Removed
- Deprecation warnings

### Fixed
- Readme link was broken

## 0.4.2 - 2014-10-16
### Added
- Support preload in HSTS header

## 0.4.1 - 2014-08-24
### Added
- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code

## 0.4.0 - 2014-07-17
### Added
- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags

### Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age

### Fixed
- Allow HSTS to have a max-age of 0

## 0.3.2 - 2014-06-30
### Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age

### Changed
- Added semicolons in README
- Make some Errors more specific

### Removed
- Removed all comment headers; refer to the readme

### Fixed
- `helmet()` was having issues
- Fixed syntax errors in README

This changelog was created after the release of 0.3.1.