# Changelog

## 4.6.0 - 2021-05-01

### Added

- `helmet.contentSecurityPolicy`: the `useDefaults` option, defaulting to `false`, lets you selectively override defaults more easily
- Explicitly define TypeScript types in `package.json`. See [#303](https://github.com/helmetjs/helmet/pull/303)

## 4.5.0 - 2021-04-17

### Added

- `helmet.crossOriginEmbedderPolicy`: a new middleware for the `Cross-Origin-Embedder-Policy` header, disabled by default
- `helmet.crossOriginOpenerPolicy`: a new middleware for the `Cross-Origin-Opener-Policy` header, disabled by default
- `helmet.crossOriginResourcePolicy`: a new middleware for the `Cross-Origin-Resource-Policy` header, disabled by default

### Changed

- `true` enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
- Log a warning when passing options to `originAgentCluster` at the top level

### Fixed

- Incorrect documentation

## 4.4.1 - 2021-01-18

### Changed

- Shrink the published package by about 2.5 kB

## 4.4.0 - 2021-01-17

### Added

- `helmet.originAgentCluster`: a new middleware for the `Origin-Agent-Cluster` header, disabled by default

## 4.3.1 - 2020-12-27

### Fixed

- `helmet.contentSecurityPolicy`: broken TypeScript types. See [#283](https://github.com/helmetjs/helmet/issues/283)

## 4.3.0 - 2020-12-27

### Added

- `helmet.contentSecurityPolicy`: setting the `default-src` to `helmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc` disables it

### Changed

- `helmet.frameguard`: slightly improved error messages for non-strings

## 4.2.0 - 2020-11-01

### Added

- `helmet.contentSecurityPolicy`: get the default directives with `contentSecurityPolicy.getDefaultDirectives()`

### Changed

- `helmet()` now supports objects that don't have `Object.prototype` in their chain, such as `Object.create(null)`, as options
- `helmet.expectCt`: `max-age` is now first. See [#264](https://github.com/helmetjs/helmet/pull/264)

## 4.1.1 - 2020-09-10

### Changed

- Fixed a few errors in the README

## 4.1.0 - 2020-08-15

### Added

- `helmet.contentSecurityPolicy`:
  - Directive values can now include functions, as they could in Helmet 3. See [#243](https://github.com/helmetjs/helmet/issues/243)

### Changed

- Helmet should now play more nicely with TypeScript

### Removed

- The `HelmetOptions` interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see [this comment](https://github.com/helmetjs/helmet/issues/235#issuecomment-674016883)

## 4.0.0 - 2020-08-02

See the [Helmet 4 upgrade guide](https://github.com/helmetjs/helmet/wiki/Helmet-4-upgrade-guide) for help upgrading from Helmet 3.

### Added

- `helmet.contentSecurityPolicy`:
  - If no `default-src` directive is supplied, an error is thrown
  - Directive lists can be any iterable, not just arrays

### Changed

- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
- `helmet.contentSecurityPolicy`:
  - There is now a default set of directives if none are supplied
  - Duplicate keys now throw an error. See [helmetjs/csp#73](https://github.com/helmetjs/csp/issues/73)
  - This middleware is more lenient, allowing more directive names or values
- `helmet.xssFilter` now disables the buggy XSS filter by default. See [#230](https://github.com/helmetjs/helmet/issues/230)
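
The Helmet 4 CSP rules recorded in this entry and in the 4.1.0 to 4.6.0 entries above (an error when `default-src` is missing, an error on duplicate keys, any iterable or a function as a directive value, `getDefaultDirectives()`, `dangerouslyDisableDefaultSrc`, `useDefaults`) fit in one small model. The block below is an added example written for this page, not Helmet's own code: it reimplements those rules stand-alone so they can be run without installing the package. The default directive set is reproduced from memory of Helmet 4 and is not stated on this page, so treat it as an assumption and check it against `getDefaultDirectives()` in your installed version; the rule that `null` removes a default directive, the `cdn.example.com` host and the `d3fd5` nonce are likewise assumptions and constructed values.

```javascript
// Added example, not Helmet's source: a stand-alone model of Helmet 4's contentSecurityPolicy option rules.

const dangerouslyDisableDefaultSrc = Symbol("dangerouslyDisableDefaultSrc");

// ASSUMPTION: Helmet 4's default set as recalled (not on this page); confirm with getDefaultDirectives() in your version.
function getDefaultDirectives() {
  return {
    "default-src": ["'self'"],
    "base-uri": ["'self'"],
    "block-all-mixed-content": [],
    "font-src": ["'self'", "https:", "data:"],
    "frame-ancestors": ["'self'"],
    "img-src": ["'self'", "data:"],
    "object-src": ["'none'"],
    "script-src": ["'self'"],
    "script-src-attr": ["'none'"],
    "style-src": ["'self'", "https:", "'unsafe-inline'"],
    "upgrade-insecure-requests": [],
  };
}

// scriptSrc and script-src name the same directive; normalise to the dashed form.
function dashify(name) {
  return name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
}

// Reject a directive spelled twice (scriptSrc and script-src); otherwise the second spelling silently wins.
function normalizeDirectives(directives) {
  const out = {};
  for (const [rawName, value] of Object.entries(directives)) {
    const name = dashify(rawName);
    if (Object.prototype.hasOwnProperty.call(out, name)) {
      throw new Error(`Content-Security-Policy received a duplicate directive ${JSON.stringify(name)}`);
    }
    out[name] = value;
  }
  return out;
}

// Effective directives. No `directives`: the defaults. useDefaults: true: supplied directives layered over
// the defaults, null removes one (ASSUMPTION: mirrors Helmet 4.6). useDefaults: false (4.x default): only the
// supplied ones. default-src must survive unless the sentinel disables it, so a missing fallback fails at startup.
function resolveDirectives({ useDefaults = false, directives } = {}) {
  const result = useDefaults || directives === undefined ? getDefaultDirectives() : {};
  for (const [name, value] of Object.entries(normalizeDirectives(directives || {}))) {
    if (value === null) delete result[name];
    else result[name] = value;
  }
  if (!("default-src" in result)) {
    throw new Error("Content-Security-Policy needs a default-src directive; set it to " +
      "dangerouslyDisableDefaultSrc if you really want none");
  }
  if (result["default-src"] === dangerouslyDisableDefaultSrc) delete result["default-src"];
  return result;
}

// Serialise one header value; values are any iterable of strings, functions are called per request (nonces).
function buildPolicy(directives, req, res) {
  return Object.entries(directives)
    .map(([name, values]) => {
      const parts = [];
      for (const v of values) parts.push(typeof v === "function" ? v(req, res) : v);
      return parts.length ? `${name} ${parts.join(" ")}` : name;
    })
    .join(";");
}

// Express-style middleware factory on top of the pieces above.
function contentSecurityPolicy(options = {}) {
  const directives = resolveDirectives(options);
  const header = options.reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
  return function cspMiddleware(req, res, next) {
    res.setHeader(header, buildPolicy(directives, req, res));
    if (next) next();
  };
}

// Constructed stand-in for an Express response so the middleware runs offline.
function fakeResponse(locals = {}) {
  const headers = {};
  return { headers, locals, setHeader(name, value) { headers[name] = value; } };
}

// Worked case: defaults kept, one CDN (hypothetical host) allowed for scripts, style-src dropped, nonce added.
function demo() {
  const middleware = contentSecurityPolicy({
    useDefaults: true,
    directives: {
      scriptSrc: ["'self'", "https://cdn.example.com", (req, res) => `'nonce-${res.locals.nonce}'`],
      "style-src": null,
    },
  });
  const res = fakeResponse({ nonce: "d3fd5" }); // constructed; use crypto.randomBytes for real nonces
  middleware({}, res, () => {});
  return res.headers["Content-Security-Policy"];
}
console.log(demo());
```

Run it with `node` and compare the printed policy with what your real Helmet install emits for the same options; the two places this model is strictest, the missing `default-src` and the duplicate spelling, are the ones that turn a typo into an open policy, which is why both throw instead of warning.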
|

### Removed

- Dropped support for old Node versions. Node 10+ is now required
- `helmet.featurePolicy`. If you still need it, use the `feature-policy` package on npm.
- `helmet.hpkp`. If you still need it, use the `hpkp` package on npm.
- `helmet.noCache`. If you still need it, use the `nocache` package on npm.
- `helmet.contentSecurityPolicy`:
  - Removed browser sniffing (including the `browserSniff` and `disableAndroid` parameters). See [helmetjs/csp#97](https://github.com/helmetjs/csp/issues/97)
  - Removed conditional support. This includes directive functions and support for a function as the `reportOnly` option. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware)
  - Removed a lot of checks—you should be checking your CSP with a different tool
  - Removed support for legacy headers (and therefore the `setAllHeaders` parameter). [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Setting-legacy-Content-Security-Policy-headers-in-Helmet-4)
  - Removed the `loose` option
  - Removed support for functions as directive values. You must supply an iterable of strings
- `helmet.frameguard`:
  - Dropped support for the `ALLOW-FROM` action. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
- `helmet.hidePoweredBy` no longer accepts arguments. See [this article](https://github.com/helmetjs/helmet/wiki/How-to-set-a-custom-X%E2%80%93Powered%E2%80%93By-header) to see how to replicate the removed behavior. See [#224](https://github.com/helmetjs/helmet/issues/224).
- `helmet.hsts`:
  - Dropped support for `includeSubdomains` with a lowercase D. See [#231](https://github.com/helmetjs/helmet/issues/231)
  - Dropped support for `setIf`. [Read this if you need help.](https://github.com/helmetjs/helmet/wiki/Conditionally-using-middleware) See [#232](https://github.com/helmetjs/helmet/issues/232)
- `helmet.xssFilter` no longer accepts options. Read ["How to disable blocking with X-XSS-Protection"](https://github.com/helmetjs/helmet/wiki/How-to-disable-blocking-with-X%E2%80%93XSS%E2%80%93Protection) and ["How to enable the `report` directive with X-XSS-Protection"](https://github.com/helmetjs/helmet/wiki/How-to-enable-the-%60report%60-directive-with-X%E2%80%93XSS%E2%80%93Protection) if you need the legacy behavior.

## 3.23.3 - 2020-06-26

### Changed

- `helmet.expectCt` is no longer a separate package. This should have no effect on end users.
- `helmet.frameguard` is no longer a separate package. This should have no effect on end users.

## 3.23.2 - 2020-06-23

### Changed

- `helmet.dnsPrefetchControl` is no longer a separate package. This should have no effect on end users.

## 3.23.1 - 2020-06-16

### Changed

- `helmet.ieNoOpen` is no longer a separate package. This should have no effect on end users.

## 3.23.0 - 2020-06-12

### Deprecated

- `helmet.featurePolicy` is deprecated. Use the `feature-policy` module instead.

## 3.22.1 - 2020-06-10

### Changed

- Rewrote internals in TypeScript. This should have no effect on end users.

## 3.22.0 - 2020-03-24

### Changed

- Updated `helmet-csp` to v2.10.0
  - Add support for the `allow-downloads` sandbox directive. See [helmet-csp#103](https://github.com/helmetjs/csp/pull/103)

### Deprecated

- `helmet.noCache` is deprecated. Use the `nocache` module instead. See [#215](https://github.com/helmetjs/helmet/issues/215)

## 3.21.3 - 2020-02-24

### Changed

- Updated `helmet-csp` to v2.9.5
  - Updated `bowser` subdependency from 2.7.0 to 2.9.0
  - Fixed an issue some people were having when importing the `bowser` subdependency. See [helmet-csp#96](https://github.com/helmetjs/csp/issues/96) and [#101](https://github.com/helmetjs/csp/pull/101)

## 3.21.2 - 2019-10-21

### Changed

- Updated `helmet-csp` to v2.9.4
  - Updated `bowser` subdependency from 2.6.1 to 2.7.0. See [helmet-csp#94](https://github.com/helmetjs/csp/pull/94)

## 3.21.1 - 2019-09-20

### Fixed

- Updated `helmet-csp` to v2.9.2
  - Fixed a bug where a request from Firefox 4 could delete `default-src` from future responses
  - Fixed tablet PC detection by updating `bowser` subdependency to latest version

## 3.21.0 - 2019-09-04

### Added

- Updated `x-xss-protection` to v1.3.0
  - Added `mode: null` to disable `mode=block`

### Changed

- Updated `helmet-csp` to v2.9.1
  - Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://github.com/helmetjs/csp/pull/88)

## 3.20.1 - 2019-08-28

### Changed

- Updated `helmet-csp` to v2.9.0

## 3.20.0 - 2019-07-24

### Changed

- Updated `helmet-csp` to v2.8.0

## 3.19.0 - 2019-07-17

### Changed

- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0

## 3.18.0 - 2019-05-05

### Added

- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`

### Changed

- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0

## 3.17.0 - 2019-05-03

### Added

- `referrerPolicy` now supports multiple values

### Changed

- Updated `referrerPolicy` to v1.2.0

## 3.16.0 - 2019-03-10

### Added

- Add email to `bugs` field in `package.json`

### Changed

- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information

### Deprecated

- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://github.com/helmetjs/hsts/issues/22) for more
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://github.com/helmetjs/hsts/issues/21) for more

## 3.15.1 - 2019-02-10

### Deprecated

- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://github.com/helmetjs/helmet/issues/180) for more.

## 3.15.0 - 2018-11-07

### Added

- `helmet.featurePolicy` now supports four new features

## 3.14.0 - 2018-10-09

### Added

- `helmet.featurePolicy` middleware

## 3.13.0 - 2018-07-22

### Added

- `helmet.permittedCrossDomainPolicies` middleware

## 3.12.2 - 2018-07-20

### Fixed

- Removed `lodash.reduce` dependency from `csp`

## 3.12.1 - 2018-05-16

### Fixed

- `expectCt` now uses a comma instead of a semicolon as the delimiter

## 3.12.0 - 2018-03-02

### Added

- `xssFilter` now supports `reportUri` option

## 3.11.0 - 2018-02-09

### Added

- Main Helmet middleware is now named to help with debugging

## 3.10.0 - 2018-01-23

### Added

- `csp` now supports `prefix-src` directive

### Fixed

- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` now correctly disables a CSP directive

## 3.9.0 - 2017-10-13

### Added

- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive

### Changed

- Removed `connect` dependency

## 3.8.2 - 2017-09-27

### Changed

- Updated `connect` dependency to latest

## 3.8.1 - 2017-07-28

### Fixed

- `csp` no longer automatically sets `report-to` when `report-uri` is set

## 3.8.0 - 2017-07-21

### Changed

- `hsts` no longer cares whether it's HTTPS and always sets the header

## 3.7.0 - 2017-07-21

### Added

- `csp` now supports `report-to` directive

### Changed

- Throw an error when used incorrectly
- Add a few documentation files to `npmignore`

## 3.6.1 - 2017-05-21

### Changed

- Bump `connect` version

## 3.6.0 - 2017-05-04

### Added

- `expectCt` middleware for setting the `Expect-CT` header

## 3.5.0 - 2017-03-06

### Added

- `csp` now supports the `worker-src` directive

## 3.4.1 - 2017-02-24

### Changed

- Bump `connect` version

## 3.4.0 - 2017-01-13

### Added

- `csp` now supports more `sandbox` directives

## 3.3.0 - 2016-12-31

### Added

- `referrerPolicy` allows `strict-origin` and `strict-origin-when-cross-origin` directives

### Changed

- Bump `connect` version

## 3.2.0 - 2016-12-22

### Added

- `csp` now allows `manifest-src` directive

## 3.1.0 - 2016-11-03

### Added

- `csp` now allows `frame-src` directive

## 3.0.0 - 2016-10-28

### Changed

- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
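
The three `hsts` changes above (seconds, the 180-day default, subdomains on by default), together with `preload` (0.4.2) and a `max-age` of 0 (0.4.0) further down this page, are the whole of what the header carries, so they are worth checking mechanically. The block below is an added example, not Helmet's code: a builder with those defaults, and a parser plus reviewer you can point at a `Strict-Transport-Security` value captured from a real server. The preload criteria it checks (at least one year, `includeSubDomains`, `preload`) are the hstspreload.org submission requirements; the ten-year ceiling used to flag a value that was probably passed in milliseconds is a heuristic of mine, and the sample values are constructed.

```javascript
// Added example, not Helmet's source: build, parse and review Strict-Transport-Security.

const DAY = 24 * 60 * 60;
const DEFAULT_MAX_AGE_SECONDS = 180 * DAY; // 15552000, the 3.0.0 default
const ONE_YEAR = 365 * DAY;                // hstspreload.org minimum
const TEN_YEARS = 10 * ONE_YEAR;           // heuristic: larger values were probably meant as milliseconds

// max-age is in SECONDS. 0 is legal (it tells browsers to forget the host's HSTS state);
// anything that is not a non-negative integer is rejected rather than emitted as a header
// browsers would silently ignore.
function hstsHeaderValue({ maxAge = DEFAULT_MAX_AGE_SECONDS, includeSubDomains = true, preload = false } = {}) {
  if (!Number.isInteger(maxAge) || maxAge < 0) {
    throw new Error(`HSTS max-age must be a non-negative integer number of seconds, got ${maxAge}`);
  }
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push("includeSubDomains");
  if (preload) parts.push("preload");
  return parts.join("; ");
}

// Parse a value as sent by a server. Directive names are case-insensitive and max-age may be
// quoted (RFC 6797); unknown directives are ignored. Returns null when max-age is missing or
// malformed, because browsers then discard the whole header.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val = ""] = token.split("=").map((s) => s.trim());
    switch (name.toLowerCase()) {
      case "max-age": {
        const m = /^"?(\d+)"?$/.exec(val);
        if (!m) return null;
        result.maxAge = Number(m[1]);
        break;
      }
      case "includesubdomains": result.includeSubDomains = true; break;
      case "preload": result.preload = true; break;
      default: break;
    }
  }
  return result.maxAge === null ? null : result;
}

// Review a captured value: flag the seconds/milliseconds mix-up this changelog warns about
// and check the preload-list requirements. Returns the parse plus a list of findings.
function reviewHsts(value) {
  const parsed = parseHsts(value);
  if (!parsed) return { parsed, findings: ["missing or malformed max-age; browsers ignore the header"] };
  const findings = [];
  if (parsed.maxAge === 0) findings.push("max-age=0 clears HSTS state; only use it to back out of a rollout");
  else if (parsed.maxAge > TEN_YEARS) findings.push("max-age is over ten years; was it passed in milliseconds?");
  if (parsed.maxAge < ONE_YEAR) findings.push("max-age below one year; not eligible for the preload list");
  if (!parsed.includeSubDomains) findings.push("includeSubDomains missing; subdomains are unprotected and preload is impossible");
  const eligible = parsed.maxAge >= ONE_YEAR && parsed.includeSubDomains;
  if (parsed.preload && !eligible) findings.push("preload is set but the policy does not meet the preload requirements");
  return { parsed, findings };
}

// Constructed samples: Helmet 3's default output, then the milliseconds mistake the 3.0.0 entry calls out.
console.log(hstsHeaderValue());
console.log(reviewHsts(hstsHeaderValue({ maxAge: 180 * DAY * 1000 })).findings);
```

`reviewHsts` is meant to be run against `curl -sI https://host | grep -i strict-transport-security` output; a max-age that looks like milliseconds is not dangerous by itself, but it usually means the deployment was never reviewed, and a max-age below a year blocks preload submission.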
|

### Removed

- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module

## 2.3.0 - 2016-09-30

### Added

- `hpkp` middleware now supports the `includeSubDomains` property with a capital D

### Fixed

- `hpkp` was setting `includeSubdomains` instead of `includeSubDomains`

## 2.2.0 - 2016-09-16

### Added

- `referrerPolicy` middleware

## 2.1.3 - 2016-09-07

### Changed

- Top-level aliases (like `helmet.xssFilter`) are no longer dynamically required

## 2.1.2 - 2016-07-27

### Deprecated

- `nocache`'s `noEtag` option is now deprecated

### Fixed

- `csp` now better handles Firefox on mobile

## 2.1.1 - 2016-06-10

### Changed

- Remove several dependencies from `helmet-csp`

### Fixed

- `frameguard` had a documentation error about its default value
- `frameguard` docs in main Helmet readme said `frameguard`, not `helmet.frameguard`

## 2.1.0 - 2016-05-18

### Added

- `csp` lets you dynamically set `reportOnly`

## 2.0.0 - 2016-04-29

### Added

- Pass configuration to enable/disable default middlewares

### Changed

- `dnsPrefetchControl` middleware is now enabled by default

### Removed

- No more module aliases. There is now just one way to include each middleware
- `frameguard` can no longer be initialized with strings; you must use an object

### Fixed

- Make `hpkp` lowercase in documentation
- Update `hpkp` spec URL in readmes
- Update `frameguard` header name in readme

## 1.3.0 - 2016-03-01

### Added

- `hpkp` has a `setIf` option to conditionally set the header

## 1.2.0 - 2016-02-29

### Added

- `csp` now has a `browserSniff` option to disable all user-agent sniffing

### Changed

- `frameguard` can now be initialized with options
- Add `npmignore` file to speed up installs slightly

## 1.1.0 - 2016-01-12

### Added

- Code of conduct
- `dnsPrefetchControl` middleware

### Fixed

- `csp` readme had syntax errors

## 1.0.2 - 2016-01-08

### Fixed

- `csp` wouldn't recognize `IE Mobile` browsers
- `csp` had some errors in its readme
- Main readme had a syntax error

## 1.0.1 - 2015-12-19

### Fixed

- `csp` with no User Agent would cause errors

## 1.0.0 - 2015-12-18

### Added

- `csp` module supports dynamically-generated values

### Changed

- `csp` directives are now under the `directives` key
- `hpkp`'s `Report-Only` header is now opt-in, not opt-out
- Tweak readmes of every sub-repo

### Removed

- `crossdomain` middleware
- `csp` no longer throws errors when some directives aren't quoted (`'self'`, for example)
- `maxage` option in the `hpkp` middleware
- `safari5` option from `csp` module

### Fixed

- Old Firefox Content-Security-Policy behavior for `unsafe-inline` and `unsafe-eval`
- Dynamic `csp` policies are no longer recursive

## 0.15.0 - 2015-11-26

### Changed

- `hpkp` allows a `report-uri` without the `Report-Only` header

## 0.14.0 - 2015-11-01

### Added

- `nocache` now sends the `Surrogate-Control` header

### Changed

- `nocache` no longer contains the `private` directive in the `Cache-Control` header

## 0.13.0 - 2015-10-23

### Added

- `xssFilter` now has a function name
- Added new CSP docs to readme

### Changed

- HSTS option renamed from `includeSubdomains` to `includeSubDomains`

## 0.11.0 - 2015-09-18

### Added

- `csp` now supports Microsoft Edge
- CSP Level 2 support

### Changed

- Updated `connect` to 3.4.0
- Updated `depd` to 1.1.0

### Fixed

- Added `license` key to `csp`'s `package.json`
- Empty values are now accepted for every `csp` directive, not just `sandbox`

## 0.10.0 - 2015-07-08

### Added

- Add "Handling CSP violations" to `csp` readme
- Add license to `package.json`

### Changed

- `hpkp` had a link to the wrong place in its readme
- `hpkp` requires 2 or more pins

### Fixed

- `hpkp` may have miscalculated `maxAge` slightly

## 0.9.0 - 2015-04-24

### Changed

- `nocache` adds `private` to its `Cache-Control` directive
- Added a description to `package.json`

## 0.8.0 - 2015-04-21

### Changed

- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus

### Deprecated

- Deprecated `crossdomain` middleware

### Removed

- `crossdomain` is no longer a default middleware

## 0.7.1 - 2015-03-23

### Changed

- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries

## 0.7.0 - 2015-03-05

### Added

- `hpkp` middleware

### Changed

- Travis CI should test 0.10 and 0.12
- Minor code cleanup

## 0.6.2 - 2015-03-01

### Changed

- Improved `xssFilter` performance
- Updated Lodash versions

## 0.6.1 - 2015-02-13

### Added

- "Other recommended modules" in README

### Changed

- Updated Lodash version

### Fixed

- `frameguard` middleware exported a function called `xframe`

## 0.6.0 - 2015-01-21

### Added

- You can disable `csp` for Android

### Fixed

- `csp` on Chrome Mobile on Android and iOS

## 0.5.4 - 2014-12-21

### Changed

- `nocache` now forces revalidation

## 0.5.3 - 2014-12-08

### Changed

- Updated `platform` version in CSP and X-XSS-Protection

### Fixed

- Updated bad wording in frameguard docs

## 0.5.2 - 2014-11-16

### Changed

- Updated Connect version

### Fixed

- Minor `csp` bug fixes

## 0.5.1 - 2014-11-09

### Changed

- Updated URLs in `package.json` for the new URL

### Fixed

- CSP would set all headers forever after receiving an unknown user agent

## 0.5.0 - 2014-10-28

### Added

- Most middlewares have some aliases now

### Changed

- `xframe` now called `frameguard` (though `xframe` still works)
- `frameguard` chooses sameorigin by default
- `frameguard` understands "SAME-ORIGIN" in addition to "SAMEORIGIN"
- `nocache` removed from default middleware stack
- Middleware split out into their own modules
- Documentation updates
- Updated supported Node version to at least 0.10.0
- Bumped Connect version

### Removed

- Deprecation warnings

### Fixed

- Readme link was broken

## 0.4.2 - 2014-10-16

### Added

- Support preload in HSTS header

## 0.4.1 - 2014-08-24

### Added

- Use [helmet-crossdomain](https://github.com/helmetjs/crossdomain) to test the waters
- 2 spaces instead of 4 throughout the code

## 0.4.0 - 2014-07-17

### Added

- `nocache` now sets the Expires and Pragma headers
- `nocache` now allows you to crush ETags

### Changed

- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age

### Fixed

- Allow HSTS to have a max-age of 0

## 0.3.2 - 2014-06-30

### Added

- All middleware functions are named
- Throw error with non-positive HSTS max-age

### Changed

- Added semicolons in README
- Make some errors more specific

### Removed

- Removed all comment headers; refer to the readme

### Fixed

- `helmet()` was having issues
- Fixed syntax errors in README

This changelog was created after the release of 0.3.1.