CHANGELOG.md
11.2 KB
Changelog
3.18.0 - 2019-05-05
Added
-
featurePolicy
has 19 new features:ambientLightSensor
,documentDomain
,documentWrite
,encryptedMedia
,fontDisplayLateSwap
,layoutAnimations
,legacyImageFormats
,loadingFrameDefaultEager
,oversizedImages
,pictureInPicture
,serial
,syncScript
,unoptimizedImages
,unoptimizedLosslessImages
,unoptimizedLossyImages
,unsizedMedia
,verticalScroll
,wakeLock
, andxr
Changed
- Updated
expect-ct
to v0.2.0 - Updated
feature-policy
to v0.3.0 - Updated
frameguard
to v3.1.0 - Updated
nocache
to v2.1.0
3.17.0 - 2019-05-03
Added
-
referrerPolicy
now supports multiple values
Changed
- Updated
referrerPolicy
to v1.2.0
3.16.0 - 2019-03-10
Added
- Add email to
bugs
field inpackage.json
Changed
- Updated
hsts
to v2.2.0 - Updated
ienoopen
to v1.1.0 - Changelog is now in the Keep A Changelog format
- Dropped support for Node <4. See the commit for more information
- Updated Adam Baldwin's contact information
Deprecated
-
helmet.hsts
'ssetIf
option has been deprecated and will be removed inhsts@3
. See helmetjs/hsts#22 for more - The
includeSubdomains
option (with a lowercased
) has been deprecated and will be removed inhsts@3
. Use the uppercase-DincludeSubDomains
option instead. See helmetjs/hsts#21 for more
3.15.1 - 2019-02-10
Deprecated
- The
hpkp
middleware has been deprecated. If you still need to use this module, install the standalonehpkp
module from npm. See #180 for more.
3.15.0 - 2018-11-07
Added
-
helmet.featurePolicy
now supports four new features
3.14.0 - 2018-10-09
Added
-
helmet.featurePolicy
middleware
3.13.0 - 2018-07-22
Added
-
helmet.permittedCrossDomainPolicies
middleware
3.12.2 - 2018-07-20
Fixed
- Removed
lodash.reduce
dependency fromcsp
3.12.1 - 2018-05-16
Fixed
-
expectCt
should use comma instead of semicolon as delimiter
3.12.0 - 2018-03-02
Added
-
xssFilter
now supportsreportUri
option
3.11.0 - 2018-02-09
Added
- Main Helmet middleware is now named to help with debugging
3.10.0 - 2018-01-23
Added
-
csp
now supportsprefix-src
directive
Fixed
-
csp
no longer loads JSON files internally, helping some module bundlers -
false
should be able to disable a CSP directive
3.9.0 - 2017-10-13
Added
-
csp
now supportsstrict-dynamic
value -
csp
now supportsrequire-sri-for
directive
Changed
- Removed
connect
dependency
3.8.2 - 2017-09-27
Changed
- Updated
connect
dependency to latest
3.8.1 - 2017-07-28
Fixed
-
csp
does not automatically setreport-to
when settingreport-uri
3.8.0 - 2017-07-21
Changed
-
hsts
no longer cares whether it's HTTPS and always sets the header
3.7.0 - 2017-07-21
Added
-
csp
now supportsreport-to
directive
Changed
- Throw an error when used incorrectly
- Add a few documentation files to
npmignore
3.6.1 - 2017-05-21
Changed
- Bump
connect
version
3.6.0 - 2017-05-04
Added
-
expectCt
middleware for setting theExpect-CT
header
3.5.0 - 2017-03-06
Added
-
csp
now supports theworker-src
directive
3.4.1 - 2017-02-24
Changed
- Bump
connect
version
3.4.0 - 2017-01-13
Added
-
csp
now supports moresandbox
directives
3.3.0 - 2016-12-31
Added
-
referrerPolicy
allowsstrict-origin
andstrict-origin-when-cross-origin
directives
Changed
- Bump
connect
version
3.2.0 - 2016-12-22
Added
-
csp
now allowsmanifest-src
directive
3.1.0 - 2016-11-03
Added
-
csp
now allowsframe-src
directive
3.0.0 - 2016-10-28
Changed
-
csp
will check your directives for common mistakes and throw errors if it finds them. This can be disabled withloose: true
. - Empty arrays are no longer allowed in
csp
. For source lists (likescript-src
orobject-src
), use the standardscriptSrc: ["'none'"]
. Thesandbox
directive can besandbox: true
to block everything. -
false
can disable a CSP directive. For example,scriptSrc: false
is the same as not specifying it. - In CSP,
reportOnly: true
no longer requires areport-uri
to be set. -
hsts
'smaxAge
now defaults to 180 days (instead of 1 day) -
hsts
'smaxAge
parameter is seconds, not milliseconds -
hsts
includes subdomains by default -
domain
parameter inframeguard
cannot be empty
Removed
-
noEtag
option no longer present innoCache
- iOS Chrome
connect-src
workaround in CSP module
2.3.0 - 2016-09-30
Added
-
hpkp
middleware now supports theincludeSubDomains
property with a capital D
Fixed
-
hpkp
was settingincludeSubdomains
instead ofincludeSubDomains
2.2.0 - 2016-09-16
Added
-
referrerPolicy
middleware
2.1.3 - 2016-09-07
Changed
- Top-level aliases (like
helmet.xssFilter
) are no longer dynamically required
2.1.2 - 2016-07-27
Deprecated
-
nocache
'snoEtag
option is now deprecated
Fixed
-
csp
now better handles Firefox on mobile
2.1.1 - 2016-06-10
Changed
- Remove several dependencies from
helmet-csp
Fixed
-
frameguard
had a documentation error about its default value -
frameguard
docs in main Helmet readme saidframeguard
, nothelmet.frameguard
2.1.0 - 2016-05-18
Added
-
csp
lets you dynamically setreportOnly
2.0.0 - 2016-04-29
Added
- Pass configuration to enable/disable default middlewares
Changed
-
dnsPrefetchControl
middleware is now enabled by default
Removed
- No more module aliases. There is now just one way to include each middleware
-
frameguard
can no longer be initialized with strings; you must use an object
Fixed
- Make
hpkp
lowercase in documentation - Update
hpkp
spec URL in readmes - Update
frameguard
header name in readme
1.3.0 - 2016-03-01
Added
-
hpkp
has asetIf
option to conditionally set the header
1.2.0 - 2016-02-29
Added
-
csp
now has abrowserSniff
option to disable all user-agent sniffing
Changed
-
frameguard
can now be initialized with options - Add
npmignore
file to speed up installs slightly
1.1.0 - 2016-01-12
Added
- Code of conduct
-
dnsPrefetchControl
middleware
Fixed
-
csp
readme had syntax errors
1.0.2 - 2016-01-08
Fixed
-
csp
wouldn't recognizeIE Mobile
browsers -
csp
had some errors in its readme - Main readme had a syntax error
1.0.1 - 2015-12-19
Fixed
-
csp
with no User Agent would cause errors
1.0.0 - 2015-12-18
Added
-
csp
module supports dynamically-generated values
Changed
-
csp
directives are now under thedirectives
key -
hpkp
'sReport-Only
header is now opt-in, not opt-out - Tweak readmes of every sub-repo
Removed
-
crossdomain
middleware -
csp
no longer throws errors when some directives aren't quoted ('self'
, for example) -
maxage
option in thehpkp
middleware -
safari5
option fromcsp
module
Fixed
- Old Firefox Content-Security-Policy behavior for
unsafe-inline
andunsafe-eval
- Dynamic
csp
policies is no longer recursive
0.15.0 - 2015-11-26
Changed
-
hpkp
allows areport-uri
without theReport-Only
header
0.14.0 - 2015-11-01
Added
-
nocache
now sends theSurrogate-Control
header
Changed
-
nocache
no longer contains theprivate
directive in theCache-Control
header
0.13.0 - 2015-10-23
Added
-
xssFilter
now has a function name - Added new CSP docs to readme
Changed
- HSTS option renamed from
includeSubdomains
toincludeSubDomains
0.11.0 - 2015-09-18
Added
-
csp
now supports Microsoft Edge - CSP Level 2 support
Changed
- Updated
connect
to 3.4.0 - Updated
depd
to 1.1.0
Fixed
- Added
license
key tocsp
'spackage.json
- Empty
csp
directives now support every directive, not justsandbox
0.10.0 - 2015-07-08
Added
- Add "Handling CSP violations" to
csp
readme - Add license to
package.json
Changed
-
hpkp
had a link to the wrong place in its readme -
hpkp
requires 2 or more pins
Fixed
-
hpkp
might have miscalculatedmaxAge
slightly wrong
0.9.0 - 2015-04-24
Changed
-
nocache
addsprivate
to itsCache-Control
directive - Added a description to
package.json
0.8.0 - 2015-04-21
Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
Deprecated
- Deprecated
crossdomain
middleware
Removed
-
crossdomain
is no longer a default middleware
0.7.1 - 2015-03-23
Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
0.7.0 - 2015-03-05
Added
-
hpkp
middleware
Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
0.6.2 - 2015-03-01
Changed
- Improved
xssFilter
performance - Updated Lodash versions
0.6.1 - 2015-02-13
Added
- "Other recommended modules" in README
Changed
- Updated Lodash version
Fixed
-
frameguard
middleware exported a function calledxframe
0.6.0 - 2015-01-21
Added
- You can disable
csp
for Android
Fixed
-
csp
on Chrome Mobile on Android and iOS
0.5.4 - 2014-12-21
Changed
-
nocache
should force revalidation
0.5.3 - 2014-12-08
Changed
-
platform
version in CSP and X-XSS-Protection
Fixed
- Updated bad wording in frameguard docs
0.5.2 - 2014-11-16
Changed
- Updated Connect version
Fixed
- Fixed minor
csp
bugfixes
0.5.1 - 2014-11-09
Changed
- Updated URLs in
package.json
for new URL
Fixed
- CSP would set all headers forever after receiving an unknown user agent
0.5.0 - 2014-10-28
Added
- Most middlewares have some aliases now
Changed
-
xframe
now calledframeguard
(thoughxframe
still works) -
frameguard
chooses sameorigin by default -
frameguard
understands "SAME-ORIGIN" in addition to "SAMEORIGIN" -
nocache
removed from default middleware stack - Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
Removed
- Deprecation warnings
Fixed
- Readme link was broken
0.4.2 - 2014-10-16
Added
- Support preload in HSTS header
0.4.1 - 2014-08-24
Added
- Use helmet-crossdomain to test the waters
- 2 spaces instead of 4 throughout the code
0.4.0 - 2014-07-17
Added
-
nocache
now sets the Expires and Pragma headers -
nocache
now allows you to crush ETags
Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
Fixed
- Allow HSTS to have a max-age of 0
0.3.2 - 2014-06-30
Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
Changed
- Added semicolons in README
- Make some Errors more specific
Removed
- Removed all comment headers; refer to the readme
Fixed
-
helmet()
was having issues - Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.