18 KiB
18 KiB
Changelog
4.2.0 - 2020-11-01
Added
helmet.contentSecurityPolicy
: get the default directives withcontentSecurityPolicy.getDefaultDirectives()
Changed
helmet()
now supports objects that don't haveObject.prototype
in their chain, such asObject.create(null)
, as optionshelmet.expectCt
:max-age
is now first. See #264
4.1.1 - 2020-09-10
Changed
- Fixed a few errors in the README
4.1.0 - 2020-08-15
Added
helmet.contentSecurityPolicy
:- Directive values can now include functions, as they could in Helmet 3. See #243
Changed
- Helmet should now play more nicely with TypeScript
Removed
- The
HelmetOptions
interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment
4.0.0 - 2020-08-02
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
Added
helmet.contentSecurityPolicy
:- If no
default-src
directive is supplied, an error is thrown - Directive lists can be any iterable, not just arrays
- If no
Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
helmet.contentSecurityPolicy
:- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See helmetjs/csp#73
- This middleware is more lenient, allowing more directive names or values
helmet.xssFilter
now disables the buggy XSS filter by default. See #230
Removed
- Dropped support for old Node versions. Node 10+ is now required
helmet.featurePolicy
. If you still need it, use thefeature-policy
package on npm.helmet.hpkp
. If you still need it, use thehpkp
package on npm.helmet.noCache
. If you still need it, use thenocache
package on npm.helmet.contentSecurityPolicy
:- Removed browser sniffing (including the
browserSniff
anddisableAndroid
parameters). See helmetjs/csp#97 - Removed conditional support. This includes directive functions and support for a function as the
reportOnly
. Read this if you need help. - Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the
setAllHeaders
parameter). Read this if you need help. - Removed the
loose
option - Removed support for functions as directive values. You must supply an iterable of strings
- Removed browser sniffing (including the
helmet.frameguard
:- Dropped support for the
ALLOW-FROM
action. Read more here.
- Dropped support for the
helmet.hidePoweredBy
no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.helmet.hsts
:- Dropped support for
includeSubdomains
with a lowercase D. See #231 - Dropped support for
setIf
. Read this if you need help.. See #232
- Dropped support for
helmet.xssFilter
no longer accepts options. Read "How to disable blocking with X–XSS–Protection" and "How to enable thereport
directive with X–XSS–Protection" if you need the legacy behavior.
3.23.3 - 2020-06-26
Changed
helmet.expectCt
is no longer a separate package. This should have no effect on end users.helmet.frameguard
is no longer a separate package. This should have no effect on end users.
3.23.2 - 2020-06-23
Changed
helmet.dnsPrefetchControl
is no longer a separate package. This should have no effect on end users.
3.23.1 - 2020-06-16
Changed
helmet.ieNoOpen
is no longer a separate package. This should have no effect on end users.
3.23.0 - 2020-06-12
Deprecated
helmet.featurePolicy
is deprecated. Use thefeature-policy
module instead.
3.22.1 - 2020-06-10
Changed
- Rewrote internals in TypeScript. This should have no effect on end users.
3.22.0 - 2020-03-24
Changed
- Updated
helmet-csp
to v2.10.0- Add support for the
allow-downloads
sandbox directive. See helmet-csp#103
- Add support for the
Deprecated
helmet.noCache
is deprecated. Use thenocache
module instead. See #215
3.21.3 - 2020-02-24
Changed
- Updated
helmet-csp
to v2.9.5- Updated
bowser
subdependency from 2.7.0 to 2.9.0 - Fixed an issue some people were having when importing the
bowser
subdependency. See helmet-csp#96 and #101
- Updated
3.21.2 - 2019-10-21
Changed
- Updated
helmet-csp
to v2.9.4- Updated
bowser
subdependency from 2.6.1 to 2.7.0. See helmet-csp#94
- Updated
3.21.1 - 2019-09-20
Fixed
- Updated
helmet-csp
to v2.9.2- Fixed a bug where a request from Firefox 4 could delete
default-src
from future responses - Fixed tablet PC detection by updating
bowser
subdependency to latest version
- Fixed a bug where a request from Firefox 4 could delete
3.21.0 - 2019-09-04
Added
- Updated
x-xss-protection
to v1.3.0- Added
mode: null
to disablemode=block
- Added
Changed
- Updated
helmet-csp
to v2.9.1- Updated
bowser
subdependency from 2.5.3 to 2.5.4. See helmet-csp#88
- Updated
3.20.1 - 2019-08-28
Changed
- Updated
helmet-csp
to v2.9.0
3.20.0 - 2019-07-24
Changed
- Updated
helmet-csp
to v2.8.0
3.19.0 - 2019-07-17
Changed
- Updated
dns-prefetch-control
to v0.2.0 - Updated
dont-sniff-mimetype
to v1.1.0 - Updated
helmet-crossdomain
to v0.4.0 - Updated
hide-powered-by
to v1.1.0 - Updated
x-xss-protection
to v1.2.0
3.18.0 - 2019-05-05
Added
featurePolicy
has 19 new features:ambientLightSensor
,documentDomain
,documentWrite
,encryptedMedia
,fontDisplayLateSwap
,layoutAnimations
,legacyImageFormats
,loadingFrameDefaultEager
,oversizedImages
,pictureInPicture
,serial
,syncScript
,unoptimizedImages
,unoptimizedLosslessImages
,unoptimizedLossyImages
,unsizedMedia
,verticalScroll
,wakeLock
, andxr
Changed
- Updated
expect-ct
to v0.2.0 - Updated
feature-policy
to v0.3.0 - Updated
frameguard
to v3.1.0 - Updated
nocache
to v2.1.0
3.17.0 - 2019-05-03
Added
referrerPolicy
now supports multiple values
Changed
- Updated
referrerPolicy
to v1.2.0
3.16.0 - 2019-03-10
Added
- Add email to
bugs
field inpackage.json
Changed
- Updated
hsts
to v2.2.0 - Updated
ienoopen
to v1.1.0 - Changelog is now in the Keep A Changelog format
- Dropped support for Node <4. See the commit for more information
- Updated Adam Baldwin's contact information
Deprecated
helmet.hsts
'ssetIf
option has been deprecated and will be removed inhsts@3
. See helmetjs/hsts#22 for more
- The
includeSubdomains
option (with a lowercased
) has been deprecated and will be removed inhsts@3
. Use the uppercase-DincludeSubDomains
option instead. See helmetjs/hsts#21 for more
3.15.1 - 2019-02-10
Deprecated
- The
hpkp
middleware has been deprecated. If you still need to use this module, install the standalonehpkp
module from npm. See #180 for more.
3.15.0 - 2018-11-07
Added
helmet.featurePolicy
now supports four new features
3.14.0 - 2018-10-09
Added
helmet.featurePolicy
middleware
3.13.0 - 2018-07-22
Added
helmet.permittedCrossDomainPolicies
middleware
3.12.2 - 2018-07-20
Fixed
- Removed
lodash.reduce
dependency fromcsp
3.12.1 - 2018-05-16
Fixed
expectCt
should use comma instead of semicolon as delimiter
3.12.0 - 2018-03-02
Added
xssFilter
now supportsreportUri
option
3.11.0 - 2018-02-09
Added
- Main Helmet middleware is now named to help with debugging
3.10.0 - 2018-01-23
Added
csp
now supportsprefix-src
directive
Fixed
csp
no longer loads JSON files internally, helping some module bundlersfalse
should be able to disable a CSP directive
3.9.0 - 2017-10-13
Added
csp
now supportsstrict-dynamic
valuecsp
now supportsrequire-sri-for
directive
Changed
- Removed
connect
dependency
3.8.2 - 2017-09-27
Changed
- Updated
connect
dependency to latest
3.8.1 - 2017-07-28
Fixed
csp
does not automatically setreport-to
when settingreport-uri
3.8.0 - 2017-07-21
Changed
hsts
no longer cares whether it's HTTPS and always sets the header
3.7.0 - 2017-07-21
Added
csp
now supportsreport-to
directive
Changed
- Throw an error when used incorrectly
- Add a few documentation files to
npmignore
3.6.1 - 2017-05-21
Changed
- Bump
connect
version
3.6.0 - 2017-05-04
Added
expectCt
middleware for setting theExpect-CT
header
3.5.0 - 2017-03-06
Added
csp
now supports theworker-src
directive
3.4.1 - 2017-02-24
Changed
- Bump
connect
version
3.4.0 - 2017-01-13
Added
csp
now supports moresandbox
directives
3.3.0 - 2016-12-31
Added
referrerPolicy
allowsstrict-origin
andstrict-origin-when-cross-origin
directives
Changed
- Bump
connect
version
3.2.0 - 2016-12-22
Added
csp
now allowsmanifest-src
directive
3.1.0 - 2016-11-03
Added
csp
now allowsframe-src
directive
3.0.0 - 2016-10-28
Changed
csp
will check your directives for common mistakes and throw errors if it finds them. This can be disabled withloose: true
.- Empty arrays are no longer allowed in
csp
. For source lists (likescript-src
orobject-src
), use the standardscriptSrc: ["'none'"]
. Thesandbox
directive can besandbox: true
to block everything. false
can disable a CSP directive. For example,scriptSrc: false
is the same as not specifying it.- In CSP,
reportOnly: true
no longer requires areport-uri
to be set. hsts
'smaxAge
now defaults to 180 days (instead of 1 day)hsts
'smaxAge
parameter is seconds, not millisecondshsts
includes subdomains by defaultdomain
parameter inframeguard
cannot be empty
Removed
noEtag
option no longer present innoCache
- iOS Chrome
connect-src
workaround in CSP module
2.3.0 - 2016-09-30
Added
hpkp
middleware now supports theincludeSubDomains
property with a capital D
Fixed
hpkp
was settingincludeSubdomains
instead ofincludeSubDomains
2.2.0 - 2016-09-16
Added
referrerPolicy
middleware
2.1.3 - 2016-09-07
Changed
- Top-level aliases (like
helmet.xssFilter
) are no longer dynamically required
2.1.2 - 2016-07-27
Deprecated
nocache
'snoEtag
option is now deprecated
Fixed
csp
now better handles Firefox on mobile
2.1.1 - 2016-06-10
Changed
- Remove several dependencies from
helmet-csp
Fixed
frameguard
had a documentation error about its default valueframeguard
docs in main Helmet readme saidframeguard
, nothelmet.frameguard
2.1.0 - 2016-05-18
Added
csp
lets you dynamically setreportOnly
2.0.0 - 2016-04-29
Added
- Pass configuration to enable/disable default middlewares
Changed
dnsPrefetchControl
middleware is now enabled by default
Removed
- No more module aliases. There is now just one way to include each middleware
frameguard
can no longer be initialized with strings; you must use an object
Fixed
- Make
hpkp
lowercase in documentation - Update
hpkp
spec URL in readmes - Update
frameguard
header name in readme
1.3.0 - 2016-03-01
Added
hpkp
has asetIf
option to conditionally set the header
1.2.0 - 2016-02-29
Added
csp
now has abrowserSniff
option to disable all user-agent sniffing
Changed
frameguard
can now be initialized with options- Add
npmignore
file to speed up installs slightly
1.1.0 - 2016-01-12
Added
- Code of conduct
dnsPrefetchControl
middleware
Fixed
csp
readme had syntax errors
1.0.2 - 2016-01-08
Fixed
csp
wouldn't recognizeIE Mobile
browserscsp
had some errors in its readme- Main readme had a syntax error
1.0.1 - 2015-12-19
Fixed
csp
with no User Agent would cause errors
1.0.0 - 2015-12-18
Added
csp
module supports dynamically-generated values
Changed
csp
directives are now under thedirectives
keyhpkp
'sReport-Only
header is now opt-in, not opt-out- Tweak readmes of every sub-repo
Removed
crossdomain
middlewarecsp
no longer throws errors when some directives aren't quoted ('self'
, for example)maxage
option in thehpkp
middlewaresafari5
option fromcsp
module
Fixed
- Old Firefox Content-Security-Policy behavior for
unsafe-inline
andunsafe-eval
- Dynamic
csp
policies is no longer recursive
0.15.0 - 2015-11-26
Changed
hpkp
allows areport-uri
without theReport-Only
header
0.14.0 - 2015-11-01
Added
nocache
now sends theSurrogate-Control
header
Changed
nocache
no longer contains theprivate
directive in theCache-Control
header
0.13.0 - 2015-10-23
Added
xssFilter
now has a function name- Added new CSP docs to readme
Changed
- HSTS option renamed from
includeSubdomains
toincludeSubDomains
0.11.0 - 2015-09-18
Added
csp
now supports Microsoft Edge- CSP Level 2 support
Changed
- Updated
connect
to 3.4.0 - Updated
depd
to 1.1.0
Fixed
- Added
license
key tocsp
'spackage.json
- Empty
csp
directives now support every directive, not justsandbox
0.10.0 - 2015-07-08
Added
- Add "Handling CSP violations" to
csp
readme - Add license to
package.json
Changed
hpkp
had a link to the wrong place in its readmehpkp
requires 2 or more pins
Fixed
hpkp
might have miscalculatedmaxAge
slightly wrong
0.9.0 - 2015-04-24
Changed
nocache
addsprivate
to itsCache-Control
directive- Added a description to
package.json
0.8.0 - 2015-04-21
Changed
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
Deprecated
- Deprecated
crossdomain
middleware
Removed
crossdomain
is no longer a default middleware
0.7.1 - 2015-03-23
Changed
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
0.7.0 - 2015-03-05
Added
hpkp
middleware
Changed
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
0.6.2 - 2015-03-01
Changed
- Improved
xssFilter
performance - Updated Lodash versions
0.6.1 - 2015-02-13
Added
- "Other recommended modules" in README
Changed
- Updated Lodash version
Fixed
frameguard
middleware exported a function calledxframe
0.6.0 - 2015-01-21
Added
- You can disable
csp
for Android
Fixed
csp
on Chrome Mobile on Android and iOS
0.5.4 - 2014-12-21
Changed
nocache
should force revalidation
0.5.3 - 2014-12-08
Changed
platform
version in CSP and X-XSS-Protection
Fixed
- Updated bad wording in frameguard docs
0.5.2 - 2014-11-16
Changed
- Updated Connect version
Fixed
- Fixed minor
csp
bugfixes
0.5.1 - 2014-11-09
Changed
- Updated URLs in
package.json
for new URL
Fixed
- CSP would set all headers forever after receiving an unknown user agent
0.5.0 - 2014-10-28
Added
- Most middlewares have some aliases now
Changed
xframe
now calledframeguard
(thoughxframe
still works)frameguard
chooses sameorigin by defaultframeguard
understands "SAME-ORIGIN" in addition to "SAMEORIGIN"nocache
removed from default middleware stack- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
Removed
- Deprecation warnings
Fixed
- Readme link was broken
0.4.2 - 2014-10-16
Added
- Support preload in HSTS header
0.4.1 - 2014-08-24
Added
- Use helmet-crossdomain to test the waters
- 2 spaces instead of 4 throughout the code
0.4.0 - 2014-07-17
Added
nocache
now sets the Expires and Pragma headersnocache
now allows you to crush ETags
Changed
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
Fixed
- Allow HSTS to have a max-age of 0
0.3.2 - 2014-06-30
Added
- All middleware functions are named
- Throw error with non-positive HSTS max-age
Changed
- Added semicolons in README
- Make some Errors more specific
Removed
- Removed all comment headers; refer to the readme
Fixed
helmet()
was having issues- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.