Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

frameguard

Package Overview
Dependencies
Maintainers
1
Versions
10
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

frameguard - npm Package Versions

4.0.0

Diff

Changelog

Source

4.0.0 - 2020-08-02

See the Helmet 4 upgrade guide for help upgrading from Helmet 3.

Added

  • helmet.contentSecurityPolicy:
    • If no default-src directive is supplied, an error is thrown
    • Directive lists can be any iterable, not just arrays

Changed

  • This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
  • helmet.contentSecurityPolicy:
    • There is now a default set of directives if none are supplied
    • Duplicate keys now throw an error. See helmetjs/csp#73
    • This middleware is more lenient, allowing more directive names or values
  • helmet.xssFilter now disables the buggy XSS filter by default. See #230

Removed

  • Dropped support for old Node versions. Node 10+ is now required
  • helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
  • helmet.hpkp. If you still need it, use the hpkp package on npm.
  • helmet.noCache. If you still need it, use the nocache package on npm.
  • helmet.contentSecurityPolicy:
    • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See helmetjs/csp#97
    • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
    • Removed a lot of checks—you should be checking your CSP with a different tool
    • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
    • Removed the loose option
    • Removed support for functions as directive values. You must supply an iterable of strings
  • helmet.frameguard:
  • helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
  • helmet.hsts:
  • helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.
evanhahn
published 3.1.0 •

Changelog

Source

3.1.0 - 2016-11-03

Added

  • csp now allows frame-src directive
evanhahn
published 3.0.0 •

Changelog

Source

3.0.0 - 2016-10-28

Changed

  • csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
  • Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
  • false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
  • In CSP, reportOnly: true no longer requires a report-uri to be set.
  • hsts's maxAge now defaults to 180 days (instead of 1 day)
  • hsts's maxAge parameter is seconds, not milliseconds
  • hsts includes subdomains by default
  • domain parameter in frameguard cannot be empty

Removed

  • noEtag option no longer present in noCache
  • iOS Chrome connect-src workaround in CSP module
evanhahn
published 2.0.0 •

Changelog

Source

2.0.0 - 2016-04-29

Added

  • Pass configuration to enable/disable default middlewares

Changed

  • dnsPrefetchControl middleware is now enabled by default

Removed

  • No more module aliases. There is now just one way to include each middleware
  • frameguard can no longer be initialized with strings; you must use an object

Fixed

  • Make hpkp lowercase in documentation
  • Update hpkp spec URL in readmes
  • Update frameguard header name in readme
evanhahn
published 1.1.0 •

Changelog

Source

1.1.0 - 2016-01-12

Added

  • Code of conduct
  • dnsPrefetchControl middleware

Fixed

  • csp readme had syntax errors
evanhahn
published 1.0.0 •

Changelog

Source

1.0.0 - 2015-12-18

Added

  • csp module supports dynamically-generated values

Changed

  • csp directives are now under the directives key
  • hpkp's Report-Only header is now opt-in, not opt-out
  • Tweak readmes of every sub-repo

Removed

  • crossdomain middleware
  • csp no longer throws errors when some directives aren't quoted ('self', for example)
  • maxage option in the hpkp middleware
  • safari5 option from csp module

Fixed

  • Old Firefox Content-Security-Policy behavior for unsafe-inline and unsafe-eval
  • Dynamic csp policies is no longer recursive
evanhahn
published 0.2.2 •

evanhahn
published 0.2.1 •

evanhahn
published 0.2.0 •

evanhahn
published 0.1.0 •

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc