frameguard
Advanced tools
Changelog
4.0.0 - 2020-08-02
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
Added
helmet.contentSecurityPolicy:- If no
default-srcdirective is supplied, an error is thrown - Directive lists can be any iterable, not just arrays
- If no
Changed
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
helmet.contentSecurityPolicy:- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See helmetjs/csp#73
- This middleware is more lenient, allowing more directive names or values
helmet.xssFilternow disables the buggy XSS filter by default. See #230
Removed
- Dropped support for old Node versions. Node 10+ is now required
helmet.featurePolicy. If you still need it, use thefeature-policypackage on npm.helmet.hpkp. If you still need it, use thehpkppackage on npm.helmet.noCache. If you still need it, use thenocachepackage on npm.helmet.contentSecurityPolicy:- Removed browser sniffing (including the
browserSniffanddisableAndroidparameters). See helmetjs/csp#97 - Removed conditional support. This includes directive functions and support for a function as the
reportOnly. Read this if you need help. - Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the
setAllHeadersparameter). Read this if you need help. - Removed the
looseoption - Removed support for functions as directive values. You must supply an iterable of strings
- Removed browser sniffing (including the
helmet.frameguard:- Dropped support for the
ALLOW-FROMaction. Read more here.
- Dropped support for the
helmet.hidePoweredByno longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.helmet.hsts:- Dropped support for
includeSubdomainswith a lowercase D. See #231 - Dropped support for
setIf. Read this if you need help. See #232
- Dropped support for
helmet.xssFilterno longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable thereportdirective with X-XSS-Protection" if you need the legacy behavior.
Changelog
3.0.0 - 2016-10-28
Changed
cspwill check your directives for common mistakes and throw errors if it finds them. This can be disabled withloose: true.- Empty arrays are no longer allowed in
csp. For source lists (likescript-srcorobject-src), use the standardscriptSrc: ["'none'"]. Thesandboxdirective can besandbox: trueto block everything. falsecan disable a CSP directive. For example,scriptSrc: falseis the same as not specifying it.- In CSP,
reportOnly: trueno longer requires areport-urito be set. hsts'smaxAgenow defaults to 180 days (instead of 1 day)hsts'smaxAgeparameter is seconds, not millisecondshstsincludes subdomains by defaultdomainparameter inframeguardcannot be empty
Removed
noEtagoption no longer present innoCache- iOS Chrome
connect-srcworkaround in CSP module
Changelog
2.0.0 - 2016-04-29
Added
- Pass configuration to enable/disable default middlewares
Changed
dnsPrefetchControlmiddleware is now enabled by default
Removed
- No more module aliases. There is now just one way to include each middleware
frameguardcan no longer be initialized with strings; you must use an object
Fixed
- Make
hpkplowercase in documentation - Update
hpkpspec URL in readmes - Update
frameguardheader name in readme
Changelog
1.1.0 - 2016-01-12
Added
- Code of conduct
dnsPrefetchControlmiddleware
Fixed
cspreadme had syntax errors
Changelog
1.0.0 - 2015-12-18
Added
cspmodule supports dynamically-generated values
Changed
cspdirectives are now under thedirectiveskeyhpkp'sReport-Onlyheader is now opt-in, not opt-out- Tweak readmes of every sub-repo
Removed
crossdomainmiddlewarecspno longer throws errors when some directives aren't quoted ('self', for example)maxageoption in thehpkpmiddlewaresafari5option fromcspmodule
Fixed
- Old Firefox Content-Security-Policy behavior for
unsafe-inlineandunsafe-eval - Dynamic
csppolicies is no longer recursive