helmet-csp - npm Package Versions

4.0.0 - 2020-08-02

See the Helmet 4 upgrade guide for help upgrading from Helmet 3.

Added

• helmet.contentSecurityPolicy:
  • If no default-src directive is supplied, an error is thrown
  • Directive lists can be any iterable, not just arrays

Changed

• This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
• helmet.contentSecurityPolicy:
  • There is now a default set of directives if none are supplied
  • Duplicate keys now throw an error. See helmetjs/csp#73
  • This middleware is more lenient, allowing more directive names or values
• helmet.xssFilter now disables the buggy XSS filter by default. See #230

Removed

• Dropped support for old Node versions. Node 10+ is now required
• helmet.featurePolicy. If you still need it, use the feature-policy package on npm.
• helmet.hpkp. If you still need it, use the hpkp package on npm.
• helmet.noCache. If you still need it, use the nocache package on npm.
• helmet.contentSecurityPolicy:
  • Removed browser sniffing (including the browserSniff and disableAndroid parameters). See helmetjs/csp#97
  • Removed conditional support. This includes directive functions and support for a function as the reportOnly. Read this if you need help.
  • Removed a lot of checks—you should be checking your CSP with a different tool
  • Removed support for legacy headers (and therefore the setAllHeaders parameter). Read this if you need help.
  • Removed the loose option
  • Removed support for functions as directive values. You must supply an iterable of strings
• helmet.frameguard:
  • Dropped support for the ALLOW-FROM action. Read more here.
• helmet.hidePoweredBy no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.
• helmet.hsts:
  • Dropped support for includeSubdomains with a lowercase D. See #231
  • Dropped support for setIf. Read this if you need help. See #232
• helmet.xssFilter no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable the report directive with X-XSS-Protection" if you need the legacy behavior.

3.4.0 - 2017-01-13

Added

• csp now supports more sandbox directives

3.3.0 - 2016-12-31

Added

• referrerPolicy allows strict-origin and strict-origin-when-cross-origin directives

Changed

• Bump connect version

3.2.0 - 2016-12-22

Added

• csp now allows manifest-src directive

3.1.0 - 2016-11-03

Added

• csp now allows frame-src directive

3.0.0 - 2016-10-28

Changed

• csp will check your directives for common mistakes and throw errors if it finds them. This can be disabled with loose: true.
• Empty arrays are no longer allowed in csp. For source lists (like script-src or object-src), use the standard scriptSrc: ["'none'"]. The sandbox directive can be sandbox: true to block everything.
• false can disable a CSP directive. For example, scriptSrc: false is the same as not specifying it.
• In CSP, reportOnly: true no longer requires a report-uri to be set.
• hsts's maxAge now defaults to 180 days (instead of 1 day)
• hsts's maxAge parameter is seconds, not milliseconds
• hsts includes subdomains by default
• domain parameter in frameguard cannot be empty

Removed

• noEtag option no longer present in noCache
• iOS Chrome connect-src workaround in CSP module