helmet - npm Package Versions

6.0.0 - 2022-08-26

Changed

• Breaking: helmet.contentSecurityPolicy no longer sets block-all-mixed-content directive by default
• Breaking: helmet.expectCt is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310
• Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
• helmet.frameguard no longer offers a specific error when trying to use ALLOW-FROM; it just says that it is unsupported. Only the error message has changed

Removed

• Breaking: Dropped support for Node 12 and 13. Node 14+ is now required

5.1.1 - 2022-07-23

Changed

• Fix TypeScript bug with some TypeScript configurations. See #375 and #359

5.1.0 - 2022-05-17

Added

• Cross-Origin-Embedder-Policy: support credentialless policy. See #365
• Documented how to set both Content-Security-Policy and Content-Security-Policy-Report-Only

Changed

• Cleaned up some documentation around Origin-Agent-Cluster

5.0.2 - 2022-01-22

Changed

• Improve imports for CommonJS and ECMAScript modules. See #345
• Fixed some documentation

5.0.1 - 2022-01-03

Changed

• Fixed some documentation

Removed

• Removed some unused internal code

5.0.0 - 2022-01-02

Added

• ECMAScript module imports (i.e., import helmet from "helmet" and import { frameguard } from "helmet"). See #320

Changed

• Breaking: helmet.contentSecurityPolicy: useDefaults option now defaults to true
• Breaking: helmet.contentSecurityPolicy: form-action directive is now set to 'self' by default
• Breaking: helmet.crossOriginEmbedderPolicy is enabled by default
• Breaking: helmet.crossOriginOpenerPolicy is enabled by default
• Breaking: helmet.crossOriginResourcePolicy is enabled by default
• Breaking: helmet.originAgentCluster is enabled by default
• helmet.frameguard: add TypeScript editor autocomplete. See #322
• Top-level helmet() function is slightly faster

Removed

• Breaking: Drop support for Node 10 and 11. Node 12+ is now required

4.6.0 - 2021-05-01

Added

• helmet.contentSecurityPolicy: the useDefaults option, defaulting to false, lets you selectively override defaults more easily
• Explicitly define TypeScript types in package.json. See #303

4.5.0 - 2021-04-17

Added

• helmet.crossOriginEmbedderPolicy: a new middleware for the Cross-Origin-Embedder-Policy header, disabled by default
• helmet.crossOriginOpenerPolicy: a new middleware for the Cross-Origin-Opener-Policy header, disabled by default
• helmet.crossOriginResourcePolicy: a new middleware for the Cross-Origin-Resource-Policy header, disabled by default

Changed

• true enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.
• Log a warning when passing options to originAgentCluster at the top level

Fixed

• Incorrect documentation