- Added `ExternalRedirectResponse` (#331)
- Added support for cookies with null value (#338)
- Filter `view-source` reports
- Fixed overriding CSP header
- Dropped support for Symfony < 5.4
- Added support for Symfony 7
- Bump minimal PHP version to 7.4
- Dropped support for Symfony < 4.4
- Dropped support for Twig 1
- Removed `DoctrineCacheUAFamilyParser` (use `PsrCacheUAFamilyParser` instead)
- All classes have been marked as `final`
- Renamed `WhitelistBasedTargetValidator` class to `AllowListBasedTargetValidator`
- Removed `CookieSessionHandler`
- Allowed to define host restriction for clickjacking protection
- Filter moz-extension reports
- Log user agent along with CSP report
- Deprecated external_redirects.whitelist option in favor of external_redirects.allow_list
- Deprecated forced_ssl.whitelist option in favor of forced_ssl.allow_list
- Deprecated `Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\Event` class in favor of `Nelmio\SecurityBundle\ContentSecurityPolicy\Violation\ReportEvent`.
- Added support for CSP "prefetch-src" directive
- Added support for CSP "wasm-unsafe-eval" keyword
- Added support for Symfony 6
- Fixed deprecation warnings when using PHP 8.1
- Fix Symfony 5 compatibility issues
- Fix dependencies (allow installing on PHP 8 and explicitly require symfony/yaml)
- Fix ContentSecurityPolicyController
- Ensure compatibility with Symfony EventDispatcher 5.x
- Ensure passing the correct type to UAParser::parse
- Use Symfony DI Reference instead of Definition
- Optimize regular expressions in the sha computer
- Show non-deprecated usage of the csp_nonce Twig function
- Symfony 5 compatibility added
- Bump minimal Twig version to 1.38.0
- Fixed deprecated/invalid method usage on logger interface
- Drop tests for PHP 5.4
- Use base64 for encoding nonces
- Support more CSP level 3 keywords
- Allow configuring a report URI for XSS
- Support random_compat v9.99.99
- Don't ship unneeded files for composer installs
- Change controller action reference
- Add worker-src directive
- Fix deprecation for symfony/config 4.2+
- Abort CSP compiler pass when CSP is not enabled
- Allows matching the query parameter for clickjacking protection
- Cleanup content type restrictable listener
- Added Symfony 4 support
- Added support for 'worker-src' CSP directive
- Removed PHP 5.3 support guarantees
- Fix CSP noise filter compiler pass registration
- Deprecate calling ContentSecurityPolicyListener::getNonce without usage ('script' or 'style')
- Added `forced_ssl > redirect_status_code` option to allow switching to permanent redirect (301) responses
- Fixed HSTS header being sent even in non-secure responses unnecessarily
- Fixed URLs with whitespace prefix not being seen as external redirects
- Fix arguments for Twig extension
- Add support for script-src 'strict-dynamic' (see https://w3c.github.io/webappsec-csp/#strict-dynamic-usage)
- Improve CSP filtering
- Remove Twig extension compiler pass in favor of tag
- Use symfony/phpunit-bridge for testing on CI
- Fix exceptions thrown by Report::fromRequest
- Improve CSP filtering
- Improve CSP filtering
- Fix injected script noise detector loading
- Fix dependency on UAParser
- Add CSP report filter
- Fix Twig 2 support
- Add support for Referrer Policy
- Content-Security-Policy header can now be disabled
- Fix encrypter deprecation
- Run the test suite on PHP 7.1
- Run the test suite with lowest dependencies
- Enable manifest-src directive for Chrome, Opera and Firefox
- Fix deprecation warning with latest Twig 1.x
- Fix typo in the ALLOW-FROM implementation
- Update browser_adaptive configuration. Allow custom adapters
- Add Doctrine Cache and Psr Cache adapters for caching UA family parser
- Fix CookieSessionHandler::open that should return true unless there's an error
- Add support for Content-Security-Policy Level 2 directives
- Add support for Content-Security-Policy Level 2 signatures (nonce and message digest)
- Add browser adaptive directives - do not send directives not supported by browser - via browser_adaptive parameter
- Allow report-uri to be defined as a scalar
- Deprecate encrypted cookie support due to high coupling to the deprecated mcrypt extension
- Drop backward-compatibility with first deprecated CSP configuration
- Added ability to restrict forced_ssl capability to some hostnames only
- Fixed Symfony 3 compatibility
- BugFix: Fix LoggerInterface type hints to support PSR-3 loggers and not only Symfony 2.0 loggers
- Add Symfony 3 compatibility
- external_redirects definition can now contain full URLs
- Allow dynamic CSP configuration
- BugFix: Fix clickjacking URL normalization when containing dash and no underscore
- Added HTTP response's content-type restriction for Clickjacking and CSP headers.
- Added Microsoft's XSS-Protection support
- Disabled Clickjacking, CSP and NoSniff headers in the context of HTTP redirects
- Fixed bug in handling of the external_redirects.log being disabled
- Added a `Nelmio\SecurityBundle\ExternalRedirect\TargetValidator` interface to implement custom rules for the external_redirects feature. You can override the `nelmio_security.external_redirect.target_validator` service to change the default.
- Added a `hosts` key in the CSP configuration to restrict CSP checks to some host names
- Fixed a bug in `flexible_ssl` where the auth cookie was updated with a wrong expiration time the second time the visitor comes to the site.
- Removed X-Webkit-CSP header as none of the webkits using it are still current.
- Added a `forced_ssl.hsts_preload` flag to allow adding the preload attribute on HSTS headers
- Added ability to have different configs for both reported and enforced CSP rules
- Added support for ALLOW and ALLOW-FROM syntaxes in the Clickjacking Protection
- Added support for HHVM and PHP 5.6
- Fixed enabling of cookie signing when the cookie list is empty
- Added default controller to log CSP violations
- Added a flag to remove outdated non-standard CSP headers and only send the `Content-Security-Policy` one
- Added support for setting the X-Content-Type-Options header
- Added Content-Security-Policy (CSP) 1.0 support
- Added forced_ssl.whitelist property to define URLs that do not need to be force-redirected
- Fixed session loss bug on 404 URLs in the CookieSessionHandler
- Added a cookie session storage (use only if really needed, and combine it with `encrypted_cookie`)
- Fixed error reporting if mcrypt is not enabled and you try to use encryption
- Initial release