- Breaking:
helmet.contentSecurityPolicy
no longer setsblock-all-mixed-content
directive by default - Breaking:
helmet.expectCt
is no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310 - Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
helmet.frameguard
no longer offers a specific error when trying to useALLOW-FROM
; it just says that it is unsupported. Only the error message has changed
- Breaking: Dropped support for Node 12 and 13. Node 14+ is now required
Cross-Origin-Embedder-Policy
: supportcredentialless
policy. See #365- Documented how to set both
Content-Security-Policy
andContent-Security-Policy-Report-Only
- Cleaned up some documentation around
Origin-Agent-Cluster
- Improve imports for CommonJS and ECMAScript modules. See #345
- Fixed some documentation
- Fixed some documentation
- Removed some unused internal code
- ECMAScript module imports (i.e.,
import helmet from "helmet"
andimport { frameguard } from "helmet"
). See #320
- Breaking:
helmet.contentSecurityPolicy
:useDefaults
option now defaults totrue
- Breaking:
helmet.contentSecurityPolicy
:form-action
directive is now set to'self'
by default - Breaking:
helmet.crossOriginEmbedderPolicy
is enabled by default - Breaking:
helmet.crossOriginOpenerPolicy
is enabled by default - Breaking:
helmet.crossOriginResourcePolicy
is enabled by default - Breaking:
helmet.originAgentCluster
is enabled by default helmet.frameguard
: add TypeScript editor autocomplete. See #322- Top-level
helmet()
function is slightly faster
- Breaking: Drop support for Node 10 and 11. Node 12+ is now required
helmet.contentSecurityPolicy
: theuseDefaults
option, defaulting tofalse
, lets you selectively override defaults more easily- Explicitly define TypeScript types in
package.json
. See #303
helmet.crossOriginEmbedderPolicy
: a new middleware for theCross-Origin-Embedder-Policy
header, disabled by defaulthelmet.crossOriginOpenerPolicy
: a new middleware for theCross-Origin-Opener-Policy
header, disabled by defaulthelmet.crossOriginResourcePolicy
: a new middleware for theCross-Origin-Resource-Policy
header, disabled by default
true
enables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.- Log a warning when passing options to
originAgentCluster
at the top level
- Incorrect documentation
- Shrink the published package by about 2.5 kB
helmet.originAgentCluster
: a new middleware for theOrigin-Agent-Cluster
header, disabled by default
helmet.contentSecurityPolicy
: broken TypeScript types. See #283
helmet.contentSecurityPolicy
: setting thedefault-src
tohelmet.contentSecurityPolicy.dangerouslyDisableDefaultSrc
disables it
helmet.frameguard
: slightly improved error messages for non-strings
helmet.contentSecurityPolicy
: get the default directives withcontentSecurityPolicy.getDefaultDirectives()
helmet()
now supports objects that don't haveObject.prototype
in their chain, such asObject.create(null)
, as optionshelmet.expectCt
:max-age
is now first. See #264
- Fixed a few errors in the README
helmet.contentSecurityPolicy
:- Directive values can now include functions, as they could in Helmet 3. See #243
- Helmet should now play more nicely with TypeScript
- The
HelmetOptions
interface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
helmet.contentSecurityPolicy
:- If no
default-src
directive is supplied, an error is thrown - Directive lists can be any iterable, not just arrays
- If no
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
helmet.contentSecurityPolicy
:- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See helmetjs/csp#73
- This middleware is more lenient, allowing more directive names or values
helmet.xssFilter
now disables the buggy XSS filter by default. See #230
- Dropped support for old Node versions. Node 10+ is now required
helmet.featurePolicy
. If you still need it, use thefeature-policy
package on npm.helmet.hpkp
. If you still need it, use thehpkp
package on npm.helmet.noCache
. If you still need it, use thenocache
package on npm.helmet.contentSecurityPolicy
:- Removed browser sniffing (including the
browserSniff
anddisableAndroid
parameters). See helmetjs/csp#97 - Removed conditional support. This includes directive functions and support for a function as the
reportOnly
. Read this if you need help. - Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the
setAllHeaders
parameter). Read this if you need help. - Removed the
loose
option - Removed support for functions as directive values. You must supply an iterable of strings
- Removed browser sniffing (including the
helmet.frameguard
:- Dropped support for the
ALLOW-FROM
action. Read more here.
- Dropped support for the
helmet.hidePoweredBy
no longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.helmet.hsts
:- Dropped support for
includeSubdomains
with a lowercase D. See #231 - Dropped support for
setIf
. Read this if you need help. See #232
- Dropped support for
helmet.xssFilter
no longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable thereport
directive with X-XSS-Protection" if you need the legacy behavior.
helmet.expectCt
is no longer a separate package. This should have no effect on end users.helmet.frameguard
is no longer a separate package. This should have no effect on end users.
helmet.dnsPrefetchControl
is no longer a separate package. This should have no effect on end users.
helmet.ieNoOpen
is no longer a separate package. This should have no effect on end users.
helmet.featurePolicy
is deprecated. Use thefeature-policy
module instead.
- Rewrote internals in TypeScript. This should have no effect on end users.
- Updated
helmet-csp
to v2.10.0- Add support for the
allow-downloads
sandbox directive. See helmet-csp#103
- Add support for the
helmet.noCache
is deprecated. Use thenocache
module instead. See #215
- Updated
helmet-csp
to v2.9.5- Updated
bowser
subdependency from 2.7.0 to 2.9.0 - Fixed an issue some people were having when importing the
bowser
subdependency. See helmet-csp#96 and #101
- Updated
- Updated
helmet-csp
to v2.9.4- Updated
bowser
subdependency from 2.6.1 to 2.7.0. See helmet-csp#94
- Updated
- Updated
helmet-csp
to v2.9.2- Fixed a bug where a request from Firefox 4 could delete
default-src
from future responses - Fixed tablet PC detection by updating
bowser
subdependency to latest version
- Fixed a bug where a request from Firefox 4 could delete
- Updated
x-xss-protection
to v1.3.0- Added
mode: null
to disablemode=block
- Added
- Updated
helmet-csp
to v2.9.1- Updated
bowser
subdependency from 2.5.3 to 2.5.4. See helmet-csp#88
- Updated
- Updated
helmet-csp
to v2.9.0
- Updated
helmet-csp
to v2.8.0
- Updated
dns-prefetch-control
to v0.2.0 - Updated
dont-sniff-mimetype
to v1.1.0 - Updated
helmet-crossdomain
to v0.4.0 - Updated
hide-powered-by
to v1.1.0 - Updated
x-xss-protection
to v1.2.0
featurePolicy
has 19 new features:ambientLightSensor
,documentDomain
,documentWrite
,encryptedMedia
,fontDisplayLateSwap
,layoutAnimations
,legacyImageFormats
,loadingFrameDefaultEager
,oversizedImages
,pictureInPicture
,serial
,syncScript
,unoptimizedImages
,unoptimizedLosslessImages
,unoptimizedLossyImages
,unsizedMedia
,verticalScroll
,wakeLock
, andxr
- Updated
expect-ct
to v0.2.0 - Updated
feature-policy
to v0.3.0 - Updated
frameguard
to v3.1.0 - Updated
nocache
to v2.1.0
referrerPolicy
now supports multiple values
- Updated
referrerPolicy
to v1.2.0
- Add email to
bugs
field inpackage.json
- Updated
hsts
to v2.2.0 - Updated
ienoopen
to v1.1.0 - Changelog is now in the Keep A Changelog format
- Dropped support for Node <4. See the commit for more information
- Updated Adam Baldwin's contact information
helmet.hsts
'ssetIf
option has been deprecated and will be removed inhsts@3
. See helmetjs/hsts#22 for more
- The
includeSubdomains
option (with a lowercased
) has been deprecated and will be removed inhsts@3
. Use the uppercase-DincludeSubDomains
option instead. See helmetjs/hsts#21 for more
- The
hpkp
middleware has been deprecated. If you still need to use this module, install the standalonehpkp
module from npm. See #180 for more.
helmet.featurePolicy
now supports four new features
helmet.featurePolicy
middleware
helmet.permittedCrossDomainPolicies
middleware
- Removed
lodash.reduce
dependency fromcsp
expectCt
should use comma instead of semicolon as delimiter
xssFilter
now supportsreportUri
option
- Main Helmet middleware is now named to help with debugging
csp
now supportsprefix-src
directive
csp
no longer loads JSON files internally, helping some module bundlersfalse
should be able to disable a CSP directive
csp
now supportsstrict-dynamic
valuecsp
now supportsrequire-sri-for
directive
- Removed
connect
dependency
- Updated
connect
dependency to latest
csp
does not automatically setreport-to
when settingreport-uri
hsts
no longer cares whether it's HTTPS and always sets the header
csp
now supportsreport-to
directive
- Throw an error when used incorrectly
- Add a few documentation files to
npmignore
- Bump
connect
version
expectCt
middleware for setting theExpect-CT
header
csp
now supports theworker-src
directive
- Bump
connect
version
csp
now supports moresandbox
directives
referrerPolicy
allowsstrict-origin
andstrict-origin-when-cross-origin
directives
- Bump
connect
version
csp
now allowsmanifest-src
directive
csp
now allowsframe-src
directive
csp
will check your directives for common mistakes and throw errors if it finds them. This can be disabled withloose: true
.- Empty arrays are no longer allowed in
csp
. For source lists (likescript-src
orobject-src
), use the standardscriptSrc: ["'none'"]
. Thesandbox
directive can besandbox: true
to block everything. false
can disable a CSP directive. For example,scriptSrc: false
is the same as not specifying it.- In CSP,
reportOnly: true
no longer requires areport-uri
to be set. hsts
'smaxAge
now defaults to 180 days (instead of 1 day)hsts
'smaxAge
parameter is seconds, not millisecondshsts
includes subdomains by defaultdomain
parameter inframeguard
cannot be empty
noEtag
option no longer present innoCache
- iOS Chrome
connect-src
workaround in CSP module
hpkp
middleware now supports theincludeSubDomains
property with a capital D
hpkp
was settingincludeSubdomains
instead ofincludeSubDomains
referrerPolicy
middleware
- Top-level aliases (like
helmet.xssFilter
) are no longer dynamically required
nocache
'snoEtag
option is now deprecated
csp
now better handles Firefox on mobile
- Remove several dependencies from
helmet-csp
frameguard
had a documentation error about its default valueframeguard
docs in main Helmet readme saidframeguard
, nothelmet.frameguard
csp
lets you dynamically setreportOnly
- Pass configuration to enable/disable default middlewares
dnsPrefetchControl
middleware is now enabled by default
- No more module aliases. There is now just one way to include each middleware
frameguard
can no longer be initialized with strings; you must use an object
- Make
hpkp
lowercase in documentation - Update
hpkp
spec URL in readmes - Update
frameguard
header name in readme
hpkp
has asetIf
option to conditionally set the header
csp
now has abrowserSniff
option to disable all user-agent sniffing
frameguard
can now be initialized with options- Add
npmignore
file to speed up installs slightly
- Code of conduct
dnsPrefetchControl
middleware
csp
readme had syntax errors
csp
wouldn't recognizeIE Mobile
browserscsp
had some errors in its readme- Main readme had a syntax error
csp
with no User Agent would cause errors
csp
module supports dynamically-generated values
csp
directives are now under thedirectives
keyhpkp
'sReport-Only
header is now opt-in, not opt-out- Tweak readmes of every sub-repo
crossdomain
middlewarecsp
no longer throws errors when some directives aren't quoted ('self'
, for example)maxage
option in thehpkp
middlewaresafari5
option fromcsp
module
- Old Firefox Content-Security-Policy behavior for
unsafe-inline
andunsafe-eval
- Dynamic
csp
policies is no longer recursive
hpkp
allows areport-uri
without theReport-Only
header
nocache
now sends theSurrogate-Control
header
nocache
no longer contains theprivate
directive in theCache-Control
header
xssFilter
now has a function name- Added new CSP docs to readme
- HSTS option renamed from
includeSubdomains
toincludeSubDomains
csp
now supports Microsoft Edge- CSP Level 2 support
- Updated
connect
to 3.4.0 - Updated
depd
to 1.1.0
- Added
license
key tocsp
'spackage.json
- Empty
csp
directives now support every directive, not justsandbox
- Add "Handling CSP violations" to
csp
readme - Add license to
package.json
hpkp
had a link to the wrong place in its readmehpkp
requires 2 or more pins
hpkp
might have miscalculatedmaxAge
slightly wrong
nocache
addsprivate
to itsCache-Control
directive- Added a description to
package.json
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
- Deprecated
crossdomain
middleware
crossdomain
is no longer a default middleware
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
hpkp
middleware
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
- Improved
xssFilter
performance - Updated Lodash versions
- "Other recommended modules" in README
- Updated Lodash version
frameguard
middleware exported a function calledxframe
- You can disable
csp
for Android
csp
on Chrome Mobile on Android and iOS
nocache
should force revalidation
platform
version in CSP and X-XSS-Protection
- Updated bad wording in frameguard docs
- Updated Connect version
- Fixed minor
csp
bugfixes
- Updated URLs in
package.json
for new URL
- CSP would set all headers forever after receiving an unknown user agent
- Most middlewares have some aliases now
xframe
now calledframeguard
(thoughxframe
still works)frameguard
chooses sameorigin by defaultframeguard
understands "SAME-ORIGIN" in addition to "SAMEORIGIN"nocache
removed from default middleware stack- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
- Deprecation warnings
- Readme link was broken
- Support preload in HSTS header
- Use helmet-crossdomain to test the waters
- 2 spaces instead of 4 throughout the code
nocache
now sets the Expires and Pragma headersnocache
now allows you to crush ETags
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
- Allow HSTS to have a max-age of 0
- All middleware functions are named
- Throw error with non-positive HSTS max-age
- Added semicolons in README
- Make some Errors more specific
- Removed all comment headers; refer to the readme
helmet()
was having issues- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.