Changelog

4.0.0 (2025-01-17)

⚠ BREAKING CHANGES

drop Node.js < 18.19.0 support

part of eggjs/egg#3644

eggjs/egg#5257

Summary by CodeRabbit

Based on the comprehensive changes, here are the updated release notes:

New Features
- Migrated security plugin to TypeScript.
- Enhanced type safety for security configurations.
- Improved middleware and helper utilities.
Introduced new middleware for handling Strict-Transport-Security, X-Frame-Options, and X-XSS-Protection headers.
- Added support for new security configurations and helper functions.
Breaking Changes
- Renamed package from egg-security to @eggjs/security.
- Dropped support for Node.js versions below 18.19.0.
- Restructured module exports and configurations.
- Removed several deprecated middleware and utility functions.
Security Improvements
- Updated CSRF, XSS, and SSRF protection mechanisms.
- Enhanced middleware for handling security headers.
- Refined configuration options for various security features.
Performance
- Modernized codebase with ES module syntax.
- Improved type definitions and module structure.
Enhanced test suite with TypeScript support and better resource management.

Features

support cjs and esm both by tshy (#101) (a11661f)

3.7.0 (2025-01-13)

Features

csrf support check origin header with referer type (#69) (2c950d3)

3.6.0 (2024-07-08)

Features

add hostnameExceptionList for ssrf (#100) (92a34f3)

3.5.0 (2024-07-03)

Features

add rotateWhenInvalid option for CSRF token (#98) (ae37c8f)

3.4.0 (2024-07-01)

Features

support SSRF check on useHttpClientNext = true (#96) (1d6bfff)

3.3.1 (2024-06-12)

Bug Fixes

use @eggjs/ip instead of ip (#95) (5e3ee95)

3.3.0 (2024-05-29)

Features

use ip@v2 (#93) (ffb761d)

3.2.0 (2024-01-04)

Features

CSRF cookies allow the use of signatures (#88) (da1b532)

3.1.0 (2023-08-09)

Features

context 中的 isSafeDomain() 函数增加自定义白名单参数 (#86) (a178552)

3.0.0 (2023-05-10)

⚠ BREAKING CHANGES

drop Node.js < 14 support

Features

upgrade deps to latest versions (#82) (c3ca817)

2.11.0 / 2022-07-20

features

[b97b2b2] - feat: csrf cookie support cookieOptions (#80) (大木匠贰 <damujiangr@aliyun.com>)

2.10.1 / 2022-04-10

others

[4bb4741] - 🐛 FIX: Add warning message on false value config (#79) (fengmk2 <fengmk2@gmail.com>)
[184d109] - 📖 DOC: Add CONNECT method on CSRF default config (fengmk2 <fengmk2@gmail.com>)

2.10.0 / 2022-04-05

features

[2d1b28f] - feat: make csrf supported method configurable (#74) (Anemone95 <x565178035@126.com>)

others

[59558fa] - 🐛 FIX: Should detect all rules before ignore on CSRF (#78) (fengmk2 <fengmk2@gmail.com>)
[61a5543] - deps: use nanoid@3 (#77) (fengmk2 <fengmk2@gmail.com>)

2.9.1 / 2022-03-29

fixes

[0b3fb1e] - fix: should match script end tags like </script > (#76) (fengmk2 <fengmk2@gmail.com>)

others

[1cde817] - 🤖 TEST: Run ci on GitHub Action (#75) (fengmk2 <fengmk2@gmail.com>)
[23fef7d] - Delete SECURITY.md (fengmk2 <fengmk2@gmail.com>)
[f6aeb97] - docs: Add Security Policy (fengmk2 <fengmk2@gmail.com>)

2.9.0 / 2021-04-21

others

[9d80e90] - add ssrf.ipExceptionList (#70) (shadyzoz <shadyzoz@icloud.com>)
[79c38e0] - docs: fix typos (#68) (viko16 <viko16@users.noreply.github.com>)

2.8.0 / 2020-04-16

features

[a9aff4f] - feat: csrf support any, fix isSafeDomain bug (#67) (Yiyu He <dead_horse@qq.com>)
[beeded1] - feat: config.cookieName support array (#66) (Yiyu He <dead_horse@qq.com>)

others

[5bd4719] - test: content-length should not be empty string (pusongyang <ukyo.pu@gmail.com>)
[def5bfa] - docs: typos & optimization (#63) (吖猩 <whx89768@alibaba-inc.com>)

2.7.1 / 2019-11-14

fixes

[ef0e439] - fix(security): use new URL instead of url.parse (#62) (Yiyu He <dead_horse@qq.com>)

2.7.0 / 2019-10-25

features

[f03aeed] - feat: add escapeShellArg and escapeShellCmd (#60) (p0sec <7829373@qq.com>)

others

[22b155f] - style: fix document (#59) (刘放 <brizer@users.noreply.github.com>)

2.6.1 / 2019-08-09

fixes

[b72a1eb] - fix: csrf false check (#58) (吖猩 <whxaxes@gmail.com>)

2.6.0 / 2019-08-09

features

[a1b8e00] - feat: csrf support referer type (#56) (吖猩 <whxaxes@gmail.com>)

others

[1890644] - chore: show contributors on README (#55) (fengmk2 <fengmk2@gmail.com>)

2.5.0 / 2019-03-08

others

[4fcadc4] - deps: update packs and ignore lock file (#54) (Maledong <maledong_github@outlook.com>)
[5772242] - test: use expectLog to assert log (#53) (fengmk2 <fengmk2@gmail.com>)

2.4.3 / 2019-02-19

fixes

[b80202f] - fix: make sure domain is string before use it (#52) (fengmk2 <fengmk2@gmail.com>)

2.4.2 / 2019-01-04

fixes

[ad21465] - fix: fix referrer-policy enum check (#50) (Century Guo <648772021@qq.com>)

2.4.1 / 2018-11-15

fix: shtml check domainWhiteList hostname get null (#49)

2.4.0 / 2018-08-24

others

[57bc4d9] - bug (methodnoallow): Fix for 'OPTIONS not allowed' (#40) (Maledong <maledong_github@outlook.com>)
[8ead61e] - chore: improve npm scripts (#48) (Maledong <maledong_github@outlook.com>)
[817d114] - doc (README.zh-CN.md, README.md): Fix typos and add missing trans (#45) (Maledong <maledong_github@outlook.com>)

2.3.1 / 2018-08-16

fixes

[8997866] - fix: preprocess config in app.js (#46) (Yiyu He <dead_horse@qq.com>)

others

[9baf72e] - chore (shtml,cliFilter,sjs,README): Modifications of files (#47) (Maledong <maledong_github@outlook.com>)

2.3.0 / 2018-08-14

fixes

[835eff5] - Fix: Make domain and whiteList, protocalWhiteList case insensitive (Maledong <maledong_github@outlook.com>)
[81f757a] - fix: use faster non-secure ID generator (#43) (Andrey Sitnik <andrey@sitnik.ru>)

others

[72e7ceb] - utils (isSafeDomain): Use matcher to check for a wild character of a (#42) (Maledong <maledong_github@outlook.com>)
[a7035cf] - doc: Translate from Chinese into English for several files for their comments (#41) (Maledong <maledong_github@outlook.com>)

2.2.3 / 2018-07-11

fixes

[b5e1741] - fix: disable nosniff on redirect status (#38) (fengmk2 <fengmk2@gmail.com>)

2.2.2 / 2018-04-12

fixes

[dbc9a44] - fix: format illegal url (#36) (Yiyu He <dead_horse@qq.com>)

others

[9676127] - docs: update warning infomation for ignoreJSON (#35) (Haoliang Gao <sakura9515@gmail.com>)

2.2.1 / 2018-03-28

others

[e6e5e65] - docs: fix SSRF link (#34) (Haoliang Gao <sakura9515@gmail.com>)

2.2.0 / 2018-03-27

features

[eba4555] - feat: support safeCurl for SSRF protection (#32) (Yiyu He <dead_horse@qq.com>)

fixes

[abc33d1] - fix: deprecate ignoreJSON (#30) (Yiyu He <dead_horse@qq.com>)

others

[4f045a0] - deps: add missing dependencies ip (dead-horse <dead_horse@qq.com>)

2.1.0 / 2018-03-14

features

[97f372c] - feat: add RefererPolicy support (#27) (Adams <jtyjty99999@126.com>)

others

[76bd83f] - chore:bump to 2.0.1 (jtyjty99999 <jtyjty99999@126.com>),

2.0.1 / 2018-03-14

fix: absolute path detect should ignore evil path (#28)

2.0.0 / 2017-11-10

others

[0ec7d2f] - refactor: use async function and support egg@2 (#25) (Yiyu He <dead_horse@qq.com>)

1.12.1 / 2017-08-03

others

[870a7e2] - fix(csrf): ignore json request even body not exist (#23) (Yiyu He <dead-horse@users.noreply.github.com>)

1.12.0 / 2017-07-19

feat: make session plugin optional (#22)

1.11.0 / 2017-06-19

feat: add global path blocking to avoid directory traversal attack (#19)

1.10.2 / 2017-06-14

fix: should not assert csrf when path match ignore (#20)

1.10.1 / 2017-06-04

docs: fix License url (#18)

1.10.0 / 2017-05-09

feat: config.security.csrf.cookieDomain can be function (#17)

1.9.0 / 2017-03-28

feat: use egg-path-matching to support fn (#15)

1.8.0 / 2017-03-07

feat:support muiltiple query/body key to valid csrf token (#14)

1.7.0 / 2017-03-07

feat: add ctx.rotateCsrfToken (#13)

1.6.0 / 2017-02-20

refactor: add csrf faq url to error msg in local env (#12)

1.5.0 / 2017-02-17

feat: surl support protocol whitelist (#11)

1.4.0 / 2017-01-22

refactor: rewrite csrf (#10)

1.3.0 / 2016-12-28

feat: support hash link in shtml (#7)
test: fix test (#8)

1.2.1 / 2016-09-01

fix: make sure every middleware has name (#6)

1.2.0 / 2016-08-31

feat: disable hsts for default (#5)

1.1.0 / 2016-08-31

refactor: remove ctoken, csrf check all post/put/.. requests (#4)

1.0.3 / 2016-08-30

fix: lower case header will get better performance (#3)

1.0.2 / 2016-08-29

refactor: use setRawHeader

1.0.1 / 2016-08-21

First version

Files

CHANGELOG.md

Latest commit

History

CHANGELOG.md

File metadata and controls

Changelog

4.0.0 (2025-01-17)

⚠ BREAKING CHANGES

Summary by CodeRabbit

Features

3.7.0 (2025-01-13)

Features

3.6.0 (2024-07-08)

Features

3.5.0 (2024-07-03)

Features

3.4.0 (2024-07-01)

Features

3.3.1 (2024-06-12)

Bug Fixes

3.3.0 (2024-05-29)

Features

3.2.0 (2024-01-04)

Features

3.1.0 (2023-08-09)

Features

3.0.0 (2023-05-10)

⚠ BREAKING CHANGES

Features

2.11.0 / 2022-07-20

2.10.1 / 2022-04-10

2.10.0 / 2022-04-05

2.9.1 / 2022-03-29

2.9.0 / 2021-04-21

2.8.0 / 2020-04-16

2.7.1 / 2019-11-14

2.7.0 / 2019-10-25

2.6.1 / 2019-08-09

2.6.0 / 2019-08-09

2.5.0 / 2019-03-08

2.4.3 / 2019-02-19

2.4.2 / 2019-01-04

2.4.1 / 2018-11-15

2.4.0 / 2018-08-24

2.3.1 / 2018-08-16

2.3.0 / 2018-08-14

2.2.3 / 2018-07-11

2.2.2 / 2018-04-12

2.2.1 / 2018-03-28

2.2.0 / 2018-03-27

2.1.0 / 2018-03-14

2.0.1 / 2018-03-14

2.0.0 / 2017-11-10

1.12.1 / 2017-08-03

1.12.0 / 2017-07-19

1.11.0 / 2017-06-19

1.10.2 / 2017-06-14

1.10.1 / 2017-06-04

1.10.0 / 2017-05-09

1.9.0 / 2017-03-28

1.8.0 / 2017-03-07

1.7.0 / 2017-03-07

1.6.0 / 2017-02-20

1.5.0 / 2017-02-17

1.4.0 / 2017-01-22

1.3.0 / 2016-12-28

1.2.1 / 2016-09-01

1.2.0 / 2016-08-31

1.1.0 / 2016-08-31

1.0.3 / 2016-08-30

1.0.2 / 2016-08-29

1.0.1 / 2016-08-21