3.6.0 (2024-07-08)
3.5.0 (2024-07-03)
3.4.0 (2024-07-01)
3.3.1 (2024-06-12)
3.3.0 (2024-05-29)
3.2.0 (2024-01-04)
3.1.0 (2023-08-09)
3.0.0 (2023-05-10)
- drop Node.js < 14 support
features
- [b97b2b2] - feat: csrf cookie support cookieOptions (#80) (大木匠贰 <[email protected]>)
others
- [4bb4741] - 🐛 FIX: Add warning message on false value config (#79) (fengmk2 <[email protected]>)
- [184d109] - 📖 DOC: Add CONNECT method on CSRF default config (fengmk2 <[email protected]>)
features
- [2d1b28f] - feat: make csrf supported method configurable (#74) (Anemone95 <[email protected]>)
others
- [59558fa] - 🐛 FIX: Should detect all rules before ignore on CSRF (#78) (fengmk2 <[email protected]>)
- [61a5543] - deps: use nanoid@3 (#77) (fengmk2 <[email protected]>)
fixes
- [0b3fb1e] - fix: should match script end tags like </script > (#76) (fengmk2 <[email protected]>)
others
- [1cde817] - 🤖 TEST: Run ci on GitHub Action (#75) (fengmk2 <[email protected]>)
- [23fef7d] - Delete SECURITY.md (fengmk2 <[email protected]>)
- [f6aeb97] - docs: Add Security Policy (fengmk2 <[email protected]>)
others
- [9d80e90] - add ssrf.ipExceptionList (#70) (shadyzoz <[email protected]>)
- [79c38e0] - docs: fix typos (#68) (viko16 <[email protected]>)
features
- [a9aff4f] - feat: csrf support any, fix isSafeDomain bug (#67) (Yiyu He <[email protected]>)
- [beeded1] - feat: config.cookieName support array (#66) (Yiyu He <[email protected]>)
others
- [5bd4719] - test: content-length should not be empty string (pusongyang <[email protected]>)
- [def5bfa] - docs: typos & optimization (#63) (吖猩 <[email protected]>)
fixes
- [ef0e439] - fix(security): use new URL instead of url.parse (#62) (Yiyu He <[email protected]>)
features
- [f03aeed] - feat: add escapeShellArg and escapeShellCmd (#60) (p0sec <[email protected]>)
others
- [22b155f] - style: fix document (#59) (刘放 <[email protected]>)
fixes
- [b72a1eb] - fix: csrf false check (#58) (吖猩 <[email protected]>)
features
- [a1b8e00] - feat: csrf support referer type (#56) (吖猩 <[email protected]>)
others
- [1890644] - chore: show contributors on README (#55) (fengmk2 <[email protected]>)
others
- [4fcadc4] - deps: update packs and ignore lock file (#54) (Maledong <[email protected]>)
- [5772242] - test: use expectLog to assert log (#53) (fengmk2 <[email protected]>)
fixes
- [b80202f] - fix: make sure domain is string before use it (#52) (fengmk2 <[email protected]>)
fixes
- [ad21465] - fix: fix referrer-policy enum check (#50) (Century Guo <[email protected]>)
- fix: shtml check domainWhiteList hostname get null (#49)
others
- [57bc4d9] - bug (methodnoallow): Fix for 'OPTIONS not allowed' (#40) (Maledong <[email protected]>)
- [8ead61e] - chore: improve npm scripts (#48) (Maledong <[email protected]>)
- [817d114] - doc (README.zh-CN.md, README.md): Fix typos and add missing trans (#45) (Maledong <[email protected]>)
fixes
- [8997866] - fix: preprocess config in app.js (#46) (Yiyu He <[email protected]>)
others
- [9baf72e] - chore (shtml,cliFilter,sjs,README): Modifications of files (#47) (Maledong <[email protected]>)
fixes
- [835eff5] - Fix: Make domain and whiteList, protocolWhiteList case insensitive (Maledong <[email protected]>)
- [81f757a] - fix: use faster non-secure ID generator (#43) (Andrey Sitnik <[email protected]>)
others
- [72e7ceb] - utils (isSafeDomain): Use matcher to check for a wild character of a (#42) (Maledong <[email protected]>)
- [a7035cf] - doc: Translate from Chinese into English for several files for their comments (#41) (Maledong <[email protected]>)
fixes
- [b5e1741] - fix: disable nosniff on redirect status (#38) (fengmk2 <[email protected]>)
fixes
- [dbc9a44] - fix: format illegal url (#36) (Yiyu He <[email protected]>)
others
- [9676127] - docs: update warning information for ignoreJSON (#35) (Haoliang Gao <[email protected]>)
others
- [e6e5e65] - docs: fix SSRF link (#34) (Haoliang Gao <[email protected]>)
features
- [eba4555] - feat: support safeCurl for SSRF protection (#32) (Yiyu He <[email protected]>)
fixes
- [abc33d1] - fix: deprecate ignoreJSON (#30) (Yiyu He <[email protected]>)
others
- [4f045a0] - deps: add missing dependencies ip (dead-horse <[email protected]>)
features
- [97f372c] - feat: add RefererPolicy support (#27) (Adams <[email protected]>)
others
- [76bd83f] - chore: bump to 2.0.1 (jtyjty99999 <[email protected]>)
- fix: absolute path detect should ignore evil path (#28)
others
- [0ec7d2f] - refactor: use async function and support egg@2 (#25) (Yiyu He <[email protected]>)
others
- [870a7e2] - fix(csrf): ignore json request even body not exist (#23) (Yiyu He <[email protected]>)
- feat: make session plugin optional (#22)
- feat: add global path blocking to avoid directory traversal attack (#19)
- fix: should not assert csrf when path match ignore (#20)
- docs: fix License url (#18)
- feat: config.security.csrf.cookieDomain can be function (#17)
- feat: use egg-path-matching to support fn (#15)
- feat: support multiple query/body key to valid csrf token (#14)
- feat: add ctx.rotateCsrfToken (#13)
- refactor: add csrf faq url to error msg in local env (#12)
- feat: surl support protocol whitelist (#11)
- refactor: rewrite csrf (#10)
- feat: support hash link in shtml (#7)
- test: fix test (#8)
- fix: make sure every middleware has name (#6)
- feat: disable hsts for default (#5)
- refactor: remove ctoken, csrf check all post/put/.. requests (#4)
- fix: lower case header will get better performance (#3)
- refactor: use setRawHeader
- First version