- Breaking:
Strict-Transport-Securitynow has a max-age of 365 days, up from 180 - Breaking:
Content-Security-Policymiddleware now throws an error if a directive should have quotes but does not, such asselfinstead of'self'. See #454 - Breaking:
Content-Security-Policy'sgetDefaultDirectivesnow returns a deep copy. This only affects users who were mutating the result - Breaking:
Strict-Transport-Securitynow throws an error when "includeSubDomains" option is misspelled. This was previously a warning
- Breaking: Drop support for Node 16 and 17. Node 18+ is now required
Content-Security-Policymiddleware now warns if a directive should have quotes but does not, such asselfinstead of'self'. This will be an error in future versions. See #454
helmet.crossOriginEmbedderPolicynow supports theunsafe-nonedirective. See #477
- Breaking:
Cross-Origin-Embedder-Policymiddleware is now disabled by default. See #411
- Breaking: Drop support for Node 14 and 15. Node 16+ is now required
- Breaking:
Expect-CTis no longer part of Helmet. If you still need it, you can use theexpect-ctpackage. See #378
- Expose header names (e.g.,
strictTransportSecurityfor theStrict-Transport-Securityheader, instead ofhsts) - Rework documentation
- Fixed yet another issue with TypeScript exports. See #420
- Fix another issue with TypeScript default exports. See #418
- Fix issue with TypeScript default exports. See #417
- Retored
mainto package to help with some build tools
- Fixed missing package metadata
- Improve support for various TypeScript setups, including "nodenext". See #405
crossOriginEmbedderPolicydid not accept options at the top level. See #390
- Breaking:
helmet.contentSecurityPolicyno longer setsblock-all-mixed-contentdirective by default - Breaking:
helmet.expectCtis no longer set by default. It can, however, be explicitly enabled. It will be removed in Helmet 7. See #310 - Breaking: Increase TypeScript strictness around some arguments. Only affects TypeScript users, and may not require any code changes. See #369
helmet.frameguardno longer offers a specific error when trying to useALLOW-FROM; it just says that it is unsupported. Only the error message has changed
- Breaking: Dropped support for Node 12 and 13. Node 14+ is now required
Cross-Origin-Embedder-Policy: supportcredentiallesspolicy. See #365- Documented how to set both
Content-Security-PolicyandContent-Security-Policy-Report-Only
- Cleaned up some documentation around
Origin-Agent-Cluster
- Improve imports for CommonJS and ECMAScript modules. See #345
- Fixed some documentation
- Fixed some documentation
- Removed some unused internal code
- ECMAScript module imports (i.e.,
import helmet from "helmet"andimport { frameguard } from "helmet"). See #320
- Breaking:
helmet.contentSecurityPolicy:useDefaultsoption now defaults totrue - Breaking:
helmet.contentSecurityPolicy:form-actiondirective is now set to'self'by default - Breaking:
helmet.crossOriginEmbedderPolicyis enabled by default - Breaking:
helmet.crossOriginOpenerPolicyis enabled by default - Breaking:
helmet.crossOriginResourcePolicyis enabled by default - Breaking:
helmet.originAgentClusteris enabled by default helmet.frameguard: add TypeScript editor autocomplete. See #322- Top-level
helmet()function is slightly faster
- Breaking: Drop support for Node 10 and 11. Node 12+ is now required
helmet.contentSecurityPolicy: theuseDefaultsoption, defaulting tofalse, lets you selectively override defaults more easily- Explicitly define TypeScript types in
package.json. See #303
helmet.crossOriginEmbedderPolicy: a new middleware for theCross-Origin-Embedder-Policyheader, disabled by defaulthelmet.crossOriginOpenerPolicy: a new middleware for theCross-Origin-Opener-Policyheader, disabled by defaulthelmet.crossOriginResourcePolicy: a new middleware for theCross-Origin-Resource-Policyheader, disabled by default
trueenables a middleware with default options. Previously, this would fail with an error if the middleware was already enabled by default.- Log a warning when passing options to
originAgentClusterat the top level
- Incorrect documentation
- Shrink the published package by about 2.5 kB
helmet.originAgentCluster: a new middleware for theOrigin-Agent-Clusterheader, disabled by default
helmet.contentSecurityPolicy: broken TypeScript types. See #283
helmet.contentSecurityPolicy: setting thedefault-srctohelmet.contentSecurityPolicy.dangerouslyDisableDefaultSrcdisables it
helmet.frameguard: slightly improved error messages for non-strings
helmet.contentSecurityPolicy: get the default directives withcontentSecurityPolicy.getDefaultDirectives()
helmet()now supports objects that don't haveObject.prototypein their chain, such asObject.create(null), as optionshelmet.expectCt:max-ageis now first. See #264
- Fixed a few errors in the README
helmet.contentSecurityPolicy:- Directive values can now include functions, as they could in Helmet 3. See #243
- Helmet should now play more nicely with TypeScript
- The
HelmetOptionsinterface is no longer exported. This only affects TypeScript users. If you need the functionality back, see this comment
See the Helmet 4 upgrade guide for help upgrading from Helmet 3.
helmet.contentSecurityPolicy:- If no
default-srcdirective is supplied, an error is thrown - Directive lists can be any iterable, not just arrays
- If no
- This package no longer has dependencies. This should have no effect on end users, other than speeding up installation time.
helmet.contentSecurityPolicy:- There is now a default set of directives if none are supplied
- Duplicate keys now throw an error. See helmetjs/csp#73
- This middleware is more lenient, allowing more directive names or values
helmet.xssFilternow disables the buggy XSS filter by default. See #230
- Dropped support for old Node versions. Node 10+ is now required
helmet.featurePolicy. If you still need it, use thefeature-policypackage on npm.helmet.hpkp. If you still need it, use thehpkppackage on npm.helmet.noCache. If you still need it, use thenocachepackage on npm.helmet.contentSecurityPolicy:- Removed browser sniffing (including the
browserSniffanddisableAndroidparameters). See helmetjs/csp#97 - Removed conditional support. This includes directive functions and support for a function as the
reportOnly. Read this if you need help. - Removed a lot of checks—you should be checking your CSP with a different tool
- Removed support for legacy headers (and therefore the
setAllHeadersparameter). Read this if you need help. - Removed the
looseoption - Removed support for functions as directive values. You must supply an iterable of strings
- Removed browser sniffing (including the
helmet.frameguard:- Dropped support for the
ALLOW-FROMaction. Read more here.
- Dropped support for the
helmet.hidePoweredByno longer accepts arguments. See this article to see how to replicate the removed behavior. See #224.helmet.hsts:- Dropped support for
includeSubdomainswith a lowercase D. See #231 - Dropped support for
setIf. Read this if you need help. See #232
- Dropped support for
helmet.xssFilterno longer accepts options. Read "How to disable blocking with X-XSS-Protection" and "How to enable thereportdirective with X-XSS-Protection" if you need the legacy behavior.
helmet.expectCtis no longer a separate package. This should have no effect on end users.helmet.frameguardis no longer a separate package. This should have no effect on end users.
helmet.dnsPrefetchControlis no longer a separate package. This should have no effect on end users.
helmet.ieNoOpenis no longer a separate package. This should have no effect on end users.
helmet.featurePolicyis deprecated. Use thefeature-policymodule instead.
- Rewrote internals in TypeScript. This should have no effect on end users.
- Updated
helmet-cspto v2.10.0- Add support for the
allow-downloadssandbox directive. See helmet-csp#103
- Add support for the
helmet.noCacheis deprecated. Use thenocachemodule instead. See #215
- Updated
helmet-cspto v2.9.5- Updated
bowsersubdependency from 2.7.0 to 2.9.0 - Fixed an issue some people were having when importing the
bowsersubdependency. See helmet-csp#96 and #101
- Updated
- Updated
helmet-cspto v2.9.4- Updated
bowsersubdependency from 2.6.1 to 2.7.0. See helmet-csp#94
- Updated
- Updated
helmet-cspto v2.9.2- Fixed a bug where a request from Firefox 4 could delete
default-srcfrom future responses - Fixed tablet PC detection by updating
bowsersubdependency to latest version
- Fixed a bug where a request from Firefox 4 could delete
- Updated
x-xss-protectionto v1.3.0- Added
mode: nullto disablemode=block
- Added
- Updated
helmet-cspto v2.9.1- Updated
bowsersubdependency from 2.5.3 to 2.5.4. See helmet-csp#88
- Updated
- Updated
helmet-cspto v2.9.0
- Updated
helmet-cspto v2.8.0
- Updated
dns-prefetch-controlto v0.2.0 - Updated
dont-sniff-mimetypeto v1.1.0 - Updated
helmet-crossdomainto v0.4.0 - Updated
hide-powered-byto v1.1.0 - Updated
x-xss-protectionto v1.2.0
featurePolicyhas 19 new features:ambientLightSensor,documentDomain,documentWrite,encryptedMedia,fontDisplayLateSwap,layoutAnimations,legacyImageFormats,loadingFrameDefaultEager,oversizedImages,pictureInPicture,serial,syncScript,unoptimizedImages,unoptimizedLosslessImages,unoptimizedLossyImages,unsizedMedia,verticalScroll,wakeLock, andxr
- Updated
expect-ctto v0.2.0 - Updated
feature-policyto v0.3.0 - Updated
frameguardto v3.1.0 - Updated
nocacheto v2.1.0
referrerPolicynow supports multiple values
- Updated
referrerPolicyto v1.2.0
- Add email to
bugsfield inpackage.json
- Updated
hststo v2.2.0 - Updated
ienoopento v1.1.0 - Changelog is now in the Keep A Changelog format
- Dropped support for Node <4. See the commit for more information
- Updated Adam Baldwin's contact information
helmet.hsts'ssetIfoption has been deprecated and will be removed inhsts@3. See helmetjs/hsts#22 for more
- The
includeSubdomainsoption (with a lowercased) has been deprecated and will be removed inhsts@3. Use the uppercase-DincludeSubDomainsoption instead. See helmetjs/hsts#21 for more
- The
hpkpmiddleware has been deprecated. If you still need to use this module, install the standalonehpkpmodule from npm. See #180 for more.
helmet.featurePolicynow supports four new features
helmet.featurePolicymiddleware
helmet.permittedCrossDomainPoliciesmiddleware
- Removed
lodash.reducedependency fromcsp
expectCtshould use comma instead of semicolon as delimiter
xssFilternow supportsreportUrioption
- Main Helmet middleware is now named to help with debugging
cspnow supportsprefix-srcdirective
cspno longer loads JSON files internally, helping some module bundlersfalseshould be able to disable a CSP directive
cspnow supportsstrict-dynamicvaluecspnow supportsrequire-sri-fordirective
- Removed
connectdependency
- Updated
connectdependency to latest
cspdoes not automatically setreport-towhen settingreport-uri
hstsno longer cares whether it's HTTPS and always sets the header
cspnow supportsreport-todirective
- Throw an error when used incorrectly
- Add a few documentation files to
npmignore
- Bump
connectversion
expectCtmiddleware for setting theExpect-CTheader
cspnow supports theworker-srcdirective
- Bump
connectversion
cspnow supports moresandboxdirectives
referrerPolicyallowsstrict-originandstrict-origin-when-cross-origindirectives
- Bump
connectversion
cspnow allowsmanifest-srcdirective
cspnow allowsframe-srcdirective
cspwill check your directives for common mistakes and throw errors if it finds them. This can be disabled withloose: true.- Empty arrays are no longer allowed in
csp. For source lists (likescript-srcorobject-src), use the standardscriptSrc: ["'none'"]. Thesandboxdirective can besandbox: trueto block everything. falsecan disable a CSP directive. For example,scriptSrc: falseis the same as not specifying it.- In CSP,
reportOnly: trueno longer requires areport-urito be set. hsts'smaxAgenow defaults to 180 days (instead of 1 day)hsts'smaxAgeparameter is seconds, not millisecondshstsincludes subdomains by defaultdomainparameter inframeguardcannot be empty
noEtagoption no longer present innoCache- iOS Chrome
connect-srcworkaround in CSP module
hpkpmiddleware now supports theincludeSubDomainsproperty with a capital D
hpkpwas settingincludeSubdomainsinstead ofincludeSubDomains
referrerPolicymiddleware
- Top-level aliases (like
helmet.xssFilter) are no longer dynamically required
nocache'snoEtagoption is now deprecated
cspnow better handles Firefox on mobile
- Remove several dependencies from
helmet-csp
frameguardhad a documentation error about its default valueframeguarddocs in main Helmet readme saidframeguard, nothelmet.frameguard
csplets you dynamically setreportOnly
- Pass configuration to enable/disable default middlewares
dnsPrefetchControlmiddleware is now enabled by default
- No more module aliases. There is now just one way to include each middleware
frameguardcan no longer be initialized with strings; you must use an object
- Make
hpkplowercase in documentation - Update
hpkpspec URL in readmes - Update
frameguardheader name in readme
hpkphas asetIfoption to conditionally set the header
cspnow has abrowserSniffoption to disable all user-agent sniffing
frameguardcan now be initialized with options- Add
npmignorefile to speed up installs slightly
- Code of conduct
dnsPrefetchControlmiddleware
cspreadme had syntax errors
cspwouldn't recognizeIE Mobilebrowserscsphad some errors in its readme- Main readme had a syntax error
cspwith no User Agent would cause errors
cspmodule supports dynamically-generated values
cspdirectives are now under thedirectiveskeyhpkp'sReport-Onlyheader is now opt-in, not opt-out- Tweak readmes of every sub-repo
crossdomainmiddlewarecspno longer throws errors when some directives aren't quoted ('self', for example)maxageoption in thehpkpmiddlewaresafari5option fromcspmodule
- Old Firefox Content-Security-Policy behavior for
unsafe-inlineandunsafe-eval - Dynamic
csppolicies is no longer recursive
hpkpallows areport-uriwithout theReport-Onlyheader
nocachenow sends theSurrogate-Controlheader
nocacheno longer contains theprivatedirective in theCache-Controlheader
xssFilternow has a function name- Added new CSP docs to readme
- HSTS option renamed from
includeSubdomainstoincludeSubDomains
cspnow supports Microsoft Edge- CSP Level 2 support
- Updated
connectto 3.4.0 - Updated
depdto 1.1.0
- Added
licensekey tocsp'spackage.json - Empty
cspdirectives now support every directive, not justsandbox
- Add "Handling CSP violations" to
cspreadme - Add license to
package.json
hpkphad a link to the wrong place in its readmehpkprequires 2 or more pins
hpkpmight have miscalculatedmaxAgeslightly wrong
nocacheaddsprivateto itsCache-Controldirective- Added a description to
package.json
- Removed hefty Lodash dependency from HSTS and CSP
- Updated string detection module in Frameguard
- Changed readme slightly to better reflect project's focus
- Deprecated
crossdomainmiddleware
crossdomainis no longer a default middleware
- Updated all outdated dependencies (insofar as possible)
- HSTS now uses Lodash like all the rest of the libraries
hpkpmiddleware
- Travis CI should test 0.10 and 0.12
- Minor code cleanup
- Improved
xssFilterperformance - Updated Lodash versions
- "Other recommended modules" in README
- Updated Lodash version
frameguardmiddleware exported a function calledxframe
- You can disable
cspfor Android
cspon Chrome Mobile on Android and iOS
nocacheshould force revalidation
platformversion in CSP and X-XSS-Protection
- Updated bad wording in frameguard docs
- Updated Connect version
- Fixed minor
cspbugfixes
- Updated URLs in
package.jsonfor new URL
- CSP would set all headers forever after receiving an unknown user agent
- Most middlewares have some aliases now
xframenow calledframeguard(thoughxframestill works)frameguardchooses sameorigin by defaultframeguardunderstands "SAME-ORIGIN" in addition to "SAMEORIGIN"nocacheremoved from default middleware stack- Middleware split out into their own modules
- Documentation
- Updated supported Node version to at least 0.10.0
- Bumped Connect version
- Deprecation warnings
- Readme link was broken
- Support preload in HSTS header
- Use helmet-crossdomain to test the waters
- 2 spaces instead of 4 throughout the code
nocachenow sets the Expires and Pragma headersnocachenow allows you to crush ETags
- Improved the docs for nosniff
- Reverted HSTS behavior of requiring a specified max-age
- Allow HSTS to have a max-age of 0
- All middleware functions are named
- Throw error with non-positive HSTS max-age
- Added semicolons in README
- Make some Errors more specific
- Removed all comment headers; refer to the readme
helmet()was having issues- Fixed Syntax errors in README
This changelog was created after the release of 0.3.1.