- 8.0.0 (2024-10-13)
  - Support `X-DNS-Prefetch-Control` header.
  - Support `clientHints` for `Clear-Site-Data` header.
  - Support `Reporting-Endpoints` and `NEL` headers. (#49)
  - Update directives for `Content-Security-Policy` header.
    - The following directives were updated:
      - `sandbox`
      - `trusted-types`
    - The following directives were added:
      - `fenced-frame-src`
    - The following directives were removed:
      - `navigate-to`
      - `plugin-types`
  - Update directives for `Permissions-Policy` header.
    - The following directives were added:
      - `attribution-reporting`
      - `bluetooth`
      - `browsing-topics`
      - `compute-pressure`
      - `gamepad`
      - `hid`
      - `identity-credentials-get`
      - `idle-detection`
      - `local-fonts`
      - `otp-credentials`
      - `publickey-credentials-create`
      - `serial`
      - `speaker-selection`
      - `storage-access`
      - `window-management`
    - The following directives were removed:
      - `battery`
      - `execution-while-not-rendered`
      - `execution-while-out-of-viewport`
      - `navigation-override`
      - `sync-xhr`
- 7.5.0 (2024-03-14)
  - Support Laravel 11
- 7.4.0 (2023-02-07)
  - Support Laravel 10
- 7.3.0 (2022-11-20)
- 7.2.0 (2022-02-10)
  - Support Laravel 9
- 7.1.0 (2020-12-12)
  - Add `csp_nonce` helper function, an alias of the `Bepsvpt\SecureHeaders\SecureHeaders::nonce` method.
- 7.0.0 (2020-10-14)
  - BREAKING CHANGE
    - `Feature-Policy` was replaced with `Permissions-Policy`.
- 6.3.0 (2020-09-07)
  - Support Laravel 8
- 6.2.0 (2020-08-09)
  - Support Permissions-Policy without breaking change.
- 6.1.0 (2020-07-27)
  - Fix X-Powered-By header name. (#50)
- 6.0.1 (2020-04-15)
  - Fix nonces not being cleared. (#46)
- 6.0.0 (2020-03-07)
  - BREAKING CHANGE
    - Lumen project does not automatically add SecureHeadersMiddleware to global middleware.
    - Remove HPKP (Public Key Pinning mechanism was deprecated in favor of Certificate Transparency and Expect-CT header)
    - Feature-Policy remove `speaker` and `vr` directives
    - Disable HSTS preload by default (#42)
    - Content-Security-Policy remove `custom-csp` key
    - Content-Security-Policy empty directive config will just be omitted (before 6.0 it was set to `'none'`).
    - Content-Security-Policy directive keyword `unsafe-hashed-attributes` is replaced by `unsafe-hashes`
    - Content-Security-Policy directive `nonces` array was removed (according to the RFC, a unique nonce value should be generated each time, so it should not be set up by the user). The `SecureHeaders::nonce` method now requires one parameter, which should be `'script'` or `'style'` (default is `'script'`).
    - Content-Security-Policy directive `add-generated-nonce` key was removed, it is no longer needed.
    - Content-Security-Policy supports following directives: `report-to`, `child-src`, `navigate-to`, `prefetch-src`, `require-trusted-types-for`, `script-src-attr`, `script-src-elem`, `style-src-attr`, `style-src-elem`, `trusted-types`
    - Feature-Policy supports following directives: `battery`, `execution-while-not-rendered`, `execution-while-out-of-viewport`, `layout-animations`, `legacy-image-formats`, `navigation-override`, `oversized-images`, `publickey-credentials`, `unoptimized-images`, `unsized-media`, `wake-lock`, `xr-spatial-tracking`
- 5.6.0 (2020-03-05)
  - Support Laravel 7.0
- 5.5.0 (2019-09-07)
  - Support Laravel 6.0
  - Support X-Power-By header
- 5.4.0 (2019-06-07)
  - Support disabling HSTS `preload`
  - Add `display-capture` and `document-domain` to Feature-Policy
  - Add `src` allowlist to Feature-Policy
- 5.3.3 (2019-02-28)
  - Support Laravel 5.8
  - Let Travis CI cover all supported PHP and Laravel versions
- 5.3.2 (2018-10-26)
  - Support Feature-Policy sync-xhr directive
- 5.3.1 (2018-09-06)
  - Support Laravel 5.7
- 5.3.0 (2018-08-04)
  - Support Feature-Policy header
- 5.2.1 (2018-07-31)
  - Update documentation
- 5.2.0 (2018-06-09)
  - Support Clear-Site-Header header
  - Support Server header
- 5.1.0 (2018-05-07)
  - Support Expect-CT header
- 5.0.0 (2018-04-09)
  - Support Content Security Policy Level 3.
  - Change HPKP `hashes` field scheme.
  - Change CSP directive `hashes` field scheme.
  - Rename CSP directive `type` field to `schemes`.
  - Remove CSP `https-transform-on-https-connections` directive.
  - Remove CSP `image-src` directive `data` field.
  - Do not use other packages to build the CSP and HPKP headers.
- 4.2.0 (2018-03-11)
- 4.1.0 (2017-09-01)
  - Support Laravel 5.5 (1f76e6a)
- 4.0.0 (2017-08-04)
  - Transform paragonie/csp-builder dependency to bepsvpt/csp-builder (4ce4f14)
  - Transform paragonie/hpkp-builder dependency to bepsvpt/hpkp-builder (4b69514) (da7091e)
- 3.1.0 (2017-07-18)
  - Support Lumen framework (ddc61b1)
- 3.0.7 (2017-05-16)
  - Change referrer-policy header default value (8367d29)
- 3.0.6 (2017-04-20)
- 3.0.5 (2017-04-09)
- 3.0.4 (2017-02-21)
  - Fix Laravel 5.1 compatibility (#3)
- 3.0.3 (2017-01-29)
  - Support Laravel 5.4 (a98840e)
- 3.0.2 (2017-01-23)
  - Support disabling specific headers (9d995f7)
- 3.0.1 (2017-01-19)
  - Remove incorrect dependents (64e0f93)
- 3.0.0 (2016-12-19)
  - Support non-Laravel projects
  - Remove env helper function from config file (d4379b0)
  - Change namespace
  - Change project name
- 2.2.0 (2016-10-03)
  - Add X-Download-Options, X-Permitted-Cross-Domain-Policies, Referrer-Policy headers
- 2.1.1 (2016-08-24)
  - Prevent tests from polluting helper functions
- 2.1.0 (2016-08-24)
  - Revert config file from JSON format to PHP
- 2.0.0 (2016-08-18)
  - Transform config file to JSON format
  - Remove force https config
  - Increase minimum PHP version to 7.0
- 1.1.2 (2016-01-02)
  - Code refactoring
  - Debug mode will add CSP header now