All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
- Removed support for header-based logger feature
- Support for url decode reserved characters feature
- Added `failOnEmptyBody` flag for `callServer` to specify whether or not a request should fail if it has no body.
- Updated the configuration of PX first-party requests to include a connection timeout
- Updated the captcha template to handle empty captcha responses
- Support for header-based logger feature
- Added `risk_start_time` and `enforcer_start_time` fields to enforcer activities.
- Changed the structure of the headers field on async activities to an array
- Custom cookie header is processed in addition to (not instead of) the default cookie header
- Custom cookie header default value has been set to `x-px-cookies`
- Added PXHD from risk response to the async activities
- Fixed a bug in `pxCookieValidator` that failed on an invalid variable name.
- Support for handling graphQL requests with empty query field
- Support for a custom is-sensitive-request check via a function
- Support for CORS preflight requests and CORS headers in block responses
- Support User Identifiers: CTS and JWT.
- Support configurable GraphQL paths
- Support multiple queries (Apollo)
- Full scan of the GraphQL query to parse the operation name
- Ignore whitespace at the start of the operation name
- Support for `px_modify_context`, a custom function that allows more flexibility for changes to the request context
- Support for `px_custom_first_party_path` configuration
- Updated dependencies
- pxhd cookie is now set with `SameSite=Lax`
- GraphQL: parsed operation name issue
- Update block page to support error handling for mobile.
- Credentials intelligence v2 hashing protocol added and set as default
- URLs with query params did not render properly on new block page
- Bug fix in new block page
- New block page implementation
- Send PX cookie over `risk_api` on sensitive routes
- Support for dynamic cookie signing with IP (requires PXHD)
- Support for credentials intelligence protocols `v1` and `multistep_sso`
- Support for login successful reporting methods `header`, `status`, and `custom`
- Support for automatic sending of `additional_s2s` activity
- Support for manual sending of `additional_s2s` activity via header or API call
- Support for sending raw username on `additional_s2s` activity
- Support for login credentials extraction via custom callback
- New `request_id` field added to all enforcer activities
- Login credentials extraction handles body encoding based on `Content-Type` request header
- Successful login credentials extraction automatically triggers `risk_api` call without needing to enable sensitive routes
- Enforced routes work in monitor mode
- Bypass monitor header works with configured monitored routes
- Code Defender first party XHR and first party Sensor support
- Added `server_info_origin` to all enforcer activities; indicates which CDN POP/datacenter the request hit
- Sensitive route based on GraphQL payload
- Enforced route bugfix
- Login credentials extraction sends hashed credentials (`creds`) instead of `pass`
- Login credentials extraction normalizes username field to lowercase prior to hashing
- Login credentials extraction fields align with spec (all `snake_case`, not `camelCase`)
- Login credentials extraction handles body encoding based on `Content-Type` request header
- Login credentials extraction paths are added as sensitive routes automatically
- Added `raw_username` field with default value `null` to `additional_s2s` activity
- Additional activity header feature support
- Nonce support in CSP header
- Compromised credentials header support
- Configuration changes to match Enforcer Spec v1.0.0
- Bug fix: cookie decryption failed on mobile SDK error
- CSP Support.
- Wrong reporting for bypass monitor header.
- Data Enrichment parsing.
- Support for regular expressions in filter by user agent
- Support for login credentials extraction
- Support for `customCookieHeader`
- New config to support custom logger
- `telemetry_handler.js` now uses the logger in config rather than creating its own `PxLogger`
- `PxLogger` now directly consumes user-defined `params`, removing the circular dependency between `PxConfig` and `PxLogger`
- String interpolation syntax errors in `telemetry_handler.js`
- Bug where `debug` logs in `PxConfig` never get called
- Issue where `debug` does not check `msg` type the same way `error` does
- Support for `ACTIVITIES_TIMEOUT_MS`.
- New config to support `Secure` flag for pxhd cookie
- Support for external activities
- Custom parameters for async activities.
- `originalRequest` support for ExpressJS.
- Support for filtering traffic by http method
- Support for regex in enforced/whitelisted/monitored specific routes.
- Support for filtering traffic by IPs/CIDRs.
- Support for filtering traffic by user agents.
- `cssRef`, `jsRef` string values
- Send HTTP method on async activities
- Support for specific enforced routes and specific monitored routes
- Upgraded dependency
- Upgraded dependency
- Upgraded ESLint version
- Support for custom templates
- Request object is now passed to `enrichCustomParams` function
- PXHD cookie will not echo back from client
- Fixed timeout error, lint fixes
- Removed Node 11 from tests because it reached EOL
- pxhd cookie not being sent in block activity
- Do not echo back pxhd cookie coming from client
- Set pxhd expiration
- Send telemetry by command
- pxConfig setting for proxy
- Risk API timeout check
- Add advanced blocking response configuration
- Support for multiple instances of PxEnforcer (for multi px-app in same web app)
- Major parts of the code changed to inject an instance of `PxLogger` and PX config.
- Changed `PxClient.submitActivities()` signature to receive a config object.
- Support for testing blocking flow in monitor mode
- VID validity check
- Full refactor of proxy support
- Lowercasing of json response
- Various PXHD related issues
- `proxy_url` parameter in first-party `captcha.js` call
- Added PXHD handling
- Added async custom params
- Added data enrichment cookie handling
- Added Proxy support
- `px_cookie_hmac` was missing from risk API calls
- First party captcha fallback
- Configurable testing mode
- New call reason 'no_cookie_key'
- Phin callback-related issue
- Better handling of activities when `customRequestHandler` is used
- Better error messages for requests
- Various fixes regarding `page_requested` and `pass_reason`
- Refactored request module to use Phin.js
- Better handling for custom request handler
- Error handling for non-response requests
- Better error handling
- Advanced Blocking Response
- `simulated_block` property on Risk API call
- Enrich Custom Parameters support
- Captcha v2 support
- Ratelimit support
- Empty `ipHeaders` property handling
- Various first party fixes
- Sending original cookie on decryption failure
- Added funCaptcha support for mobile
- First party mode enabled by default
- Improved first party mode
- Update templates to support smart snippet
- FunCaptcha compatibility for mobile
- Various first party fixes
- Stability related fixes
- Changed default value for client url
- Changed default value for first party
- First party support
- Handle original token for mobile