Skip to content

v1.0.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 02 Nov 07:53
· 14 commits to main since this release
v1.0.0
7b3f1dd
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Major Changes

  • d95f3dd: Add native middleware pattern with per-request nonce generation for TanStack Start applications. This is a major update that introduces a new recommended API while maintaining backward compatibility.

    New Features:

    • createCspMiddleware() - Middleware factory for TanStack Start with per-request nonce generation
    • createNonceGetter() - Isomorphic nonce retrieval (works on server and client)
    • generateNonce() - Cryptographically secure random nonce generator
    • buildCspHeader() - Low-level CSP header building utility
    • CSP Level 3 support with automatic granular directive copying (-elem, -attr)
    • Strict nonce-based CSP for scripts (no 'unsafe-inline' in production)
    • Integration with TanStack router's native ssr.nonce option

    Breaking Changes:

    • This release is a major version because it introduces a new peer dependency: @tanstack/start-storage-context >= 1.0.0
    • The recommended API has changed from handler wrapper (createSecureHandler) to middleware pattern (createCspMiddleware)
    • Projects should migrate to the new API for better security (per-request nonces vs static headers)

    Migration:

    The old createSecureHandler API is still available and fully functional, but is now deprecated. See README for migration guide from v0.1 to v0.2.

    Security Improvements:

    • Per-request nonce generation (previously static at startup)
    • No 'unsafe-inline' fallback for scripts in production
    • Support for 'strict-dynamic' CSP directive
    • Automatic nonce application to all TanStack framework scripts
Assets 2
Loading