0.5.0

What's Changed

• Add SECURITY.md by @sascha-egerer in #44
• Bound BanManager registry lifetime with a TTL by @sascha-egerer in #45
• Re-throw RedisCache::increment errors instead of returning 0 by @sascha-egerer in #46
• RequestContext: optional key, recordHit() for allow2ban by @sascha-egerer in #47
• Extract a curated subset in the observability examples by @sascha-egerer in #48
• TrustedProxyResolver: keep rightmost N entries when truncating chains by @sascha-egerer in #49
• TrustedProxyResolver: resolve bracketed IPv6+port forms by @sascha-egerer in #50
• Add KeyExtractors::hashedHeader for sensitive headers by @sascha-egerer in #52
• Default TrustedProxyResolver to a single allowed header by @sascha-egerer in #51
• Confine @pmFromFile resolution to its context folder by @sascha-egerer in #53
• Serialize file-store writers via a sidecar lock by @sascha-egerer in #55
• Serialise ApacheHtaccessAdapter writers via a sidecar flock by @sascha-egerer in #54
• Document the REMOTE_ADDR default on file-blocklist and infra listener by @sascha-egerer in #56
• Switch fail2ban Quick-Start and example 02 to RequestContext by @sascha-egerer in #57
• Read only the last X-Forwarded-For / Forwarded header instance by @sascha-egerer in #58
• Canonicalise IPv6 in IpMatcher and TrustedProxyResolver by @sascha-egerer in #59
• Restrict header_equals in safelists and switch to hash_equals by @sascha-egerer in #60
• Add signed transport for PortableConfig by @sascha-egerer in #61
• Promote PortableConfig to a first-class transport by @sascha-egerer in #62
• Compose and layer multiple Configs into one effective Config by @sascha-egerer in #63
• Add Presets and materialize PortableConfig via Config::combine() by @sascha-egerer in #64
• Validate cache keys per PSR-16 in all store backends by @sascha-egerer in #65
• Cache the parsed pattern snapshot on the blocklist read hot path by @sascha-egerer in #69
• Cap OWASP CRS per-variable values with a fail-closed, configurable limit by @sascha-egerer in #70
• Extract a shared quote-aware scanner in SecRuleParser by @sascha-egerer in #71
• Enable PHP CS Fixer fully_qualified_strict_types by @sascha-egerer in #73
• Batch ban-key existence checks in the fail2ban and allow2ban evaluators by @sascha-egerer in #72
• Remove the unused PresetUpdateChecker seam by @sascha-egerer in #76
• Use null (not []) for SuspiciousHeaders default header set by @sascha-egerer in #74
• Require an explicit BanType on isBanned() by @sascha-egerer in #75
• Flatten all XFF / Forwarded header instances before the trusted-hop walk by @sascha-egerer in #77
• Share PSR-16 bulk cache operations with per-key failure reporting by @sascha-egerer in #78
• Name CacheKeyGenerator's key-truncation budget constants by @sascha-egerer in #79
• Remove the deprecated DeprecatedConfigMethods trait from Config by @sascha-egerer in #81
• Default rule key to the configured client IP when omitted by @sascha-egerer in #82
• Add dev-main branch-alias by @KamiYang in #80
• Document allow2ban in the setDiscriminatorNormalizer applies-to list by @sascha-egerer in #83
• Finalize the 0.5.0 CHANGELOG by @sascha-egerer in #84

New Contributors

• @KamiYang made their first contribution in #80

Full Changelog: 0.4.0...0.5.0