Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

11.0.0 Release Notes #2850

hueniverse opened this issue Oct 16, 2015 · 2 comments

11.0.0 Release Notes #2850

hueniverse opened this issue Oct 16, 2015 · 2 comments


Copy link

@hueniverse hueniverse commented Oct 16, 2015


hapi v11.0.0 is primarily a rewrite of the CORS implementation. The previous code was both confusing, an incorrect implementation of the protocol, and allowed for configurations that at best returned inconsistent headers and at worst allowed cross-origin activities that were expected to be forbidden. The change removes half the CORS options available and moves the implementation to be truly per-route without any connection-wide catch-all.

  • Upgrade time: low - no time to a couple of hours for most users
  • Complexity: low - a bit of search and replace and removal of unsupported configs
  • Risk: low - low risk of side effects and few changes to keep track of overall
  • Dependencies: medium - removed the server.after() method


The v11.0.0 major release is sponsored by Sideway.

Breaking Changes

  • Removed the CORS configuration options: methods, additionalMethods, matchOrigin, isOriginExposed, and override.
  • Added the 204 HTTP status code to the default list of cached responses.
  • The qs module no longer parses dot notation names into sub objects by default.
  • Removed server.after().
  • Removed id from the 'received' event data (was already available as a generic event property).

New Features

  • Allow response validation of non-object responses (string, number, etc).
  • New option to override empty 200 HTTP status responses with 204.

Bug fixes

  • Fixes multiple issues with CORS, including a few security related.

Updated dependencies

  • qs from v4.0.0 to v5.2.0

Migration Checklist


You don't have to change anything if:

  • not setting the cors route option
  • using it with the defaults by setting the value to true
  • not using the cors options: methods, additionalMethods, matchOrigin, isOriginExposed, and override

The main changes are:

  • CORS preflight headers are now set only on preflight requests and not on resource requests. This means that the methods and additionalMethods options are no longer needed because the preflight response will return the requested method as specified by the protocol. This will ensure other methods which may not allow cross-origin access to be separately configured.
  • The override flag is no longer needed as the only header which you may manually set at the handler level is Access-Control-Expose-Headers which will be appended to by default. Setting any other CORS headers manually will result in a conflict with the preflight response.
  • The Access-Control-Allow-Origin header is now always set to the incoming Origin header value. If the incoming value does not match the allowed origins, no CORS headers are set.


  • Make sure that if you are using the internal CORS feature, you are not setting ANY CORS headers yourself other than optionally Access-Control-Expose-Headers. If you need to set any other header manually, do not use the CORS feature! You will end up with a broken and potentially insecure implementation.
  • Remove the options no longer supported. There is no need to replace them.


  • If you rely on the previous qs query parsing behavior of breaking dot-notation into segments, you must set the allowDots option to true. This is available in route config payload.qs and connection config query.qs.
  • Replace server.after(method, deps) with server.ext('onPreStart', method, { after: deps }).
  • If you listen to the request 'received' event, use the event.request value instead of the removed value.
Copy link

@NicolasRitouet NicolasRitouet commented Oct 19, 2015

isn't Replace server.after(method, deps) with server.ext('onPreStart', { after: deps }). supposed to be
Replace server.after(method, deps) with server.ext('onPreStart', method, { after: deps }).?

Copy link
Contributor Author

@hueniverse hueniverse commented Oct 19, 2015

@NicolasRitouet fixed. thanks.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants