v2.14.0

What's Changed

• chore(ci): tweak codecov configuration by @mccutchen in #168
• add appProcotol to the k8s service for port name 'http' by @bcollard in #169
• fix: mitigate allowed redirect domain bypass by @mccutchen in #174

🔐 Security fix 🔐

This release fixes a bug that allowed clients to bypass the -allowed-redirect-domains/ALLOWED_REDIRECT_DOMAINS configuration used by the /redirect-to endpoint by passing an absolute URL without a scheme (e.g. /redirect-to?url=//evil.com).

See #173 and #174 for details about the issue and the fix, and see the Production Considerations section of the README for more info on why that configuration is important.

New Contributors

• @bcollard made their first contribution in #169

Full Changelog: v2.13.4...v2.14.0

v2.13.4

What's Changed

• feat: support Fastly and Akamai headers for client IP addr by @haccht in #167

New Contributors

• @haccht made their first contribution in #167

Full Changelog: v2.13.3...v2.13.4

v2.13.3

What's Changed

• chore(ci): simplify CI config by @mccutchen in #164
• chore(ci): fix codecov configuration by @mccutchen in #165
• feat: add a kustomize base to the repository by @james-callahan in #144
• feat: allow POST, PUT, DELETE, PATCH methods on /basic-auth endpoint by @mgeuer in #166

New Contributors

• @james-callahan made their first contribution in #144
• @mgeuer made their first contribution in #166

Full Changelog: v2.13.2...v2.13.3

v2.13.2

What's Changed

• feat: /status endpoint supports weighted choice from multiple status codes by @mccutchen in #162

Full Changelog: v2.13.1...v2.13.2

v2.13.1

What's Changed

• fix: websocket conns do not require Connection: upgrade header by @mccutchen in #161

Full Changelog: v2.13.0...v2.13.1

v2.13.0

✨ Highlights ✨

• New /websocket/echo endpoint that implements a basic, conformant WebSocket echo server, useful for testing more advanced HTTP proxy use cases or WebSocket client implementations
• New /sse endpoint that implements a simple Server-Sent Events stream, useful for testing more advanced HTTP proxy use cases
• Support for serving go-httpbin under a path prefix (thanks @waschik!)

What's Changed

• chore: update linting configuration by @mccutchen in #154
• feat: add /websocket/echo endpoint by @mccutchen in #155
• fix: ensure websocket conns respect max duration by @mccutchen in #156
• fix: silence annoying network permission popups on macos by @mccutchen in #157
• chore: minor refactor of base64 handling by @mccutchen in #158
• feat: support serving under a path prefix by @waschik in #120
• docs: update EXCLUDE_HEADERS documentation by @mccutchen in #159
• feat: add /sse endpoint to test Server-Sent Events by @mccutchen in #160

New Contributors

• @waschik made their first contribution in #120

Full Changelog: v2.12.0...v2.13.0

v2.12.0

What's Changed

• fix: /base64 endpoint decodes both URL-safe and standard b64 encodings by @mccutchen in #153

Full Changelog: v2.11.1...v2.12.0

v2.11.1

What's Changed

• chore: upgrade to Go 1.21 by @harryzcy in #143
• feat: special case CloudFlare client IP addrs by @vanodevium in #148

New Contributors

• @harryzcy made their first contribution in #143
• @vanodevium made their first contribution in #148

Full Changelog: v2.11.0...v2.11.1

v2.11.0

What's Changed

• Add tests for correct handling of Expect: 100-continue by @mccutchen in #138
• Allow filtering incoming request headers using -exclude-headers/EXCLUDE_HEADERS by @bytemain in #139

New Contributors

• @bytemain made their first contribution in #139

Full Changelog: v2.10.0...v2.11.0

v2.10.0

What's Changed

• Improve /drip semantics by @mccutchen in #132
• Standardize common content types by @mccutchen in #134
• Improve and standardize error handling by @mccutchen in #135
• Consistently parse and validate user-provided status codes by @mccutchen in #137
• Major test suite overhaul in #131 and #133

⚠️ Response format changes ⚠️

• The behavior of the /drip endpoint has been adjusted slightly. In particular, the endpoint now waits until after the initial delay to start the response (i.e. write the status code), rather than starting the response immediately and then waiting for the initial delay to write the body.
• The standard Content-Type used for JSON responses has been changed from the non-standard application/json; encoding=utf-8 to the standard application/json; charset=utf-8
• Error responses generated by go-httpbin itself (e.g. due to invalid input) are returned as structured JSON:

  {
    "status_code": 400,
    "error": "Bad Request",
    "detail": "invalid status code: 1024 not in range [100, 599]"
  }

Full Changelog: v2.9.2...v2.10.0