Releases: nelmio/NelmioSecurityBundle
Releases · nelmio/NelmioSecurityBundle
2.0.1
- Fix CookieSessionHandler::open that should return true unless there's an error
2.0.0
- Add support for Content-Security-Policy Level 2 directives
- Add support for Content-Security-Policy Level 2 signatures (nonce and message digest)
- Add browser adaptive directives - do not send directives not supported by browser - via browser_adaptive parameter
- Allow report-uri to be defined as a scalar
- Deprecate encrypted cookie support due to high coupling to the deprecated mcrypt extension
- Drop backward-compatibility with first deprecated CSP configuration
1.10.0
1.9.1
1.9.0
- Add Symfony 3 compatibility
- external_redirects definition can now contains full URL
- Allow dynamic CSP configuration
- BugFix: Fix clickjacking URL normalization when containing dash and no underscore
1.8.0
- Added HTTP response's content-type restriction for Clickjacking and CSP headers.
- Added Microsoft's XSS-Protection support
- Disabled Clickjacking, CSP and NoSniff headers in the context of HTTP redirects
- Fixed bug in handling of the external_redirects.log being disabled
1.7.0
- Added a
Nelmio\SecurityBundle\ExternalRedirect\TargetValidatorinterface to implement custom rules for the external_redirects feature. You can override thenelmio_security.external_redirect.target_validatorservice to change the default. - Added a
hostskey in the CSP configuration to restrict CSP-checks to some host names - Fixed a bug in
flexible_sslwhere the auth cookie was updated with a wrong expiration time the second time the visitor comes to the site. - Removed X-Webkit-CSP header as none of the webkits using it are still current.