diff --git a/Gemfile.lock b/Gemfile.lock index c8f38c153..33711798d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ PATH remote: . specs: - clearance (1.15.1) + clearance (1.16.0) bcrypt email_validator (~> 1.4) rails (>= 3.1) @@ -53,9 +53,9 @@ GEM bundler rake thor (>= 0.14.0) - arel (6.0.3) + arel (6.0.4) bcrypt (3.1.11) - builder (3.2.2) + builder (3.2.3) capybara (2.7.1) addressable mime-types (>= 1.16) @@ -64,7 +64,7 @@ GEM rack-test (>= 0.5.4) xpath (~> 2.0) coderay (1.1.1) - concurrent-ruby (1.0.2) + concurrent-ruby (1.0.4) database_cleaner (1.5.3) diff-lcs (1.2.5) email_validator (1.6.0) @@ -78,7 +78,7 @@ GEM globalid (0.3.7) activesupport (>= 4.1.0) i18n (0.7.0) - json (1.8.3) + json (1.8.6) loofah (2.0.3) nokogiri (>= 1.5.9) mail (2.6.4) @@ -88,14 +88,14 @@ GEM mime-types-data (~> 3.2015) mime-types-data (3.2016.0521) mini_portile2 (2.1.0) - minitest (5.9.1) + minitest (5.10.1) nokogiri (1.6.8.1) mini_portile2 (~> 2.1.0) pry (0.10.3) coderay (~> 1.1.0) method_source (~> 0.8.1) slop (~> 3.4) - rack (1.6.4) + rack (1.6.5) rack-test (0.6.3) rack (>= 1.0) rails (4.2.7.1) @@ -111,9 +111,9 @@ GEM sprockets-rails rails-deprecated_sanitizer (1.0.3) activesupport (>= 4.2.0.alpha) - rails-dom-testing (1.0.7) + rails-dom-testing (1.0.8) activesupport (>= 4.2.0.beta, < 5.0) - nokogiri (~> 1.6.0) + nokogiri (~> 1.6) rails-deprecated_sanitizer (>= 1.0.1) rails-html-sanitizer (1.0.3) loofah (~> 2.0) @@ -122,7 +122,7 @@ GEM activesupport (= 4.2.7.1) rake (>= 0.8.7) thor (>= 0.18.1, < 2.0) - rake (11.3.0) + rake (12.0.0) rspec-core (3.4.4) rspec-support (~> 3.4.0) rspec-expectations (3.4.0) @@ -143,7 +143,7 @@ GEM shoulda-matchers (2.8.0) activesupport (>= 3.0.0) slop (3.6.0) - sprockets (3.7.0) + sprockets (3.7.1) concurrent-ruby (~> 1.0) rack (> 1, < 3) sprockets-rails (3.2.0) @@ -151,7 +151,7 @@ GEM activesupport (>= 4.0) sprockets (>= 3.0.0) sqlite3 (1.3.11) - thor (0.19.1) + thor (0.19.4) thread_safe (0.3.5) timecop (0.8.1) tzinfo (1.2.2) 
diff --git a/NEWS.md b/NEWS.md
index 215aa677e..46ed5011d 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -3,6 +3,19 @@
 The noteworthy changes for each Clearance version are included here. For a complete changelog, see the git history for each version via the version links.
+## [1.16.0] - January 16, 2017
+
+### Security
+- Clearance users can now help prevent [session fixation attacks] by setting
+ `Clearance.configuration.rotate_csrf_on_sign_in` to `true`. This will cause
+ the user's CSRF token to be rotated on sign in and is recommended for all
+ Clearance applications. This setting will default to `true` in Clearance 2.0.
+ Clearance will emit a warning on each sign in until this configuration setting
+ is explicitly set to `true` or `false`.
+
+[session fixation attacks]: https://www.owasp.org/index.php/Session_fixation
+[1.16.0]: https://github.com/thoughtbot/clearance/compare/v1.15.1...v1.16.0
+
 ## [1.15.1] - October 6, 2016
 ### Fixed
diff --git a/lib/clearance/version.rb b/lib/clearance/version.rb
index fde78e110..814d573ca 100644
--- a/lib/clearance/version.rb
+++ b/lib/clearance/version.rb
@@ -1,3 +1,3 @@
 module Clearance
- VERSION = "1.15.1".freeze
+ VERSION = "1.16.0".freeze
 end