HISTORY.md

unreleased

• deps: cookie@0.4.1
  • Fix maxAge option to reject invalid values
• deps: http-errors@1.8.0
  • deps: setprototypeof@1.2.0

1.11.0 / 2020-01-18

• deps: cookie@0.4.0
  • Add SameSite=None support
• deps: http-errors@~1.7.3
  • deps: inherits@2.0.4

1.10.0 / 2019-04-22

• deps: csrf@3.1.0
  • Remove base64-url dependency
  • deps: tsscmp@1.0.6
  • deps: uid-safe@2.1.5
• deps: http-errors@~1.7.2
  • Make message property enumerable for HttpErrors
  • Set constructor name when possible
  • deps: depd@~1.1.2
  • deps: inherits@2.0.3
  • deps: setprototypeof@1.1.1
  • deps: statuses@'>= 1.5.0 < 2'
• perf: remove argument reassignment
• perf: use plain object for internal cookie options

1.9.0 / 2016-05-27

• Pass invalid csrf token error to next() instead of throwing
• Pass misconfigured error to next() instead of throwing
• Provide misconfigured error when using cookies without cookie-parser
• deps: cookie@0.3.1
  • Add sameSite option
  • Fix cookie Max-Age to never be a floating point number
  • Improve error message when expires is not a Date
  • Throw better error for invalid argument to parse
  • Throw on invalid values provided to serialize
  • perf: enable strict mode
  • perf: hoist regular expression
  • perf: use for loop in parse
  • perf: use string concatination for serialization
• deps: csrf@~3.0.3
  • Use tsscmp module for timing-safe token verification
  • deps: base64-url@1.2.2
  • deps: rndm@1.2.0
  • deps: uid-safe@2.1.1
• deps: http-errors@~1.5.0
  • Add HttpError export, for err instanceof createError.HttpError
  • Support new code 421 Misdirected Request
  • Use setprototypeof module to replace __proto__ setting
  • deps: inherits@2.0.1
  • deps: statuses@'>= 1.3.0 < 2'
  • perf: enable strict mode
• perf: enable strict mode
• perf: remove argument reassignment

1.8.3 / 2015-06-10

• deps: cookie@0.1.3
  • Slight optimizations

1.8.2 / 2015-05-09

• deps: csrf@~3.0.0
  • deps: uid-safe@~2.0.0

1.8.1 / 2015-05-03

• deps: csrf@~2.0.7
  • Fix compatibility with crypto.DEFAULT_ENCODING global changes

1.8.0 / 2015-04-07

• Add sessionKey option

1.7.0 / 2015-02-15

• Accept CSRF-Token and XSRF-Token request headers
• Default cookie.path to '/', if using cookies
• deps: cookie-signature@1.0.6
• deps: csrf@~2.0.6
  • deps: base64-url@1.2.1
  • deps: uid-safe@~1.1.0
• deps: http-errors@~1.3.1

• Construct errors using defined constructors from createError
• Fix error names that are not identifiers
• Set a meaningful name property on constructed errors

1.6.6 / 2015-01-31

• deps: csrf@~2.0.5
  • deps: base64-url@1.2.0
  • deps: uid-safe@~1.0.3

1.6.5 / 2015-01-08

• deps: csrf@~2.0.4
  • deps: uid-safe@~1.0.2

1.6.4 / 2014-12-30

• deps: csrf@~2.0.3
  • Slight speed improvement for verify
  • deps: base64-url@1.1.0
  • deps: rndm@~1.1.0
• deps: http-errors@~1.2.8

• Fix stack trace from exported function

1.6.3 / 2014-11-09

• deps: csrf@~2.0.2
  • deps: scmp@1.0.0
• deps: http-errors@~1.2.7

• Remove duplicate line

1.6.2 / 2014-10-14

• Fix cookie name when using cookie: true
• deps: http-errors@~1.2.6
  • Fix expose to be true for ClientError constructor
  • Use inherits instead of util
  • deps: statuses@1

1.6.1 / 2014-09-05

• deps: cookie-signature@1.0.5

1.6.0 / 2014-09-03

• Set code property on CSRF token errors

1.5.0 / 2014-08-24

• Add ignoreMethods option

1.4.1 / 2014-08-22

• Use csrf-tokens instead of csrf

1.4.0 / 2014-07-30

• Support changing req.session after csurf middleware
  • Calling res.csrfToken() after req.session.destroy() will now work

1.3.0 / 2014-07-03

• Add support for environments without res.cookie (connect@3)

1.2.2 / 2014-06-18

• deps: csrf-tokens@~2.0.0

1.2.1 / 2014-06-09

• Refactor to use csrf-tokens module

1.2.0 / 2014-05-13

• Add support for double-submit cookie

1.1.0 / 2014-04-06

• Add constant-time string compare