SecureHeaders v3.1.0 Release Notes
🆕 New feature: marking all cookies as secure. Added by @jmera in https://github.com/twitter/secureheaders/pull/231. In the future, we'll probably add the ability to whitelist individual cookies that should not be marked secure. PRs welcome.
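To make the cookie change concrete, here is an added example (not the gem's own code) of what "mark all cookies as secure" means at the HTTP level: every `Set-Cookie` line leaving the app gets a `Secure` attribute unless it already has one. The `except:` list models the per-cookie whitelist the note mentions as future work; it is an assumption about how such a feature might look, not the gem's API.

```ruby
# Added example, not SecureHeaders' code: rewrite a Rack-style Set-Cookie header
# so every cookie carries the Secure attribute. Cookies that already have it are
# left alone. `except` is a hypothetical per-cookie exemption list.

SECURE_ATTRIBUTE = "secure"

# True if a single Set-Cookie line already has a Secure attribute.
# Attribute names are compared case-insensitively, as browsers do.
def secure_flag_present?(cookie_line)
  attrs = cookie_line.split(";").drop(1).map { |a| a.strip.downcase }
  attrs.include?(SECURE_ATTRIBUTE)
end

# The cookie name is everything before the first "=" of the first segment.
def cookie_name(cookie_line)
  cookie_line.split(";").first.split("=", 2).first.strip
end

# Mark one Set-Cookie line secure unless its name is exempted.
def secure_cookie(cookie_line, except: [])
  return cookie_line if secure_flag_present?(cookie_line)
  return cookie_line if except.include?(cookie_name(cookie_line))
  "#{cookie_line}; secure"
end

# Rack may carry Set-Cookie as an Array, or as one String with cookies
# separated by newlines (the historical Rack convention). Handle both and
# hand back the same shape that came in; anything else is passed through.
def secure_cookies(set_cookie_value, except: [])
  case set_cookie_value
  when Array
    set_cookie_value.map { |c| secure_cookie(c, except: except) }
  when String
    set_cookie_value.split("\n").map { |c| secure_cookie(c, except: except) }.join("\n")
  else
    set_cookie_value
  end
end

if __FILE__ == $0
  # Constructed sample header; "tracking" is exempted to show the whitelist path.
  header = ["_session=abc123; path=/; HttpOnly",
            "prefs=dark; path=/; Secure",
            "tracking=xyz; path=/"]
  puts secure_cookies(header, except: ["tracking"])
end
```

Note that the check is attribute-based, not string-based: `Secure`, `secure` and ` SECURE ` all count as already set, so the rewrite never doubles the flag.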
🔨 Internal refactoring: In https://github.com/twitter/secureheaders/pull/232, we changed the way dynamic CSP is handled internally. The biggest benefit is that highly dynamic policies (which can happen with multiple `append`/`override` calls per request) are handled better:

- Only the CSP header cache is busted when using a dynamic policy. All other headers are preserved and don't need to be generated. Dynamic X-Frame-Options changes modify the cache directly.
- Idempotency checks for policy modifications are deferred until the end of the request lifecycle and only happen once, instead of per `append`/`override` call. The idempotency check itself is fairly expensive.
- The CSP header string is produced at most once per request.
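The three bullets describe one caching strategy, so here is an added example (not the gem's internals) that models it end to end: static headers are built once and kept, `append`/`override` only queue a change and mark the CSP entry dirty, a dynamic X-Frame-Options change writes straight into the cache, and the expensive idempotency check plus the CSP string build each run at most once when the headers are finally read. The policy shape (directive name to source list), the header names and the de-duplication rule standing in for the idempotency check are simplifying assumptions.

```ruby
# Added example, not SecureHeaders' code: a per-request header cache that
# follows the refactoring described above. Counters expose how often the
# expensive steps actually ran so the behaviour can be verified.
class RequestHeaders
  attr_reader :csp_builds, :idempotency_checks

  # Headers that never depend on the dynamic policy (assumed values).
  STATIC_HEADERS = {
    "X-Content-Type-Options" => "nosniff",
    "X-Frame-Options" => "sameorigin"
  }.freeze

  # base_policy: e.g. { "default-src" => ["'self'"] }
  def initialize(base_policy)
    @policy = base_policy.transform_values(&:dup) # effective policy for this request
    @cache = STATIC_HEADERS.dup                   # per-request header cache
    @pending = []                                 # queued [:append/:override, directive, sources]
    @csp_dirty = true                             # CSP not rendered yet
    @csp_builds = 0
    @idempotency_checks = 0
  end

  # Queue a modification. Only the CSP cache entry is invalidated; every
  # other cached header survives untouched.
  def append(directive, sources)
    @pending << [:append, directive, sources]
    @csp_dirty = true
  end

  def override(directive, sources)
    @pending << [:override, directive, sources]
    @csp_dirty = true
  end

  # Dynamic X-Frame-Options changes go straight into the cache: no CSP
  # rebuild and no idempotency check are triggered.
  def frame_options=(value)
    @cache["X-Frame-Options"] = value
  end

  # Called at the end of the request. The CSP string is rebuilt only when a
  # modification was queued since the last build, so it is produced at most
  # once per request in the common case.
  def headers
    if @csp_dirty
      @cache["Content-Security-Policy"] = build_csp
      @csp_dirty = false
    end
    @cache.dup
  end

  private

  def build_csp
    @csp_builds += 1
    apply_pending
    @policy.map { |directive, srcs| "#{directive} #{srcs.join(' ')}" }.join("; ")
  end

  # Apply every queued modification, then run the idempotency check exactly
  # once over the whole policy (modelled here as de-duplicating sources).
  def apply_pending
    @pending.each do |op, directive, sources|
      case op
      when :append   then @policy[directive] = (@policy[directive] || []) + sources
      when :override then @policy[directive] = sources.dup
      end
    end
    @pending.clear
    @idempotency_checks += 1
    @policy.transform_values!(&:uniq)
  end
end

if __FILE__ == $0
  h = RequestHeaders.new("default-src" => ["'self'"], "script-src" => ["'self'"])
  h.append("script-src", ["https://cdn.example"]) # constructed sample source
  h.append("script-src", ["https://cdn.example"]) # duplicate, collapsed once at the end
  h.frame_options = "deny"
  h.headers.each { |k, v| puts "#{k}: #{v}" }
  puts "csp builds: #{h.csp_builds}, idempotency checks: #{h.idempotency_checks}"
end
```

The point to notice is the ordering: a request that calls `append` ten times still pays for one idempotency pass and one string build, and touching X-Frame-Options never forces either.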