Skip to content

Releases: GetPageSpeed/ngx_security_headers

v0.2.0: Cross-Origin Security Headers

03 Feb 10:58
@dvershinin dvershinin
0.2.0
62d2685

Choose a tag to compare

View all tags
v0.2.0: Cross-Origin Security Headers Latest
Latest

What's New

This release adds support for three Cross-Origin HTTP security headers as requested in #17:

New Directives

Directive Values Default
security_headers_corp same-site, same-origin, cross-origin, omit same-site
security_headers_coop same-origin, same-origin-allow-popups, unsafe-none, omit omit
security_headers_coep require-corp, credentialless, unsafe-none, omit omit

Design Decisions

  • CORP defaults to same-site - Safe opt-out default that only affects how YOUR resources are embedded elsewhere
  • COOP/COEP default to omit - Opt-in because they can break popup communication and third-party resources
  • COEP includes credentialless - Provides a middle ground for cross-origin isolation

Cross-Origin Isolation

To enable full cross-origin isolation (required for SharedArrayBuffer):

security_headers on;
security_headers_corp same-origin;
security_headers_coop same-origin;
security_headers_coep require-corp;

⚠️ Warning: Full isolation will break loading any cross-origin resources without proper CORS headers.

References

Fixes #17

Assets 2
Loading

v0.1.2

26 Apr 11:51
@dvershinin dvershinin
0.1.2
1a257f8
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.1.2

What's Changed

  • More headers to hide, more tests, if replaced by switch by @novashdima in #23

New Contributors

Full Changelog: 0.1.1...0.1.2

Contributors

novashdima
Loading

v0.1.1

09 Nov 09:05
@dvershinin dvershinin
0.1.1
390dc7c
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v0.1.1

Fixed issue with scheme extraction (#22), thanks to @kosmas-valianos for the contribution.

Contributors

kosmas-valianos
Loading

v0.1.0

05 Sep 17:47
@dvershinin dvershinin
0.1.0
f9b2c96

Choose a tag to compare

View all tags
v0.1.0

Fixed

  • HSTS set to 1 year instead of 2 years by default (#18)
  • New default X-XSS-Protection: 0, see #19
Loading

v0.0.11

18 Mar 07:38
@dvershinin dvershinin
0.0.11
f450109

Choose a tag to compare

View all tags
v0.0.11

Fixed

  • Sending HSTS header no longer requires building with OpenSSL #12
  • Fixes HSTS preload was not added by default #15
Loading

v0.0.10

13 Mar 18:04
@dvershinin dvershinin
0.0.10
af3d4e7

Choose a tag to compare

View all tags
v0.0.10
  • Ability to opt-out of added preload addition for HSTS, using security_headers_hsts_preload off;.
  • Remove X-Application-Version header
  • For adding HSTS, check URL protocol instead of connection protocol to be 'https://' #12
Loading

v0.0.9

29 Feb 00:22
@dvershinin dvershinin
0.0.9
99b270d

Choose a tag to compare

View all tags
v0.0.9
  • Hide more server tokens
  • Optimization (e.g. don't send X-Frame-Options for non-HTML)
Loading

v0.0.8

05 Dec 20:03
@dvershinin dvershinin
0.0.8
85c6018

Choose a tag to compare

View all tags
v0.0.8

Added security_headers_referrer_policy directive

Loading

v0.0.7

01 Sep 18:53
@dvershinin dvershinin
0.0.7
48a8a7a

Choose a tag to compare

View all tags
v0.0.7
  • Reliable header replacement
  • Added HSTS
Loading

v0.0.4

23 Aug 23:01
@dvershinin dvershinin
0.0.4
de3a71d

Choose a tag to compare

View all tags
v0.0.4

Overwrites existing security headers, instead of duplicating them

Loading