Bump bepsvpt/secure-headers from 6.3.0 to 7.0.0
Created by: dependabot[bot]
Bumps bepsvpt/secure-headers from 6.3.0 to 7.0.0.
Changelog
Sourced from bepsvpt/secure-headers's changelog.
- 7.0.0 (2020-10-14)
  - BREAKING CHANGE: `Feature-Policy` was replaced with `Permissions-Policy`.
- 6.x
Upgrade guide
Sourced from bepsvpt/secure-headers's upgrade guide.
6.2.0 to 7.0.0
- `feature-policy` was replaced with `permissions-policy`; make sure you add the `permissions-policy` config to the config file, you can find it here.

6.1.x to 6.2.0
- Add `use-permissions-policy-header` config key for `feature-policy`, you can find it here.

6.0.x to 6.1.0
- `X-Power-By` header renamed to `X-Powered-By`.

5.x.x to 6.0.0
- Lumen users need to add SecureHeadersMiddleware manually.
- HSTS preload is disabled by default now; if your HSTS config does not contain the `preload` key and you want to preserve the previous behavior, add `preload` to the HSTS section and set it to `true`.
- Update `csp` config structure from config file.

5.4.0 to 5.5.0
- The following new headers are added, you can find them here and copy to your config file.
  - X-Power-By

5.3.x to 5.4.0
- HSTS `preload` field can be disabled now, you can find it here and copy to your config file.
- `display-capture` and `document-domain` are added to Feature-Policy, you can find them here and here.

5.2.x to 5.3.0
- The following new headers are added, you can find them here and copy to your config file.
  - Feature-Policy

5.1.0 to 5.2.0
- The following new headers are added, you can find them here and here and copy to your config file.
  - Clear-Site-Data
  - Server

5.0.0 to 5.1.0
- The following new headers are added, you can find them here and copy to your config file.
  - Expect-CT

4.x.x to 5.0.0
- HPKP `hashes` field only supports the sha256 algorithm, change other algorithms to sha256.
- CSP `https-transform-on-https-connections` was removed, don't forget to use the explicit protocol.
- CSP `child-src` directive was removed, use the `frame-src` or `worker-src` directive instead.
- CSP `img-src` directive `data` field was removed, use the `schemes` field instead.
... (truncated)
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)