The OWASP NodeGoat project provides an environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
## helmetjs/helmet (helmet)
### [`v3.21.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3210---2019-09-04)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.20.1...v3.21.0)
##### Added
- Updated `x-xss-protection` to v1.3.0
- Added `mode: null` to disable `mode=block`
##### Changed
- Updated `helmet-csp` to v2.9.1
- Updated `bowser` subdependency from 2.5.3 to 2.5.4. See [helmet-csp#88](https://redirect.github.com/helmetjs/csp/pull/88)
### [`v3.20.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3201---2019-08-28)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.20.0...v3.20.1)
##### Changed
- Updated `helmet-csp` to v2.9.0
### [`v3.20.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3200---2019-07-24)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.19.0...v3.20.0)
##### Changed
- Updated `helmet-csp` to v2.8.0
### [`v3.19.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3190---2019-07-17)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.18.0...v3.19.0)
##### Changed
- Updated `dns-prefetch-control` to v0.2.0
- Updated `dont-sniff-mimetype` to v1.1.0
- Updated `helmet-crossdomain` to v0.4.0
- Updated `hide-powered-by` to v1.1.0
- Updated `x-xss-protection` to v1.2.0
### [`v3.18.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3180---2019-05-05)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.17.0...v3.18.0)
##### Added
- `featurePolicy` has 19 new features: `ambientLightSensor`, `documentDomain`, `documentWrite`, `encryptedMedia`, `fontDisplayLateSwap`, `layoutAnimations`, `legacyImageFormats`, `loadingFrameDefaultEager`, `oversizedImages`, `pictureInPicture`, `serial`, `syncScript`, `unoptimizedImages`, `unoptimizedLosslessImages`, `unoptimizedLossyImages`, `unsizedMedia`, `verticalScroll`, `wakeLock`, and `xr`
##### Changed
- Updated `expect-ct` to v0.2.0
- Updated `feature-policy` to v0.3.0
- Updated `frameguard` to v3.1.0
- Updated `nocache` to v2.1.0
### [`v3.17.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3170---2019-05-03)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.16.0...v3.17.0)
##### Added
- `referrerPolicy` now supports multiple values
##### Changed
- Updated `referrerPolicy` to v1.2.0
### [`v3.16.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3160---2019-03-10)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.15.1...v3.16.0)
##### Added
- Add email to `bugs` field in `package.json`
##### Changed
- Updated `hsts` to v2.2.0
- Updated `ienoopen` to v1.1.0
- Changelog is now in the [Keep A Changelog](https://keepachangelog.com/) format
- Dropped support for Node <4. See [the commit](https://redirect.github.com/helmetjs/helmet/commit/a49cec3ca58cce484d2d05e1f908549caa92ed03) for more information
- Updated Adam Baldwin's contact information
##### Deprecated
- `helmet.hsts`'s `setIf` option has been deprecated and will be removed in `hsts@3`. See [helmetjs/hsts#22](https://redirect.github.com/helmetjs/hsts/issues/22) for more
- The `includeSubdomains` option (with a lowercase `d`) has been deprecated and will be removed in `hsts@3`. Use the uppercase-D `includeSubDomains` option instead. See [helmetjs/hsts#21](https://redirect.github.com/helmetjs/hsts/issues/21) for more
### [`v3.15.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3151---2019-02-10)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.15.0...v3.15.1)
##### Deprecated
- The `hpkp` middleware has been deprecated. If you still need to use this module, install the standalone `hpkp` module from npm. See [#180](https://redirect.github.com/helmetjs/helmet/issues/180) for more.
### [`v3.15.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3150---2018-11-07)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.14.0...v3.15.0)
##### Added
- `helmet.featurePolicy` now supports four new features
### [`v3.14.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3140---2018-10-09)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.13.0...v3.14.0)
##### Added
- `helmet.featurePolicy` middleware
### [`v3.13.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3130---2018-07-22)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.12.2...v3.13.0)
##### Added
- `helmet.permittedCrossDomainPolicies` middleware
### [`v3.12.2`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3122---2018-07-20)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.12.1...v3.12.2)
##### Fixed
- Removed `lodash.reduce` dependency from `csp`
### [`v3.12.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3121---2018-05-16)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.12.0...v3.12.1)
##### Fixed
- `expectCt` now uses a comma rather than a semicolon as the delimiter between `Expect-CT` directives
### [`v3.12.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3120---2018-03-02)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.11.0...v3.12.0)
##### Added
- `xssFilter` now supports `reportUri` option
### [`v3.11.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3110---2018-02-09)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.10.0...v3.11.0)
##### Added
- Main Helmet middleware is now named to help with debugging
### [`v3.10.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#3100---2018-01-23)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.9.0...v3.10.0)
##### Added
- `csp` now supports `prefix-src` directive
##### Fixed
- `csp` no longer loads JSON files internally, helping some module bundlers
- `false` now correctly disables a CSP directive, as documented in v3.0.0
### [`v3.9.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#390---2017-10-13)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.8.2...v3.9.0)
##### Added
- `csp` now supports `strict-dynamic` value
- `csp` now supports `require-sri-for` directive
##### Changed
- Removed `connect` dependency
### [`v3.8.2`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#382---2017-09-27)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.8.1...v3.8.2)
##### Changed
- Updated `connect` dependency to latest
### [`v3.8.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#381---2017-07-28)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.8.0...v3.8.1)
##### Fixed
- `csp` no longer automatically sets `report-to` when `report-uri` is set
### [`v3.8.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#380---2017-07-21)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.7.0...v3.8.0)
##### Changed
- `hsts` no longer cares whether it's HTTPS and always sets the header
### [`v3.7.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#370---2017-07-21)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.6.1...v3.7.0)
##### Added
- `csp` now supports `report-to` directive
##### Changed
- Throw an error when used incorrectly
- Added a few documentation files to `.npmignore`
### [`v3.6.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#361---2017-05-21)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.6.0...v3.6.1)
##### Changed
- Bump `connect` version
### [`v3.6.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#360---2017-05-04)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.5.0...v3.6.0)
##### Added
- `expectCt` middleware for setting the `Expect-CT` header
### [`v3.5.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#350---2017-03-06)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.4.1...v3.5.0)
##### Added
- `csp` now supports the `worker-src` directive
### [`v3.4.1`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#341---2017-02-24)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.4.0...v3.4.1)
##### Changed
- Bump `connect` version
### [`v3.4.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#340---2017-01-13)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.3.0...v3.4.0)
##### Added
- `csp` now supports more `sandbox` directives
### [`v3.3.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#330---2016-12-31)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.2.0...v3.3.0)
##### Added
- `referrerPolicy` allows the `strict-origin` and `strict-origin-when-cross-origin` policy values
##### Changed
- Bump `connect` version
### [`v3.2.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#320---2016-12-22)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.1.0...v3.2.0)
##### Added
- `csp` now allows `manifest-src` directive
### [`v3.1.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#310---2016-11-03)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v3.0.0...v3.1.0)
##### Added
- `csp` now allows `frame-src` directive
### [`v3.0.0`](https://redirect.github.com/helmetjs/helmet/blob/HEAD/CHANGELOG.md#300---2016-10-28)
[Compare Source](https://redirect.github.com/helmetjs/helmet/compare/v2.3.0...v3.0.0)
##### Changed
- `csp` will check your directives for common mistakes and throw errors if it finds them. This can be disabled with `loose: true`.
- Empty arrays are no longer allowed in `csp`. For source lists (like `script-src` or `object-src`), use the standard `scriptSrc: ["'none'"]`. The `sandbox` directive can be `sandbox: true` to block everything.
- `false` can disable a CSP directive. For example, `scriptSrc: false` is the same as not specifying it.
- In CSP, `reportOnly: true` no longer requires a `report-uri` to be set.
- `hsts`'s `maxAge` now defaults to 180 days (instead of 1 day)
- `hsts`'s `maxAge` parameter is seconds, not milliseconds
- `hsts` includes subdomains by default
- `domain` parameter in `frameguard` cannot be empty
##### Removed
- `noEtag` option no longer present in `noCache`
- iOS Chrome `connect-src` workaround in CSP module
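The v3.0.0 entries above, together with the 3.15.1 and 3.16.0 deprecations, are the changes that matter for an application moving from `^2.0.0` to `^3.0.0`: an `hsts.maxAge` still written in milliseconds becomes a policy lasting centuries, a lowercase `includeSubdomains` stops being honoured once `hsts@3` removes it, and an empty CSP source array is rejected instead of silently accepted. The following added example is not helmet's or NodeGoat's code. It is a small linter for a plain helmet options object that flags those changes, plus a renderer for the `Strict-Transport-Security` value according to the v3 defaults the changelog states. The option names follow the changelog; the ten-year "looks like milliseconds" threshold, the `frameguard.action` value in the migrated config and both sample configs are this example's own assumptions.

```javascript
'use strict';

// Added example, not code from helmet or NodeGoat. A small migration linter
// for a helmet options object, encoding the v3.0.0 breaking changes and the
// 3.15.1 / 3.16.0 deprecations from this changelog. It only inspects a plain
// object and never sets headers. Option names follow the changelog; the
// "looks like milliseconds" threshold is this example's own heuristic.

const ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;             // 31536000
const HELMET3_HSTS_DEFAULT_SECONDS = 180 * 24 * 60 * 60; // 15552000 (v3.0.0 default)

function lintHelmet3Config(config) {
  const findings = [];
  const add = (option, severity, message) => findings.push({ option, severity, message });

  const hsts = config.hsts;
  if (hsts && typeof hsts === 'object') {
    // v3.0.0: maxAge is seconds, not milliseconds. Read as seconds, anything
    // over ten years is almost certainly a v2-era millisecond value.
    if (typeof hsts.maxAge === 'number' && hsts.maxAge > 10 * ONE_YEAR_SECONDS) {
      add('hsts.maxAge', 'error',
        `${hsts.maxAge} looks like milliseconds; v3 takes seconds (${ONE_YEAR_SECONDS} is one year)`);
    }
    // 3.16.0: lowercase-d spelling deprecated, removed in hsts@3.
    if ('includeSubdomains' in hsts) {
      add('hsts.includeSubdomains', 'warning', 'deprecated; rename to includeSubDomains');
    }
    // 3.16.0: setIf deprecated, removed in hsts@3 (3.8.0 already made the header unconditional).
    if ('setIf' in hsts) {
      add('hsts.setIf', 'warning', 'deprecated; mount the middleware conditionally instead');
    }
  }

  const csp = config.contentSecurityPolicy;
  if (csp && csp.directives && typeof csp.directives === 'object') {
    for (const [name, value] of Object.entries(csp.directives)) {
      // v3.0.0: empty arrays are rejected; ["'none'"] blocks, false drops the directive.
      if (Array.isArray(value) && value.length === 0) {
        add(`contentSecurityPolicy.directives.${name}`, 'error',
          'empty array is rejected; use ["\'none\'"] to block or false to omit the directive');
      }
    }
  }

  // v3.0.0: frameguard's domain cannot be empty.
  if (config.frameguard && typeof config.frameguard === 'object' && config.frameguard.domain === '') {
    add('frameguard.domain', 'error', 'empty domain is rejected in v3');
  }
  // v3.0.0: noEtag option removed from noCache.
  if (config.noCache && typeof config.noCache === 'object' && 'noEtag' in config.noCache) {
    add('noCache.noEtag', 'warning', 'option removed in v3 and now ignored');
  }
  // 3.15.1: hpkp middleware deprecated.
  if (config.hpkp) {
    add('hpkp', 'warning', 'deprecated in 3.15.1; install the standalone hpkp package if still needed');
  }
  return findings;
}

// Strict-Transport-Security value as the v3.0.0 notes describe the defaults:
// maxAge in seconds, 180 days by default, subdomains included unless opted out.
function buildHstsHeader(opts = {}) {
  const maxAge = Number.isInteger(opts.maxAge) && opts.maxAge >= 0
    ? opts.maxAge : HELMET3_HSTS_DEFAULT_SECONDS;
  const includeSubDomains = opts.includeSubDomains !== false;
  return includeSubDomains ? `max-age=${maxAge}; includeSubDomains` : `max-age=${maxAge}`;
}

// Constructed sample: a helmet 2-style options object as it might have looked
// before this upgrade (not NodeGoat's actual configuration).
const legacyConfig = {
  hsts: { maxAge: 31536000000, includeSubdomains: true, setIf: (req) => req.secure },
  contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], objectSrc: [], scriptSrc: false } },
  frameguard: { domain: '' },
  noCache: { noEtag: true },
};

// The same intent written for helmet 3. frameguard's `action` option is
// assumed here; the changelog does not describe it.
const migratedConfig = {
  hsts: { maxAge: ONE_YEAR_SECONDS, includeSubDomains: true },
  contentSecurityPolicy: { directives: { defaultSrc: ["'self'"], objectSrc: ["'none'"], scriptSrc: false } },
  frameguard: { action: 'deny' },
  noCache: true,
};

for (const f of lintHelmet3Config(legacyConfig)) {
  console.log(`${f.severity}: ${f.option}: ${f.message}`);
}
console.log(`migrated config findings: ${lintHelmet3Config(migratedConfig).length}`);
console.log(`default HSTS header: ${buildHstsHeader()}`);
```

Run with `node` to see six findings for the legacy object and none for the migrated one. The `maxAge` check is deliberately a heuristic: a genuine one-year policy written as `31536000` passes, while `31536000000` (one year expressed in milliseconds, which helmet 3 would treat as a policy of roughly a thousand years) is flagged.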
This PR contains the following updates:

- helmet: `^2.0.0` -> `^3.0.0`

By merging this PR, issue #62 will be automatically resolved and closed.

Release notes for the versions covered by this update (v3.0.0 through v3.21.0) are listed in the helmet changelog above.