What's New
Version 6.4.0
Released 2024-12-04
- Added support for snippet injection feature (px_snippet_injection_enabled and px_create_custom_snippet configurations)
- Added remote_config_id field to activities
Version 6.3.2
Released 2024-08-07
- Added cookie secret rotation support
- Added a configuration to include/exclude the request URL in the captcha block page.
- Support changing the blockers in an easier way
- IUrlSearchParams no longer requires method forEach.
- Converted fields login_successful_reporting_method and sent_through of CredentialEndpointConfiguration to optional.
Version 6.3.1
Released 2024-07-03
- Fixed issue where login successful reporting method of body would return false or throw an error due to original response body being used
- Replaced \\/ with / in the regex values reported in the enforcer telemetry activity
Version 6.3.0
Released 2024-06-24
- Added GraphQL query keyword extraction via string/regex (px_graphql_keywords configuration) and custom function (px_extract_graphql_keywords configuration). This
- Added support for regular expressions in remote configuration fields
- Changed default value for px_bypass_monitor_header from empty string to "x-px-block"
- Configuration px_sensitive_graphql_operation_names expanded to include regular expressions and applies to extracted GraphQL keywords as well
- Telemetry activity includes redacted sensitive configuration fields
- Fixed issue where global regular expressions occasionally failed (only applies to regular expressions defined with the g global flag)
- Fixed issue where remote config changes did not change logger severity
Version 6.2.0
Released 2024-05-16
- Fixed issue where unvalidated _pxvid value was added to the captcha page
- Support multiple config types (active, static, remote)
- Modify telemetry activity to include all types of config
- Changed remote config notify method to POST instead of PATCH
- Removed remote config secret from configuration
Version 6.1.1
Released 2024-02-21
- Fixed JSON parsing issue with generated package.json for CommonJS library build
Version 6.1.0
Released 2024-02-18
- Added base64-encoded request http method to captcha script query parameters on block pages
Version 6.0.3
Released 2024-02-12
- Fixed used body issue with filtered requests by making the request mutable only once the context is saved
- Using context logger rather than config logger for request flow
Version 6.0.2
Released 2024-01-25
- Fixed issue with invalid URL query params by adding fallback URL
Version 6.0.1
Released 2024-01-09
- Fixed issue that caused a worker error for filtered requests executed after POST requests (due to reused executionContext)
Version 6.0.0
Released 2024-01-03
- Released as NPM Package with TypeScript Support
- Maintains support for the following features:
  - additional activity handler
  - advanced blocking response
  - block activity
  - block page captcha
  - block page rate limit
  - bypass monitor header
  - client ip extraction
  - cookie v3
  - cors support
  - credentials intelligence
  - css ref
  - custom cookie header
  - custom first party endpoints
  - custom logo
  - custom parameters
  - enforced routes
  - filter by extension
  - filter by http method
  - filter by ip
  - filter by route
  - filter by user agent
  - first party
  - graphql support
  - header based logger
  - hype sale challenge
  - js ref
  - logger
  - mobile support
  - module enable
  - module mode
  - monitored routes
  - page requested activity
  - pxde
  - pxhd
  - remote config
  - risk api
  - sensitive headers
  - sensitive routes
  - telemetry command
  - url decode reserved characters
  - user identifiers
  - vid extraction
Version 5.10.2
Released 2023-12-22
- Fixed first-party captcha URL validation.
Version 5.10.1
Released 2023-12-21
- Fixed issue with proxied requests URL validation
- Performance improvement by calling new Request as needed
Version 5.10.0
Released 2023-12-21
- Updated the configuration of PX first-party requests to include a connection timeout
- Updated the captcha template to handle empty captcha responses.
- Fixed issue with custom first party captcha endpoints
Version 5.9.0
Released 2023-11-29
- Added risk_start_time and enforcer_start_time fields to enforcer activities
- Removed the blockedUrl window variable from the block page to prevent XSS vulnerability
- Added blocked URL to the captcha query params
Version 5.8.1
Released 2023-11-15
- Added blocked URL to ABR and captcha template
Version 5.8.0
Released 2023-08-14
- Support for secure flag for PXHD cookies
Version 5.7.1
Released 2023-08-08
- Fixed ssl_protocol and client_uuid issue on async activities
Version 5.7.0
Released 2023-08-08
- Configure domain for PXHD cookie
- Support for header-based logger
- Support for remote configuration
- Header name changes on Risk API:
  - ip changed to socket-ip
  - uuid changed to client-uuid
- Added risk activity fields to async activities for improved detection
Version 5.6.0
Released 2023-06-11
- px_metadata supported_features alignment
- Support custom first party endpoints
Version 5.5.0
Released 2023-04-18
- Support CI both protocol
- Support CI protocol per endpoint
Version 5.4.1
Released 2023-04-02
- Adjusted request.clone() to avoid warnings
- px_s2s_timeout applied to risk_api calls only
Version 5.4.0
Released 2023-03-22
- Support custom is sensitive request via function
Version 5.3.0
Released 2023-03-16
- Custom cookie header is processed in addition to (not instead of) default cookie header
- Custom cookie header default value has been set to x-px-cookies
Version 5.2.0
Released 2023-02-02
- Support extract JWT user id from nested fields payload.
- Support extract JWT additional fields from nested fields payload.
Version 5.1.0
Released 2022-01-26
- Added - Support for CORS preflight requests and CORS headers in block responses. This will prevent the browser from blocking cross-origin requests as a result of a Block.
- Added - Support for px_filter_by_http_method feature
Version 5.0.4
Released 2022-12-11
- Added - Support to configure custom GraphQL endpoints with multiple strings and Regexes and enable/disable GraphQL support via configuration.
  - This adds flexibility to support various GraphQL implementations.
  - Default configuration will remain '/graphql' and enabled by default for backward compatibility.
Version 5.0.3
Released 2022-11-14
- Added - Support for parsing an array of GraphQL operation objects (extracts first one only)
Version 5.0.2
Released 2022-11-03
- Fixed - GraphQL query parsing ignores whitespace and \n at the beginning of the string
Version 5.0.1
Released 2022-09-20
- Added pass reason enforcer_error
- Changed s2s_error_message field to error_message on page_requested activity.
Version 5.0.0
Released 2022-07-30
- Added the ability to build enforcer in both service worker and module Cloudflare formats.
- Made filter by extension and s2s timeout features configurable rather than needing to edit the built worker.
- Using a global HUMANConfig object, which means the enforcer configuration no longer needs to be built with the worker allowing for easier future enforcer upgrades.
- Unit test expansions and improvements.
- Updated dependencies.
Version 4.5.4
Released 2022-07-28
- Added - Support displaying hype sale challenge on each user attempt to access hype sale and according to the configured limit.
Version 4.5.3
Released 2022-07-18
- Added - A CPA field to a risk activity in case of valid cookie with a CPA field
Version 4.5.2
Released 2022-07-17
- Changed - New hype sale template.
Version 4.5.1
Released 2022-06-30
- Fixed - Add SameSite=Lax to HUMANHD cookie.
Version 4.5.0
Released 2022-06-20
- Added - Support User Identifiers: CTS and JWT.
Version 4.4.2
Released 2022-05-18
- Fix - Update block page to support error handling for mobile.
Version 4.4.1
Released 2022-05-01
- Fix - Include Bypass Monitor Header feature when checking the module mode.
Version 4.4.0
Released 2022-04-13
- Added Credentials Intelligence v2 hashing protocol as the default. The new protocol normalizes and hashes credentials according to a new algorithm that improves accuracy.
- Added custom logo and alternate block script to ABR (JSON block response).
- Changed the block page to use the new template.
Version 4.3.2
Released 2022-03-30
- Fixed an error that caused page_requested activities with s2s_timeout to be sent in cases of block while in monitor mode.
Version 4.3.1
Released 2022-03-27
- Added s2s_error enrichment for enhanced visibility and analysis of errors.
- Added HTTP version field to all enforcer activities.
- Added the decoded cookie to risk_api activities if due to sensitive route.
- Fixed an issue where errors were not logged in debug mode.
- Fixed an issue that caused an exception to be thrown on GraphQL paths.
Version 4.3.0
Released 2022-02-10
- Added support for Hype Sales Challenge
Version 4.2.0
Released 2022-02-08
- Added the automatic reporting of GraphQL operation names and types on HUMAN activities, which improves visibility and detection.
- Added the sensitive GraphQL operation feature, which triggers server-to-server calls for configured GraphQL operation names and types
- Added additional_s2s activity as part of Credentials Intelligence reporting. This additional activity can be sent automatically within the Cloudflare worker or transferred as a header to the origin and sent directly to HUMAN via an XHR POST request.
- Added the ability to report the raw username to HUMAN on the additional_s2s activity in cases where compromised credentials were used to successfully log in
- Enhancements to the login credentials extraction feature, including the option to define custom extraction callbacks for endpoints, and automatic sending of credentials to HUMAN upon successful extraction, and more
Version 4.1.1
Released 2022-01-30
- Added support for automated upgrades, which allows for a faster and easier upgrade experience for enforcer versions moving forward.
Version 4.1.0
Released 2022-01-10
- Added support for snippet injection, which automatically injects the custom JS snippet into the client's HTML pages and is controlled remotely, allowing the flexibility to modify the snippet without having to deploy changes to the production environment
Version 4.0.4
Released 2021-12-29
- Added a field server_info_origin to all enforcer activities, holding the three-letter IATA airport code of the data center where the request originated
Version 4.0.3
Released 2021-12-20
- Added the ability to support multiple username and password fields for the same endpoint as part of the login credentials extraction feature
- Added the ability to filter requests from the enforcer verification flow by a specific header and its value
Version 4.0.2
Released 2021-11-22
- Added infrastructure for future support of the Credentials Intelligence product with a canonical representation of the user credentials
Version 4.0.1
Released 2021-11-08
- Added the request object to px_enrich_custom_params custom config function to enrich the information that user can send to HUMAN
- Differentiate custom code logic from the core functionality module. The config object now consists only of customer configuration without any internal logic
Version 4.0.0
Released 2021-10-25
- Restructuring of the module code to enable quick and simple upgrades moving forward, which will ease efforts to keep the enforcer up to date and allow fast delivery of new capabilities by HUMAN. Separate worker into customer facing and core sections (Config, HUMANCore, Main sections)
- Enhanced logs for debugging purposes.
- New configuration key px_login_credentials_http_body_size_limit added to limit the allowed http body size to extract the login credentials and maintain performance
- Support for outputting whether user credentials are compromised on an additional header as part of HUMAN Credential Intelligence product
Version 3.3.0
Released 2021-08-11
- Added ability to sign cookie with the following fields: user agent, IP
Version 3.2.0
Released 2021-07-27
- Support regex path configuration for login credentials extraction feature
Version 3.1.0
Released 2021-07-21
- Bug fix of unsafe cookie handling
Version 3.0.0
Released 2021-06-22
- Added the ability to manage and deploy Cloudflare workers via Wrangler CLI tool
Version 2.9.0
Released 2021-06-01
- Added handler feature which is pre enforcement
- Separation between Bot Defender and Code Defender enforcement functionality - detached mechanisms
Version 2.8.0
Released 2021-05-18
- New feature to support CSP and restrict resources as part of the Code Defender product
Version 2.7.0
Released 2021-04-07
- Added support for the login credentials extraction feature
Version 2.6.2
Released 2021-03-25
- Bug fix to enable better handling for sensor injection
Version 2.6.1
Released 2021-03-10
- Bug fix to enable better URL parsing
Version 2.6.0
Released 2021-02-01
- Bug fix to better handle hashtags
- Bug fix to better verify whitelist extensions
Version 2.5.0
Released 2020-10-25
- Added Upstream Score Header property which specifies a header name that will contain the HUMAN score to be sent to the origin.
- Added Upstream Identifier Header property which specifies a header name that will contain the HUMAN unique identifier (UUID) to be sent to the origin.
- Support for JavaScript Sensor Injection
Version 2.4.2
Released 2020-10-02
- Bug fix to verify HUMANCtx for deferred activities
Version 2.4.1
Released 2020-09-17
- Bug fix to enable sending deferred activities in monitor mode