Changelog

Version 2.0.0

Support for MCP Protection (Agentic Trust) via px_agentic_trust_enabled and px_agentic_trust_mcp_endpoint_path configurations
Support for snippet injection via px_snippet_injection_enabled and px_create_custom_snippet configurations
Support for proxy URL via px_proxy_url configuration
Support for data enrichment header via px_data_enrichment_header_name configuration
Support for async timeout via px_async_timeout configuration
Support for configuring whether async HTTP requests are awaited via px_await_async_http_requests configuration
Support for response custom parameters 11-20 extracted from the origin response via px_enrich_response_custom_parameters
Support for Hard Block action
Support for regex-formatted strings (e.g., "/^\/path$/i") in route and user-agent filter configurations (px_sensitive_routes, px_monitored_routes, px_enforced_routes, px_graphql_routes, px_filter_by_route, px_filter_by_user_agent, px_graphql_keywords, px_sensitive_graphql_operation_names)
Support for regular expressions in px_filter_by_user_agent
orig_cookie_vid field added to all Enforcer activities
is_sensitive_route field added to risk API and async activities
Request object now passed to response custom parameters function (px_enrich_response_custom_parameters)

Updated perimeterx-js-core to v0.37.1
Telemetry activity update_reason field now reflects the reason for telemetry (command or risk) and includes a request_id field

Added GraphQL query keyword extraction via string/regex (px_graphql_keywords) and custom function (px_extract_graphql_keywords)
Added support for cookie secret rotation
Modified telemetry activity to include all types of config and include redacted sensitive configuration fields
Changed default value for px_bypass_monitor_header changed from empty string to “x-px-block”
Changed configuration px_sensitive_graphql_operation_names expanded to include regular expressions and applies to extracted GraphQL keywords as well
Fixed issue where unvalidated _pxvid value was added to the captcha page
Fixed issue where regular expressions occasionally failed on calls to test() due to global flag
Fixed BodyLoginSuccessfulParser bug by implementing text() method in OutgoingResponse
Replaced \\/ with / in the telemetry regex fields value
Fixed GraphQL operation name extraction issue

Added support for URL decode reserved characters feature
Added risk_start_time and enforcer_start_time fields to enforcer activities
Added base64-encoded URL and HTTP method to captcha script query parameters on block pages
Added configuration for adding the Secure flag to PXHD cookie
Added custom function configurations for filtered, enforced, monitored, and sensitive requests
Changed Bot Defender captcha page to include client-side first party timeout
Fixed JSON parsing issue with generated package.json for CommonJS library build
Fixed inaccurate types for px_filter_by_route, px_monitored_routes, px_enforced_routes, px_sensitive_routes, px_graphql_routes configs to be Array<string | RegExp>

Updated HUMAN JavaScript Core to v0.3.0
Updated additional dependencies
Added support for GraphQL including:
- Customized GraphQL routes
- Multiple GraphQL operations
- Sensitive GraphQL operations by name or type
Fixed minor fixes to align activities to spec (px_orig_cookie, async activity headers)
Fixed bug that disregarded block action returned from risk v2 response
Custom cookie header is processed in addition to (not instead of) default cookie header
Custom cookie header default value has been set to x-px-cookies