Changelog

v24.08 (2024-08-30)

Features

  • The metrics shown in the Management Portal have gotten an overhaul and now include counters for various types of suspicious requests.
  • The Management Portal now displays information about any loaded TLS certificate used by an endpoint.
  • Added an initial mechanism for detecting client side debugging attempts. We will be expanding the capabilities of this feature over time.
  • Added an experimental feature for more thorough client side tamper checks and JavaScript runtime environment hardening.

Improvements

  • Session IDs are now part of the request logs.
  • Protection of dynamically inserted scripts can now also be bypassed using the bypassANP feature.
  • Improved the performance of metrics pushed from the worker proxies. Metrics are now only pushed every 30 seconds.
  • Our calls to Redis now avoid the KEYS command. This has no practical impact on Codesealer’s functionality.
  • It is now possible to delete TLS certificates previously installed on an endpoint in the Management Portal.
  • Codesealer’s integrated WAF has moved from using libmodsecurity to OWASP Coraza. This provides a tighter, simpler integration with the rest of the Codesealer codebase, and offers better WAF logs. Coraza fully supports the OWASP Core Ruleset.
  • The size of the Codesealer Core binary has been reduced by approximately 5MB.

Bugfixes

  • Fixed an issue where backend responses with “Content-Encoding: deflate” would not be decoded correctly.
  • Fixed an issue where the request body of an XHR request would not be sent if the protection was disabled using the bypassANP feature.
  • Fixed an issue where cookies would not be sent on cross-site XHR requests to a bypassed domain.
  • Fixed an issue where cookies would not be sent on cross-site script requests to a bypassed domain triggered by, e.g., appendChild.
  • Fixed an issue where accessing some fields of the protected WebSocket object would return undefined.
  • Fixed an issue where passing a single string as the protocol argument to the WebSocket constructor would not work correctly when WebSocket protection was enabled.
  • Fixed an issue where Codesealer protection would break sites that use Cloudflare’s Rocket Loader. Note that Rocket Loader’s functionality is bypassed when using Codesealer.
  • Fixed an issue where Codesealer protection would have a negative impact on Google indexing.

v24.05 (2024-05-30)

Features

  • Added a new feature for detecting and optionally blocking suspicious user agents.
  • Added an option to set the log level on Codesealer Core.
  • Added an option to disable ANP protection for specific domains.
  • Added an option to remotely disable protection for mobile clients using the Codesealer SDK.
  • Added a compatibility option for sites that use document.write.
  • Added a compatibility option that allows Codesealer to work with Webpack’s automatic publicPath option.
  • Added support for import.meta.url in modules bundled by Codesealer.
  • Added support for zstd compression.

Improvements

  • Several issues around WebSockets have been fixed. This also means that the WebSocket protection feature is no longer in beta.
  • Several logging improvements have been made. In particular, most messages concerning a request are now attached to the request log itself. This should make it easier to identify which request caused a particular issue.
  • Mobile requests are now also covered by Codesealer’s replay protection.
  • The disallowLocal and disallowPrivate options have been made more flexible. In addition to their previous behaviours, it is now possible to enable the options unless there is a configured endpoint that matches the request.
  • The injectDOMContentLoaded and bodyOnloadCompat options have been removed; they are now permanently enabled.
  • Blob and data URLs are now supported for protected fetch and XHR.
  • Synchronous XHR requests are now handled, but they are not protected.
  • A warning is now logged when a script URL cannot be parsed, instead of the entire request failing.
  • Improved speed and reduced allocations of HTML parsing.
  • Increased performance by significantly reducing the number of allocations in various places.
  • Reduced the overhead of ANP requests.
  • Made several improvements to how Codesealer handles various events fired by the browser.
  • Improved handling of various XHR properties, e.g. response, responseXML, and overrideMimeType.

Bugfixes

  • Fixed an issue where cookies were not sent for mobile requests.
  • Fixed several cases where cookies would not be sent correctly on protected requests.
  • Fixed an issue where URL query parameters on script requests were unnecessarily encoded, which could lead to failed requests.
  • HTML script tags with onload attributes now correctly run the onload function.
  • Control characters (like newlines) are now removed from script URLs.
  • Fixed an issue when request URLs contained spaces.
  • Fixed an issue when wildcards were used together with app throttling.
  • Fixed an issue where blob fetch requests would not be handled correctly if the url property of the request had been redefined.
  • We now send the correct Accept-Encoding header on proxied and protected requests.
  • Fixed an issue where <script> tags inside <template> tags would be wrongly executed.
  • Fixed an issue where the initial cryptographic handshake would fail with low probability.
  • Fixed an issue where Codesealer requests could be sent to the wrong hostname in certain cases.
  • Fixed an issue where documents with content type text/html that didn’t actually contain HTML would cause parse errors.
  • Fixed an issue where dynamically inserted scripts would use the wrong this value.
  • Fixed a number of issues with the new windowScopeCompat option.
  • Fixed an intermittent issue that would cause the browser component to fail.
  • Fixed an issue where script tags using data URLs in their src attribute would not load.
  • Fixed an issue where HTML documents with BOMs would not have protection applied.
  • Fixed an issue that would cause some inline modules to not load.

v24.02 (2024-02-29)

Features

  • We have extended our support for different variants of Redis. We now support Redis Cluster, Redis Sentinel and Redis Enterprise.
  • Breaking change: The exposeJSVars compatibility option has been deprecated in favor of the new windowScopeCompat which will handle scoping issues automatically. If the exposeJSVars option was used previously, the new option should be enabled instead.
  • Codesealer’s Application Network Protection has been enhanced with replay protection.

Improvements

  • Improved logging in case of suspicious or potentially malicious requests.
  • Connection error logs are now attached to the request logs for easier analysis.
  • Added a warning log when the configuration contains unknown items.
  • Cookies set by Codesealer now have the Secure flag when appropriate.
  • Added retry logic for the initial connection to Redis.
  • Reduced the amount of data stored in Redis.
  • The default value for redisConnectTimeout was increased from 50 ms to 250 ms.
  • The bootPrefix config option has been deprecated.
  • Removed several deprecated CLI options from Codesealer Core and Core Manager.
  • The WAF now supports rules that parse XML.

Bugfixes

  • Fixed several issues where some requests could be wrongly routed.
  • Fixed an issue where some headers were missing on protected requests.
  • The Referer header is now set on ANP requests.
  • Fixed several issues with erroneous X-Forwarded headers on ANP requests.
  • The async argument to XMLHttpRequest is now correctly handled.
  • The protection path filter option now bypasses all protection, instead of just script protection.
  • Fixed an issue where the WAF monitor mode was not respected on ANP requests.
  • Added a workaround for sites using Cloudflare Turnstile.
  • Fixed an issue with erroneous “could not close idle HTTP connections” log errors.
  • Fixed a possible race condition when endpoint configuration was updated.
  • The cacheEnabled option has been moved to the right part of the default config file.

v23.11 (2023-11-30)

Features

  • Codesealer now supports ES6 modules! This is achieved by bundling the module code server side before sending it to the browser. As a consequence, some ES6 module features are degraded, e.g. lazy loading of code. Note also that any nomodule scripts will not be executed by Codesealer. As part of this feature, a new minifyBundles option allows for minification of bundled module code.
  • Codesealer now supports Redis Enterprise, including clustering and sharding. This allows use cases where a highly resilient Redis deployment is needed.
  • It is now possible to specify which backend each worker should use for session data storage using the bootloader.sessionBackend option. See the documentation for more details.

Improvements

  • Breaking change: TLS certificates used for Redis connections are now verified by default. A new redisIgnoreTLS option has been added to allow changing this behavior.
  • Breaking change: Codesealer now strictly enforces a Redis version of 6.2.0 or newer. If using an older version, the Redis deployment should be updated before updating to this version of Codesealer.
  • Request logging has had an overhaul, resulting in more detailed information about incoming and outgoing requests. See the documentation for details about the log format.
  • The timestamp format on log messages has been changed to RFC3339Nano to allow greater time granularity.
  • Paths specified in the proxyPathFilter and protectionPathFilter options are now case-insensitive.
  • Three new options have been added that allow tweaking the timeouts for Redis connections: redisConnectTimeout, redisReadTimeout, and redisWriteTimeout.
  • The smallest allowed value for the RedisMaxConn option has been increased to 10.
  • An error is now logged in the console if Codesealer fails to fetch a dynamically inserted script.
  • When using the fsEndpoints feature, the endpoint.uuid and endpoint.organization options no longer need to be set.
  • The character limit for the scriptReplace option has been increased to 200.
  • We have made several minor improvements to our client side security.
  • We have made several improvements to the performance of the reverse proxy.

Bugfixes

  • The stripContentSecurity option now works correctly when the Content Security Policy is specified in a <meta> tag.
  • Fixed an issue where certain requests paths were being mangled.
  • The WAF now correctly parses request bodies.
  • Fixed an issue where Redis connections could deadlock. In general, the amount of time Redis connections are held has been decreased.
  • Several fixes have been made to the App Throttling feature. The feature now works without having ANP enabled and generally uses less memory.
  • The way wildcard matching works in various places has been aligned. The documentation has been updated with the details of how wildcard matching works.
  • Fixed an issue where Codesealer would generate cookies despite protection being disabled.
  • Fixed an issue where Redis would cause erroneous errors.

v23.08 (2023-08-31)

Features

  • Added an Application Throttling feature. When enabled, the client will be presented with a Proof-of-Work challenge that has to be solved before Codesealer will serve the actual application. This can help mitigate some Denial of Service attack scenarios.
  • Added a Kill Switch feature. When enabled, all traffic to the given endpoint will be dropped as early as possible. This can be used to mitigate smaller DoS attacks on multi-endpoint deployments.
  • Added an option to invert the IP Bypass list. This can be used to only serve Codesealer protection to specific IPs, which can be useful in testing scenarios.
  • Added an option to bypass Codesealer protection on specific paths (protectionPathFilter). This can for example be used to disable protection in specific parts of a site.
  • Added an option to enable the WAF in Monitor Mode. When Monitor Mode is enabled, the WAF will no longer block requests that trigger the rules, but will instead just log details about the detected request.

Improvements

  • Breaking change! The old options for only allowing ANP traffic on an endpoint and path level (anpOnly and anpOnlyPath) have been replaced with a unified, firewall style list of ANP only rules (proxyPathFilter). This can for example be used to block all non-ANP traffic to APIs at a /api path.
  • We have switched the algorithm we use for our cryptographic handshake from Classic Diffie-Hellman to Elliptic Curve Diffie-Hellman using x25519. This brings both an increase in speed and in security level of the handshake.
  • Codesealer now forwards the User-Agent header to the backend, if it is present.
  • Improved how disabled endpoints and bypassed IPs interact with other Codesealer features.
  • The log output from the WAF now has a cause field which should make it easier to filter and process these logs.
  • We have made improvements to how paths are parsed in options such as proxyPathFilter and protectionPathFilter.
  • Several minor improvements were made to Codesealer’s protection.

Bugfixes

  • The WAF and strict mode are now properly disabled when the endpoint is disabled.
  • Fixed an issue where events added to protected XHR requests using addEventListener would not fire correctly.
  • Fixed an issue where the getResponseHeaders on protected XHR requests was incorrectly case sensitive.
  • Fixed several issues around Codesealer cookies on protected requests.
  • Fixed an issue where having multiple endpoints with different remote in, but the same remote out, could cause the wrong SNI to be used for requests.
  • Fixed an issue where the Content-Length header was not always correctly set on ANP requests.
  • Fixed an issue where forcing decryption of very short payloads could cause a panic.

v23.05 (2023-05-31)

Features

  • Added an option to enforce “strict sessions”. When this is enabled HTTP methods other than GET, HEAD, and OPTIONS from clients without an active Codesealer session will be blocked.
  • Added an option to block all non-ANP requests for an entire endpoint or select path prefixes on an endpoint.
  • A new flagged log field has been added. This field will be set on a request if Codesealer detects any suspicious behaviour, e.g. in case of decryption failures.
  • Added a compatibility option to not remove ES6 module scripts. This can solve issues where non-module scripts are erroneously marked as modules.
  • It is now possible to specify environment variable placeholders in the configuration file.

Improvements

  • Breaking change! The cryptographic algorithms used by Codesealer have had a major overhaul. The result is a major performance improvement server side and a minor improvement client side. As a consequence the wire format of our protocol changed, preventing a rolling upgrade from v23.03 to v23.05.
  • Breaking change! The feature to protect scripts inserted with appendChild has been extended to all other ways of inserting scripts into the DOM. As a consequence, the relevant option has been renamed from compatAppendChild to protectDynamicContent and needs to be reapplied in the management portal.
  • As a security precaution, the reverse proxy will now remove any HTTP Server header before sending a response back to the client.
  • The type field in the log has had a couple of new variants added.
  • A list of supported browser versions has been added to the documentation.
  • The concept of a “tenant” in the configuration file has been renamed to an “endpoint” to more closely reflect the naming in the management portal.
  • Various minor performance improvements.

Bugfixes

  • Fixed a bug in our network stack that would cause multiple HTTP/2 requests to be handled serially instead of in parallel. For large requests, this would severely degrade performance.
  • HTML tag attributes should now be escaped correctly.
  • Fixed an issue where the check for allowed domains would only affect external domains.
  • Fixed an issue where relative URLs would resolve incorrectly.
  • Various bug fixes for Safari.
  • The tables in the management portal now sort in ascending order by default.
  • Fixed an issue where incomplete request information would be sent to analytics.

v23.03 (2023-03-31)

Features

  • Codesealer's log format has been completely overhauled. All logs are now structured JSON logs.
  • A new caching implementation has been added that allows for much more fine-grained control of what resources Codesealer Workers are allowed to cache.
  • Added an X-CS-RequestID header to ANP requests to more easily track these in the Codesealer worker logs.
  • The "Use Outgoing Endpoint URL as TLS SNI" option has been replaced with two new options that provide more fine-grained control: "SNI Overwrite" and "Hostname Overwrite".
  • Added an option to retain most attributes of <script> tags protected by Codesealer.
  • Added an option to specify the minimum TLS version a Codesealer Worker should support. Additionally, Workers will no longer offer to use insecure cipher suites.
  • The bootloader.multiTenant option, along with many related configuration options, has been removed. Instead, a bootloader.fsTenants option has been added which allows a Codesealer Worker to run without the Management Portal. This is mainly intended for debugging purposes.
  • Added initial beta support for WebSockets.

Improvements

  • Server side performance was improved substantially, both with regards to CPU and memory usage. The result is a big increase in the number of requests per second the proxy can handle.
  • HTML served by Codesealer is now compressed when Accept-Encoding allows for it.
  • ANP requests are now compressed.
  • Multiscript optimization is now permanently enabled as this mode is much more performant. The old “Multiscript compatibility mode” option has been split into two new options: one regarding scripts placed after body or html elements and one regarding onload attributes on body tags.
  • Codesealer's cookie implementation has been improved, resulting in much smaller added cookies. Additionally, an option to entirely disable cookies has been added.
  • Cookies are now also sent on requests for protected scripts in the HTML document.
  • Improved handling of non-canonicalized request headers.
  • Several options that tweak the Worker's behaviour have been removed. Their previous default values are now used.
  • The "Require X-CS-Bootloader header" option was removed.
  • The "Base URL" option was removed. The "Remote In" URL is now always used as the base URL for bootloader requests.
  • All cryptographic comparisons on the server side are now constant time.

Bugfixes

  • Fixed an issue with inline scripts.
  • Fixed an issue when trying to request external resources through ANP.
  • Fixed an issue where ‘blob:’ and ‘data:’ requests would be made through the Codesealer proxy.
  • Fixed a bug where Codesealer would make requests to the wrong port if the remote in and remote out URLs had different schemes.
  • Fixed a bug where wildcards in the remote input URL were not handled correctly.
  • Fixed a bug in how Codesealer handled script source links with query parameters that contain spaces.
  • Fixed a bug where 204 No Content responses would not be handled correctly.
  • Fixed an erroneous log message when network.behindProxy was true and no X-Forwarded-For header was set.
  • Fixed an issue where Codesealer would set the wrong Content-Length header on HEAD requests.

v23.01 (2023-01-19)

Improvements

  • Improved handling of scripts with a preload attribute.
  • Improved handling of cookies when ANP is enabled.

Bugfixes

  • Fixed a bug in how Codesealer handled X-Forwarded-For headers without ports.
  • Fixed a bug when requests with wrongly cased Content-Type headers were made.

v22.12 (2022-12-12)

Features

  • Added an option to do simple string replacements on scripts that are protected by Codesealer.

Improvements

  • Added a compatibility mode for rewriting absolute Location headers that point at the remote out endpoint to be relative. This is to avoid cases where redirects would circumvent Codesealer protection.

Bugfixes

  • Various bugfixes for Safari.
  • Fixed an issue where fetch bodies would not be transmitted in Firefox.

v22.11 (2022-11-01)

Improvements

  • Improved handling of the Content-Type header for ANP requests.

v22.10 (2022-10-12)

Features

  • Added an option to whitelist endpoints for ANP requests.
  • Added support for using Let’s Encrypt certificates for Codesealer workers.

Improvements

  • The "Users" list in the Management Portal now shows which users have 2FA enabled.
  • Made improvements to how Codesealer interacts with Content Security Policy.
  • Added a compatibility mode where scripts inserted via appendChild will also be protected by Codesealer.

Bugfixes

  • Codesealer no longer removes scripts that do not have a source or any content.
  • Fixed a bug in how an endpoint's allowed domains were handled.

v22.08 (2022-08-30)

Features

  • 2FA can now be set up for users in the Management Portal.
  • Added the option to whitelist IPs.
  • Added an option to modify the base URL of bootloader requests.
  • Added an option to expose ANP XMLHttpRequest and fetch on the window object.

Improvements

  • WAF rules now also apply to ANP requests.
  • Added support for chunked delivery of resources.
  • Codesealer now removes standard (80/443) ports from Host headers.
  • Removed the ES6 Modules compatibility mode. This option is now always on.

Bugfixes

  • Fixed an issue when the input and output URL did not have the same scheme.