What's New

Version 6.1.1

Released 2024-02-21

• Fixed JSON parsing issue with generated package.json for CommonJS library build

Version 6.1.0

Released 2024-02-18

• Added base64-encoded request http method to captcha script query parameters on block pages

Version 6.0.3

Released 2024-02-12

• Fixed used body issue with filtered requests by making the request mutable only once the context is saved
• Using context logger rather than config logger for request flow

Version 6.0.2

Released 2024-01-25

• Fixed issue with invalid URL query params by adding fallback URL

Version 6.0.1

Released 2024-01-09

• Fixed issue that caused a worker error for filtered requests executed after POST requests (due to reused executionContext)

Version 6.0.0

Released 2024-01-03

• Released as NPM Package with TypeScript Support
• Maintains support for the following features:
  • additional activity handler
  • advanced blocking response
  • block activity
  • block page captcha
  • block page rate limit
  • bypass monitor header
  • client ip extraction
  • cookie v3
  • cors support
  • credentials intelligence
  • css ref
  • custom cookie header
  • custom first party endpoints
  • custom logo
  • custom parameters
  • enforced routes
  • filter by extension
  • filter by http method
  • filter by ip
  • filter by route
  • filter by user agent
  • first party
  • graphql support
  • header based logger
  • hype sale challenge
  • js ref
  • logger
  • mobile support
  • module enable
  • module mode
  • monitored routes
  • page requested activity
  • pxde
  • pxhd
  • remote config
  • risk api
  • sensitive headers
  • sensitive routes
  • telemetry command
  • url decode reserved characters
  • user identifiers
  • vid extraction

Version 5.10.2

Released 2023-12-22

• Fixed first-party captcha URL validation.

Version 5.10.1

Released 2023-12-21

• Fixed issue with proxied requests URL validation
• Performance improvement by calling new Request as needed

Version 5.10.0

Released 2023-12-21

• Updated the configuration of PX first-party requests to include a connection timeout
• Updated the captcha template to handle empty captcha responses.
• Fixed issue with custom first party captcha endpoints

Version 5.9.0

Released 2023-11-29

• Added risk_start_time and enforcer_start_time fields to enforcer activities
• Removed the blockedUrl window variable from the block page to prevent XSS vulnerability
• Added blocked URL to the captcha query params

Version 5.8.1

Released 2023-11-15

• Added blocked URL to ABR and captcha template

Version 5.8.0

Released 2023-08-14

• Support for secure flag for PXHD cookies

Version 5.7.1

Released 2023-08-08

• Fixed ssl_protocol and client_uuid issue on async activities

Version 5.7.0

Released 2023-08-08

• Configure domain for PXHD cookie
• Support for header-based logger
• Support for remote configuration
• Header name changes on Risk API:
• ip changed to socket-ip
• uuid changed to client-uuid
• Added risk activity fields to async activities for improved detection

Version 5.6.0

Released 2023-06-11

• px_metadata supported_features alignment
• Support custom first party endpoints

Version 5.5.0

Released 2023-04-18

• Support CI both protocol
• Support CI protocol per endpoint

Version 5.4.1

Released 2023-04-02

• Adjusted request.clone() to avoid warnings
• px_s2s_timeout applied to risk_api calls only

Version 5.4.0

Released 2023-03-22

• Support custom is sensitive request via function

Version 5.3.0

Released 2023-03-16

• Custom cookie header is processed in addition to (not instead of) default cookie header
• Custom cookie header default value has been set to x-px-cookies

Version 5.2.0

Released 2023-02-02

• Support extract JWT user id from nested fields payload.
• Support extract JWT additional fields from nested fields payload.

Version 5.1.0

Released 2022-01-26

• Added - Support for CORS preflight requests and CORS headers in block responses, this will prevent the browser from blocking cross-origin requests as a result of a Block.
• Added - Support for px_filter_by_http_method feature

Version 5.0.4

Released 2022-12-11

• Added - Support to configure custom GraphQL endpoints with multiple strings and Regexes and enable/disable GraphQL support via configuration.
• This adds flexibility to support various GraphQL implementations.
• Default configuration will remain '/graphql' and enabled by default for backward compatibility.

Version 5.0.3

Released 2022-11-14

• Added - Support for parsing an array of GraphQL operation objects (extracts first one only)

Version 5.0.2

Released 2022-11-03

• Fixed - GraphQL query parsing ignores whitespace and \n at the beginning of the string

Version 5.0.1

Released 2022-09-20

• Added pass reason enforcer_error
• Changed s2s_error_message field to error_message on page_requested activity.

Version 5.0.0

Released 2022-07-30

• Added the ability to build enforcer in both service worker and module Cloudflare formats.
• Made filter by extension and s2s timeout features configurable rather than needing to edit the built worker.
• Using a global HUMANConfig object, which means the enforcer configuration no longer needs to be built with the worker allowing for easier future enforcer upgrades.
• Unit test expansions and improvements.
• Updated dependencies.

Version 4.5.4

Released 2022-07-28

• Added - Support displaying hype sale challenge on each user attempt to access hype sale and according to the configured limit.

Version 4.5.3

Released 2022-07-18

• Added - A CPA field to a risk activity in case of valid cookie with a CPA field

Version 4.5.2

Released 2022-07-17

• Changed - New hype sale template.

Version 4.5.1

Released 2022-06-30

• Fixed - Add SameSite=Lax to HUMANHD cookie.

Version 4.5.0

Released 2022-06-20

• Added - Support User Identifiers: CTS and JWT.

Version 4.4.2

Released 2022-05-18

• Fix - Update block page to support error handling for mobile.

Version 4.4.1

Released 2022-05-01

• Fix - Include Bypass Monitor Header feature when checking the module mode.

Version 4.4.0

Released 2022-04-13

• Added Credentials Intelligence v2 hashing protocol as the default. The new protocol normalizes and hashes credentials according to a new algorithm that improves accuracy.
• Added custom logo and alternate block script to ABR (JSON block response).
• Changed the block page to use the new template.

Version 4.3.2

Released 2022-03-30

• Fixed an error that caused page_requested activities with s2s_timeout to be sent in cases of block while in monitor mode.

Version 4.3.1

Released 2022-03-27

• Added s2s_error enrichment for enhanced visibility and analysis of errors.
• Added HTTP version field to all enforcer activities.
• Added the decoded cookie to risk_api activities if due to sensitive route.
• Fixed an issue where errors were not logged in debug mode.
• Fixed an issue that caused an exception to be thrown on GraphQL paths.

Version 4.3.0

Released 2022-02-10

• Added support for Hype Sales Challenge

Version 4.2.0

Released 2022-02-08

• Added the automatic reporting of GraphQL operation names and types on HUMAN activities, which improves visibility and detection.
• Added the sensitive GraphQL operation feature, which triggers server-to-server calls for configured GraphQL operation names and types
• Added additional_s2s activity as part of Credentials Intelligence reporting. This additional activity can be sent automatically within the Cloudflare worker or transferred as a header to the origin and sent directly to HUMAN via an XHR POST request.
• Added the ability to report the raw username to HUMAN on the additional_s2s activity in cases where compromised credentials were used to successfully log in
• Enhancements to the login credentials extraction feature, including the option to define custom extraction callbacks for endpoints, and automatic sending of credentials to HUMAN upon successful extraction, and more

Version 4.1.1

Released 2022-01-30

• Added support for automated upgrades, which allows for a faster and easier upgrade experience for enforcer versions moving forward.

Version 4.1.0

Released 2022-01-10

• Added support for snippet injection, which enables to auto inject the custom JS snippet to the client’s HTML pages and is controlled remotely, allowing the flexibility to modify the snippet without having to deploy changes to the production environment

Version 4.0.4

Released 2021-12-29

• Added a field server_info_origin to all enforcer activities, holding the three-letter IATA airport code of the data center where the request originated

Version 4.0.3

Released 2021-12-20

• Added the ability to support multiple username and password fields for the same endpoint as part of the login credentials extraction feature
• Added to ability to filter requests from the enforcer verification flow by specific header & its value

Version 4.0.2

Released 2021-11-22

• Added infrastructure to future support the Credentials intelligence product with a canonical representation of the user credentials

Version 4.0.1

Released 2021-11-08

• Added the request object to px_enrich_custom_params custom config function to enrich the information that user can send to HUMAN
• Differentiate custom code logic from the core functionality module. The config object now consist only of customer configuration without any internal logic

Version 4.0.0

Released 2021-10-25

• Restructuring of the module code to enable quick and simple upgrades moving forward, which will ease efforts to keep the enforcer up to date and allow fast delivery of new capabilities by HUMAN. Separate worker into customer facing and core sections (Config, HUMANCore, Main sections)
• Enhanced logs for debugging purposes.
• New configuration key px_login_credentials_http_body_size_limit added to limit the allowed http body size to extract the login credentials and maintain performance
• Support for outputting whether user credentials are compromised on an additional header as part of HUMAN Credential Intelligence product

Version 3.3.0

Released 2021-08-11

• Added ability to sign cookie with the following fields: user agent, IP

Version 3.2.0

Released 2021-07-27

• Support regex path configuration for login credentials extraction feature

Version 3.1.0

Released 2021-07-21

• Bug fix of unsafe cookie handling

Version 3.0.0

Released 2021-06-22

• Added the ability to manage and deploy Cloudflare workers via Wrangler CLI tool

Version 2.9.0

Released 2021-06-01

• Added handler feature which is pre enforcement
• Separation between Bot Defender and Code Defender enforcement functionality - detached mechanisms

Version 2.8.0

Released 2021-05-18

• New feature to support CSP and restrict resources as part of the Code Defender product

Version 2.7.0

Released 2021-04-07

• Added support for the login credentials extraction feature

Version 2.6.2

Released 2021-03-25

• Bug fix to enable better handling for sensor injection

Version 2.6.1

Released 2021-03-10

• Bug fix for enable better URL parsing

Version 2.6.0

Released 2021-02-01

• Bug fix to better handle hashtags
• Bug fix to better verify whitelist extensions

Version 2.5.0

Released 2020-10-25

• Added Upstream Score Header property which specifies a header name that will contain the HUMAN score to be sent to the origin.
• Added Upstream Identifier Header property which specifies a header name that will contain the HUMAN unique identifier (UUID) to be sent to the origin.
• Support for JavaScript Sensor Injection

Version 2.4.2

Released 2020-10-02

• Bug fix to verify HUMANCtx for deferred activities

Version 2.4.1

Released 2020-09-17

• Bug fixed to enable sending deferred activities in monitor mode