- Added - Support for CORS preflight requests and CORS headers in block responses. This prevents the browser from blocking cross-origin requests as a result of a Block.
- Added - Support for px_filter_by_http_method feature
- Added - Support to configure custom GraphQL endpoints with multiple strings and Regexes and enable/disable GraphQL support via configuration.
This adds flexibility to support various GraphQL implementations.
Default configuration will remain '/graphql' and enabled by default for backward compatibility.
- Added - Support for parsing an array of GraphQL operation objects (extracts first one only)
- Fixed - GraphQL query parsing ignores whitespace and `\n` at the beginning of the string
- Added pass reason enforcer_error
- Changed s2s_error_message field to error_message on page_requested activity.
- Added the ability to build enforcer in both service worker and module Cloudflare formats.
- Made filter by extension and s2s timeout features configurable rather than needing to edit the built worker.
- Using a global pxConfig object, which means the enforcer configuration no longer needs to be built with the worker, allowing for easier future enforcer upgrades.
- Unit test expansions and improvements.
- Updated dependencies.
- Added - Support for displaying the hype sale challenge on each user attempt to access the hype sale, according to the configured limit.
- Added - A CPA field on the risk activity when a valid cookie contains a CPA field
- Changed - New hype sale template.
- Fixed - Add SameSite=Lax to PXHD cookie.
- Added - Support User Identifiers: CTS and JWT.
- Fix - Update block page to support error handling for mobile.
- Fix - Include Bypass Monitor Header feature when checking the module mode.
- Added Credentials Intelligence v2 hashing protocol as the default. The new protocol normalizes and hashes credentials according to a new algorithm that improves accuracy.
- Added custom logo and alternate block script to ABR (JSON block response).
- Changed the block page to use the new template.
- Fixed an error that caused `s2s_timeout` to be sent in cases of block while in monitor mode.
`s2s_error` enrichment for enhanced visibility and analysis of errors.
- Added HTTP version field to all enforcer activities.
- Added the decoded cookie to `risk_api` activities when the activity is due to a sensitive route.
- Fixed an issue where errors were not logged in debug mode.
- Fixed an issue that caused an exception to be thrown on GraphQL paths.
- Added support for Hype Sales Challenge
- Added the automatic reporting of GraphQL operation names and types on PerimeterX activities, which improves visibility and detection.
- Added the sensitive GraphQL operation feature, which triggers server-to-server calls for configured GraphQL operation names and types
`additional_s2s` activity as part of Credentials Intelligence reporting. This additional activity can be sent automatically within the Cloudflare worker or transferred as a header to the origin and sent directly to PerimeterX via an XHR POST request.
- Added the ability to report the raw username to PerimeterX on the `additional_s2s` activity in cases where compromised credentials were used to successfully log in
- Enhancements to the login credentials extraction feature, including the option to define custom extraction callbacks for endpoints, and automatic sending of credentials to PerimeterX upon successful extraction, and more
- Added support for automated upgrades, which allows for a faster and easier upgrade experience for enforcer versions moving forward.
- Added support for snippet injection, which automatically injects the custom JS snippet into the client's HTML pages and is controlled remotely, allowing the snippet to be modified without deploying changes to the production environment
- Added a field `server_info_origin` to all enforcer activities, holding the three-letter IATA airport code of the data center where the request originated
- Added the ability to support multiple username and password fields for the same endpoint as part of the login credentials extraction feature
- Added the ability to filter requests from the enforcer verification flow by a specific header and its value
- Added infrastructure for future support of the Credentials Intelligence product with a canonical representation of the user credentials
- Added the request object to the `px_enrich_custom_params` custom config function to enrich the information that the user can send to PerimeterX
- Differentiated custom code logic from the core functionality module. The config object now consists only of customer configuration without any internal logic
- Restructuring of the module code to enable quick and simple upgrades moving forward, which will ease efforts to keep the enforcer up to date and allow fast delivery of new capabilities by PerimeterX. Separate worker into customer facing and core sections (Config, pxCore, Main sections)
- Enhanced logs for debugging purposes.
- New configuration key `px_login_credentials_http_body_size_limit` added to limit the HTTP body size allowed for login credentials extraction and maintain performance
- Support for outputting whether user credentials are compromised on an additional header as part of PerimeterX Credential Intelligence product
- Added ability to sign cookie with the following fields:
- Support regex path configuration for login credentials extraction feature
- Bug fix of unsafe cookie handling
- Added the ability to manage and deploy Cloudflare workers via Wrangler CLI tool
- Added a handler feature that runs pre-enforcement
- Separation between Bot Defender and Code Defender enforcement functionality - detached mechanisms
- New feature to support CSP and restrict resources as part of the Code Defender product
- Added support for the login credentials extraction feature
- Bug fix to enable better handling for sensor injection
- Bug fix to enable better URL parsing
- Bug fix to better handle hashtags
- Bug fix to better verify whitelist extensions
- Added Upstream Score Header property which specifies a header name that will contain the PerimeterX score to be sent to the origin.
- Added Upstream Identifier Header property which specifies a header name that will contain the PerimeterX unique identifier (UUID) to be sent to the origin.
- Bug fix to verify pxCtx for deferred activities
- Bug fix to enable sending deferred activities in monitor mode