Release Notes v2.3.0
Last updated
This release includes new features and enhancements to the product. The release updates include:
1. Cross-Origin Request Header: Introduces a new option in the domain settings of each domain that lets users enter a value for "cross-origin request". This option corresponds to the HTTP header Access-Control-Allow-Origin.
To enable the Cross-Origin Request Header: Go to the settings page, click the edit button for the domain to open the domain settings, and activate the Cross-Origin Request Header.
Disclaimer: This is an advanced feature. Please toggle this feature only if your application supports the following configurations; otherwise, your application's functionality will be affected.
2. Secure Cookie Header: A new option that lets users enable or disable the secure cookie flag for a domain in the domain settings. When enabled, the product adds the header Set-Cookie: SameSite=Strict; path=/; secure; HttpOnly.
To enable secure cookies: Access the settings page, click the edit button for the domain to open the domain settings, and under Security Headers activate the Secure Cookie option.
Disclaimer: This is an advanced feature. Please toggle this feature only if your application supports the following configurations; otherwise, your application's functionality will be affected.
3. Clickjacking Protection Header: A new option in the settings lets users add a security header that protects against clickjacking attacks. When enabled, there are two options:
   DENY ALL: Adds the header X-Frame-Options: DENY
   Allow Only Same Origin: Adds the header X-Frame-Options: SAMEORIGIN
To enable Clickjacking Protection: Access the settings page, click the edit button for the domain to open the domain settings, and under Security Headers activate the Clickjacking Protection Header.
Disclaimer: This is an advanced feature. Please toggle this feature only if your application supports the following configurations; otherwise, your application's functionality will be affected.
4. Content Security Policy: The new Content-Security-Policy (CSP) option in the settings page is a security mechanism that helps prevent several classes of attacks on web applications, such as Cross-Site Scripting (XSS) and data injection. It has two states:
   Disabled (Default): When the CSP header is disabled, no restrictions are applied to the loading of resources (scripts, stylesheets, images, etc.).
   Upgrade-insecure-requests (Force Reload HTTP Content via HTTPS): Sends the header Content-Security-Policy: upgrade-insecure-requests, which changes how non-secure (HTTP) content is handled by instructing the browser to upgrade insecure requests to HTTPS.
Disclaimer:This is an advanced feature. Please toggle this feature if your application supports the following configurations; otherwise, your application's functionality will be affected.
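As an added example (not product code and not part of these notes), the Python check below takes the response headers observed for a domain and reports which of the four options above are not in effect; the sample responses and the expected X-Frame-Options value are constructed assumptions.

```python
"""Check a response's headers against the four domain security options."""


def _cookie_attrs(set_cookie):
    # "session=abc; SameSite=Strict; path=/; secure; HttpOnly" -> attribute set,
    # lower-cased so that "Secure" and "secure" compare equal; name=value dropped.
    return {p.strip().lower() for p in set_cookie.split(";")[1:]}


def check_security_headers(headers, expect_frame="DENY"):
    """Return a list of findings; an empty list means every option is in effect."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # 1. Cross-Origin Request Header: present, and not the wildcard
    acao = h.get("access-control-allow-origin")
    if acao is None:
        findings.append("Access-Control-Allow-Origin missing")
    elif acao == "*":
        findings.append("Access-Control-Allow-Origin is '*' (any origin may read responses)")
    # 2. Secure Cookie Header: SameSite=Strict, secure and HttpOnly must all be set
    cookie = h.get("set-cookie")
    if cookie is not None:
        missing = {"samesite=strict", "secure", "httponly"} - _cookie_attrs(cookie)
        if missing:
            findings.append("Set-Cookie lacks: " + ", ".join(sorted(missing)))
    # 3. Clickjacking Protection: DENY or SAMEORIGIN, matching the chosen option
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or invalid (%s)" % (xfo or "absent"))
    elif xfo != expect_frame:
        findings.append("X-Frame-Options is %s, expected %s" % (xfo, expect_frame))
    # 4. CSP: the upgrade-insecure-requests directive may sit among other directives
    directives = {d.strip().lower() for d in h.get("content-security-policy", "").split(";")}
    if "upgrade-insecure-requests" not in directives:
        findings.append("CSP does not include upgrade-insecure-requests")
    return findings


# Constructed samples: all four options enabled, and product defaults (none enabled).
HARDENED = {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Set-Cookie": "session=abc123; SameSite=Strict; path=/; secure; HttpOnly",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "upgrade-insecure-requests",
}
DEFAULT = {"Set-Cookie": "session=abc123; path=/"}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, check_security_headers(hdrs) or "OK")
```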
Cluster Switcher: Added a cluster switcher to the applications page and removed the website switcher from applications, load balancers, multi-cloud instances, Slack webhook, and activity logs.
PhantomJS Challenge: An advanced captcha-less challenge that is invisible to the user; only a white screen is shown briefly before the website loads. During this time, an advanced check runs in the backend to detect malicious automated traffic.
Consolidate Routing to the Traffic 360 Page: Instead of utilizing the "Explore Traffic" page for applying filters, all traffic data filtering will now be managed directly within the "Traffic 360" page.
Geo-location Filter: Added a new geo-location filter in addition to the existing filters for method, status, and IP.
Action Buttons: Added CSV export and print buttons to the traffic table, so users can easily export or print the traffic data.
Country Flag in the Table: Displayed the corresponding country flag next to each geo-location entry in the traffic table for easier identification.
Search: Improved the search feature to search in specific fields like IP address, referrer, and request URI.
CRLF Injection Rule: Added a new policy under the built-in WAF policies. Activating the rule protects against CRLF injection attacks.
Help documentation has been added to the left menu of the dashboard.
Modified the 'Attack Type' column value on the Attacks page.
Reference links have been added to the settings page.
'Read Only' access for built-in WAF policies and exceptions: on the WAF Rules page, the user cannot toggle the state of a built-in rule or modify its exceptions.
Secondary verification has been implemented for deleting rules.
The option to add allowed IPs has been enabled, even when bot mitigation is disabled.
We propose adding a search bar at the top of the API listing page. This feature will allow users to perform searches on the available APIs. When a query is entered, the search results will dynamically display all APIs that match the search criteria.
Improved the functionality of the attack report generation module.