Social server with an ActivityStreams API
APACHE-2.0 License
Published by strugee almost 8 years ago
No changes from 2.0.0 beta 2.
Links with a `data-bypass` attribute are now ignored by the routing logic (useful for e.g. custom pages added by the admin)

Published by strugee about 8 years ago
This release adds many security features. It's recommended that admins upgrade as soon as possible.
Please note that while we're not doing so yet, we're planning to deprecate running under Node.js 0.10 and 0.12 very soon. Additionally, upgrading to Node.js 4.x early will enable the new, better XSS scrubber - however, be aware that pump.io is far less tested under Node.js 4.x and you are likely to run into more bugs than you would under 0.10 or 0.12.
See #1184 for details.
* `Content-Length` header is now sent in Dialback requests
* `X-Content-Type-Options: nosniff` header is sent (#1184)
* `X-Download-Options: noopen` header is sent (#1184)
* `X-XSS-Protection: 1; mode=block` header is sent (#1184)
* `X-Frame-Options: DENY` header is sent (in addition to Content Security Policy) (#1184)
* `Content-Security-Policy` header is sent with every response (#1184)
  * Scripts are forbidden except from the application domain, `cdnjs.cloudflare.com` and `ajax.googleapis.com`
  * `<object>`, `<embed>`, and `<applet>`, as well as all plugins, are forbidden
  * Being embedded in `<frame>`, `<iframe>`, `<object>`, `<embed>`, and `<applet>` is forbidden
  * Connecting to other origins via `XMLHttpRequest`, WebSockets or EventSource is forbidden
  * Embedding other pages (via `<frame>`, `<iframe>`) is forbidden except from the application domain
* `displayName` properties are no longer displayed if they're empty (#1149)
* `package.json` now uses a valid SPDX license identifier (#1112)
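
The header set described above, as an added example that is not pump.io's own code: a small Node.js module that builds a Content-Security-Policy from the bullets, applies the full header set to an Express-style response, and audits a response's headers so an admin can confirm an upgraded instance really sends them. The header values are the ones listed in the release notes; the mapping of the CSP bullets onto directives (`script-src`, `object-src`, `frame-ancestors`, `connect-src`, `frame-src`), the function names and the constructed sample responses are my assumptions, since the notes do not quote the exact header string pump.io emits.

```javascript
// Added example, not pump.io's code: header values come from the release notes,
// the CSP directive mapping below is an assumption drawn from the bullet list.

// One directive per bullet. frame-src is assumed for "embedding other pages";
// CSP level 2 browsers read child-src for the same restriction.
const CSP_DIRECTIVES = {
  'script-src': ["'self'", 'cdnjs.cloudflare.com', 'ajax.googleapis.com'],
  'object-src': ["'none'"],       // <object>, <embed>, <applet>, all plugins
  'frame-ancestors': ["'none'"],  // this site may not be framed by anyone
  'connect-src': ["'self'"],      // XMLHttpRequest, WebSocket, EventSource
  'frame-src': ["'self'"],        // <frame>/<iframe> only from our own origin
};

function buildCsp(directives = CSP_DIRECTIVES) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// X-Frame-Options: DENY repeats frame-ancestors 'none' for pre-CSP browsers,
// which is why the notes list it "in addition to" the CSP.
function securityHeaders() {
  return {
    'X-Content-Type-Options': 'nosniff',
    'X-Download-Options': 'noopen',
    'X-XSS-Protection': '1; mode=block',
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': buildCsp(),
  };
}

// Works with any response object that exposes setHeader(), e.g. Express's res.
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(securityHeaders())) {
    res.setHeader(name, value);
  }
  if (typeof next === 'function') next();
}

// Parse a CSP header value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Audit a header map (e.g. http.IncomingMessage#headers, which Node lower-cases);
// an empty result means every protection from the release is present.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const expected = securityHeaders();
  const findings = [];
  for (const name of Object.keys(expected)) {
    if (name === 'Content-Security-Policy') continue;
    const got = h[name.toLowerCase()];
    if (got === undefined) findings.push(`${name} missing`);
    else if (got.trim().toLowerCase() !== expected[name].toLowerCase()) {
      findings.push(`${name} is "${got}", expected "${expected[name]}"`);
    }
  }
  const raw = h['content-security-policy'];
  if (raw === undefined) return findings.concat('Content-Security-Policy missing');
  const csp = parseCsp(raw);
  for (const [directive, sources] of Object.entries(CSP_DIRECTIVES)) {
    const got = (csp[directive] || []).map((s) => s.toLowerCase());
    if (!got.length) { findings.push(`CSP lacks ${directive}`); continue; }
    for (const s of sources) {
      if (!got.includes(s.toLowerCase())) findings.push(`CSP ${directive} lacks ${s}`);
    }
    // A wildcard or inline/eval allowance in script-src undoes the XSS protection.
    if (directive === 'script-src') {
      for (const bad of ['*', "'unsafe-inline'", "'unsafe-eval'"]) {
        if (got.includes(bad)) findings.push(`CSP script-src allows ${bad}`);
      }
    }
  }
  return findings;
}

// Dialback requests carry a body: Content-Length must be the UTF-8 byte count,
// not the JavaScript string length, or non-ASCII bodies are truncated.
function contentLengthFor(body) {
  return String(Buffer.byteLength(body, 'utf8'));
}

// Stand-alone demo on constructed response objects; no network involved.
function demo() {
  const sent = {};
  const res = { setHeader: (name, value) => { sent[name] = value; } };
  securityHeadersMiddleware({}, res, null);
  return {
    afterUpgrade: auditHeaders(sent),                              // []
    beforeUpgrade: auditHeaders({ 'content-type': 'text/html' }), // 5 findings
  };
}
```

To check a live instance, pass the `headers` object of an `http.get` (or `https.get`) response for the front page to `auditHeaders()`. Note that `X-XSS-Protection` is honoured only by older browsers (Chrome removed its XSS auditor in version 78 and Firefox never had one), so of the headers in this release the CSP is the one doing the XSS work today; the audit therefore treats a `script-src` that allows `*`, `'unsafe-inline'` or `'unsafe-eval'` as a finding even when the header is present.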