2.5.1

• Abort CSP compiler pass when CSP is not enabled

2.5.0

• Allows matching the query parameter for clickjacking protection
• Cleanup content type restrictable listener
• Added Symfony 4 support
• Added support for 'worker-src' CSP directive
• Removed PHP 5.3 support guarantees
  F- ix CSP noise filter compiler pass registration

2.4.0

• Deprecate calling ContentSecurityPolicyListener::getNonce without usage ('script' or 'style')
• Added forced_ssl > redirect_status_code option to allow switching to permanent redirect (301) responses
• Fixed HSTS header being sent even in non-secure responses unnecessarily
• Fixed URLs with whitespace prefix not being seen as external redirects

2.3.1

• Fix arguments for Twig extension

2.3.0

• Add support for script-src 'strict-dynamic' (see https://w3c.github.io/webappsec-csp/#strict-dynamic-usage)
• Improve CSP filtering
• Remove Twig extension compiler pass in favor of tag
• Use symfony/phpunit-bridge for testing on IC

2.2.4

• Fix exceptions thrown by Report::fromRequest

2.2.3

• Improve CSP filtering

2.2.1

• Fix dependency on UAParser

2.2.0

• Add CSP report filter
• Fix Twig 2 support

Version 2.1.0

• Add support for Referrer Policy
• Content-Security-Policy header can now be disabled
• Fix encrypter deprecation
• Run the test suite on PHP 7.1
• Run the test suite with lowest dependencies