Download Latest Version v1.1.1 source code.tar.gz (38.7 kB)
Email in envelope

Get an email when there's a new version of security-headers

Home / v1.1.0
Name Modified Size InfoDownloads / Week
Parent folder
README.md 2026-04-19 769 Bytes
v1.1.0 source code.tar.gz 2026-04-19 33.9 kB
v1.1.0 source code.zip 2026-04-19 53.7 kB
Totals: 3 Items   88.3 kB 0

What's New

New analyzer checks Set-Cookie headers for Secure, HttpOnly, and SameSite attributes. Flags missing security attributes with actionable remediation advice.

CSP scoring improvement

unsafe-inline in style-src now receives a reduced penalty (-1) compared to script-src (-2). Nearly every CSS framework requires style-src 'unsafe-inline' and it poses far less risk than script-src — scores are now fairer.

Fixes

  • --version was hardcoded to 1.0.0 — now reads dynamically from package.json
  • HTTP client now preserves individual Set-Cookie headers as an array (fixes corruption from comma-joining)

Full Changelog: https://github.com/trustyourwebsite/security-headers/compare/v1.0.1...v1.1.0

Source: README.md, updated 2026-04-19