| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| README.md | 2026-04-19 | 769 Bytes | |
| v1.1.0 source code.tar.gz | 2026-04-19 | 33.9 kB | |
| v1.1.0 source code.zip | 2026-04-19 | 53.7 kB | |
| Totals: 3 Items | 88.3 kB | 0 | |
What's New
Set-Cookie validation
New analyzer checks Set-Cookie headers for Secure, HttpOnly, and SameSite attributes. Flags missing security attributes with actionable remediation advice.
CSP scoring improvement
unsafe-inline in style-src now receives a reduced penalty (-1) compared to script-src (-2). Nearly every CSS framework requires style-src 'unsafe-inline' and it poses far less risk than script-src — scores are now fairer.
Fixes
--versionwas hardcoded to1.0.0— now reads dynamically from package.json- HTTP client now preserves individual
Set-Cookieheaders as an array (fixes corruption from comma-joining)
Full Changelog: https://github.com/trustyourwebsite/security-headers/compare/v1.0.1...v1.1.0