Skip to content

Releases: adonisjs/http-server

Escape exception messages in HTML responses and add request.prefetch method

Choose a tag to compare

@github-actions github-actions released this 22 Jun 07:02
Immutable release. Only release title and notes can be modified.

9.1.0 (2026-06-22)

Bug Fixes

  • escape exception messages in HTML responses (5d7465d)

Features

  • add request.prefetch() to detect speculative prefetch requests (550f429)

What's Changed

  • chore: harden release workflow for supply-chain security by @thetutlage in #120
  • chore(deps): bump actions/stale from 9 to 10 by @dependabot[bot] in #122
  • chore(deps): bump actions/setup-node from 4.4.0 to 6.4.0 by @dependabot[bot] in #124
  • chore(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #123

Full Changelog: v9.0.2...v9.1.0

Escape exception messages in HTML responses

Choose a tag to compare

@github-actions github-actions released this 22 Jun 06:51
Immutable release. Only release title and notes can be modified.

8.2.1 (2026-06-22)

Bug Fixes

  • escape exception messages in HTML responses (71a0a8e)

Full Changelog: v8.2.0...v8.2.1

Make Router class macroable to be extended from outside-in

Choose a tag to compare

@github-actions github-actions released this 27 May 14:34
Immutable release. Only release title and notes can be modified.

9.0.2 (2026-05-27)

Bug Fixes

What's Changed

Full Changelog: v9.0.1...v9.0.2

Use internal host method when returning request authority

Choose a tag to compare

@github-actions github-actions released this 25 May 03:20

9.0.1 (2026-05-25)

Bug Fixes

  • use internal host method when fetching request authority (0a30965)

Full Changelog: v9.0.0...v9.0.1

HTTP/2 authority support for redirect referrer validation

Choose a tag to compare

@github-actions github-actions released this 19 May 10:33

Added

  • HttpRequest#authority() — returns the HTTP/2 :authority pseudo-header, falling back to the Host header
    when :authority is absent. Unlike host(), it ignores X-Forwarded-Host and trustProxy, since no proxy
    convention forwards the original :authority.

Fixed

  • Referrer validation on HTTP/2getPreviousUrl (used by redirect-back) now validates the Referer against
    request.authority() instead of reading headers['host'] directly. On HTTP/2 the Host header can be absent
    (authority carried by :authority), which previously broke referrer-host matching.
  • Redirect#getPreviousUrl — throws a clear RuntimeException when the Redirect instance has no HTTP context,
    instead of a cryptic Cannot read properties of undefined.
  • Test factoriesHttpRequestFactory and HttpResponseFactory now wire an HttpContext, so request.ctx /
    response.ctx are populated, matching runtime. Factory-created responses can now use response.redirect().back().

Breaking changes

  • getPreviousUrl helper signature changed from (headers, allowedHosts, fallback) to (request, allowedHosts, fallback) — now takes the AdonisJS HttpRequest instance instead of raw IncomingHttpHeaders. Affects only direct
    importers of the helper; request.getPreviousUrl() and redirect().back() are unchanged.

Full Changelog: v8.2.0...v9.0.0

Security fix: open redirect in response.redirect().back()

Choose a tag to compare

@github-actions github-actions released this 14 Apr 06:19

7.8.1 (2026-04-14)

Fixes an open redirect vulnerability in response.redirect().back() where a crafted Referer header could redirect users to an attacker-controlled destination. The referrer is now validated against the request's Host header and a configurable allowedHosts list; invalid or cross-host referrers fall through to a safe fallback. Backported from 8.x (8.1.3).

response.redirect().back() no longer blindly trusts the Referer header. If the referrer host does not match the request host and is not listed in redirect.allowedHosts, back() now returns the fallback (/ by default). Apps that legitimately redirect back to an external host must add it to allowedHosts.

defineConfig({
  redirect: {
    allowedHosts: [],         // extra hosts accepted as referrers
    forwardQueryString: false // default for .withQs() on redirects
  }
})

Features

  • isValidRedirectUrl(url, currentHost?, allowedHosts?) — reusable URL validator (rejects protocol-relative //evil.com, validates absolute URL hosts)
  • getPreviousUrl(headers, allowedHosts, fallback) — helper used internally
  • request.getPreviousUrl(allowedHosts, fallback?) — exposed on HttpRequest
  • redirect.getPreviousUrl(fallback) — exposed on Redirect
  • redirect.back(fallback = '/')back() now accepts a custom fallback
  • redirect.withQs(boolean) — overload to explicitly enable/disable query-string forwarding (useful when forwardQueryString: true is set as the default)

Bug Fixes

  • prevent open redirect in redirect back via referrer host validation (29cdb1c)

Full Changelog: v7.8.0...v7.8.1

Add isValidRedirectUrl helper to be re-used by other packages

Choose a tag to compare

@github-actions github-actions released this 09 Apr 09:04

8.2.0 (2026-04-09)

Features

  • add isValidRedirectUrl helper, ctx on Redirect, and helper tests (2008fb6)

Full Changelog: v8.1.3...v8.2.0

Secure redirect-back with host validation and new configuration options

Choose a tag to compare

@github-actions github-actions released this 09 Apr 06:46

8.1.3 (2026-04-09)

Redirect back now validates the referrer URL against the request's Host header and a configurable allowedHosts list, preventing open-redirect vulnerabilities.

Additions

  • getPreviousUrl helper, available on both the HttpRequest and Redirect classes, for resolving the previous URL in one place.
  • Redirect extends Macroable, so you can override getPreviousUrl with your own resolution logic (for example, reading from a session)
  • forwardQueryString config option to control the default behavior.
  • redirect.withQs(boolean) overload for per-call control over query-string forwarding

Bug Fixes

  • prevent open redirect in redirect back via referrer host validation (ebba697)

Full Changelog: v8.1.2...v8.1.3

Catch malformed URIs and return 400

Choose a tag to compare

@github-actions github-actions released this 07 Apr 05:04

8.1.2 (2026-04-07)

Bug Fixes

  • return 400 for requests with malformed percent-encoded URIs (e96808e), closes #118

Full Changelog: v8.1.1...v8.1.2

Fix build issue

Choose a tag to compare

@github-actions github-actions released this 20 Mar 14:15

8.1.1 (2026-03-20)

Bug Fixes

  • rollback tsdown version for now (2f86348), closes #116