Releases: adonisjs/http-server
Release list
Escape exception messages in HTML responses and add request.prefetch method
9.1.0 (2026-06-22)
Bug Fixes
- escape exception messages in HTML responses (5d7465d)
Features
- add request.prefetch() to detect speculative prefetch requests (550f429)
What's Changed
- chore: harden release workflow for supply-chain security by @thetutlage in #120
- chore(deps): bump actions/stale from 9 to 10 by @dependabot[bot] in #122
- chore(deps): bump actions/setup-node from 4.4.0 to 6.4.0 by @dependabot[bot] in #124
- chore(deps): bump actions/checkout from 4 to 6 by @dependabot[bot] in #123
Full Changelog: v9.0.2...v9.1.0
Escape exception messages in HTML responses
8.2.1 (2026-06-22)
Bug Fixes
- escape exception messages in HTML responses (71a0a8e)
Full Changelog: v8.2.0...v8.2.1
Make Router class macroable to be extended from outside-in
9.0.2 (2026-05-27)
Bug Fixes
What's Changed
- fix: Router should be Macroable by @ThisIsMissEm in #119
Full Changelog: v9.0.1...v9.0.2
Use internal host method when returning request authority
9.0.1 (2026-05-25)
Bug Fixes
- use internal host method when fetching request authority (0a30965)
Full Changelog: v9.0.0...v9.0.1
HTTP/2 authority support for redirect referrer validation
Added
HttpRequest#authority()— returns the HTTP/2:authoritypseudo-header, falling back to theHostheader
when:authorityis absent. Unlikehost(), it ignoresX-Forwarded-HostandtrustProxy, since no proxy
convention forwards the original:authority.
Fixed
- Referrer validation on HTTP/2 —
getPreviousUrl(used by redirect-back) now validates theRefereragainst
request.authority()instead of readingheaders['host']directly. On HTTP/2 theHostheader can be absent
(authority carried by:authority), which previously broke referrer-host matching. Redirect#getPreviousUrl— throws a clearRuntimeExceptionwhen theRedirectinstance has no HTTP context,
instead of a crypticCannot read properties of undefined.- Test factories —
HttpRequestFactoryandHttpResponseFactorynow wire anHttpContext, sorequest.ctx/
response.ctxare populated, matching runtime. Factory-created responses can now useresponse.redirect().back().
Breaking changes
getPreviousUrlhelper signature changed from(headers, allowedHosts, fallback)to(request, allowedHosts, fallback)— now takes the AdonisJSHttpRequestinstance instead of rawIncomingHttpHeaders. Affects only direct
importers of the helper;request.getPreviousUrl()andredirect().back()are unchanged.
Full Changelog: v8.2.0...v9.0.0
Security fix: open redirect in response.redirect().back()
7.8.1 (2026-04-14)
Fixes an open redirect vulnerability in response.redirect().back() where a crafted Referer header could redirect users to an attacker-controlled destination. The referrer is now validated against the request's Host header and a configurable allowedHosts list; invalid or cross-host referrers fall through to a safe fallback. Backported from 8.x (8.1.3).
response.redirect().back() no longer blindly trusts the Referer header. If the referrer host does not match the request host and is not listed in redirect.allowedHosts, back() now returns the fallback (/ by default). Apps that legitimately redirect back to an external host must add it to allowedHosts.
defineConfig({
redirect: {
allowedHosts: [], // extra hosts accepted as referrers
forwardQueryString: false // default for .withQs() on redirects
}
})Features
isValidRedirectUrl(url, currentHost?, allowedHosts?)— reusable URL validator (rejects protocol-relative//evil.com, validates absolute URL hosts)getPreviousUrl(headers, allowedHosts, fallback)— helper used internallyrequest.getPreviousUrl(allowedHosts, fallback?)— exposed onHttpRequestredirect.getPreviousUrl(fallback)— exposed onRedirectredirect.back(fallback = '/')—back()now accepts a custom fallbackredirect.withQs(boolean)— overload to explicitly enable/disable query-string forwarding (useful whenforwardQueryString: trueis set as the default)
Bug Fixes
- prevent open redirect in redirect back via referrer host validation (29cdb1c)
Full Changelog: v7.8.0...v7.8.1
Add isValidRedirectUrl helper to be re-used by other packages
8.2.0 (2026-04-09)
Features
- add isValidRedirectUrl helper, ctx on Redirect, and helper tests (2008fb6)
Full Changelog: v8.1.3...v8.2.0
Secure redirect-back with host validation and new configuration options
8.1.3 (2026-04-09)
Redirect back now validates the referrer URL against the request's Host header and a configurable allowedHosts list, preventing open-redirect vulnerabilities.
Additions
getPreviousUrlhelper, available on both theHttpRequestandRedirectclasses, for resolving the previous URL in one place.RedirectextendsMacroable, so you can overridegetPreviousUrlwith your own resolution logic (for example, reading from a session)forwardQueryStringconfig option to control the default behavior.redirect.withQs(boolean)overload for per-call control over query-string forwarding
Bug Fixes
- prevent open redirect in redirect back via referrer host validation (ebba697)
Full Changelog: v8.1.2...v8.1.3