Nette Http 3.4.0 has been released

David Grudl

A new version of Nette Http 3.4.0 is out. The two headline features each got their own article:

  • SSRF protection – new UrlValidator and IPAddress classes block Server-Side Request Forgery in a single line, covering private ranges, cloud metadata, IPv4-mapped IPv6 and DNS rebinding (article)
  • End of CSRF cookies – the new Request::isFrom() method detects a request's origin from the Sec-Fetch-* headers, so protection becomes stateless and can finally tell same-origin from same-site (article)

Other new features:

  • Modern cookies: setCookie() now sends Max-Age, supports partitioned cookies (CHIPS) via partitioned: true, and auto-enforces Secure for SameSite=None or partitioned cookies
  • New SameSite enum (SameSite::Lax etc.) accepted by setCookie() and Session::setCookieParameters(); the old string constants are deprecated
  • Unified expiration handling across setCookie(), Session::setExpiration() and session sections: a number is a relative number of seconds, a string is an interval ('20 minutes') or a date; setCookie() also accepts DateTimeInterface. A session cookie is now represented by null
  • detectLanguage() understands the * wildcard in the Accept-Language header (commonly sent by API clients and bots)
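The cookie rules listed above (relative seconds, interval or date string, DateTimeInterface, null for a session cookie, and Secure being forced for SameSite=None or partitioned cookies) modelled in one small Set-Cookie builder. This is an added illustration written for this post, not Nette's own code; the SameSite enum and the function names are local stand-ins, and the Nette Http classes are not used.

```php
<?php
declare(strict_types=1);

// Local stand-in for the new SameSite enum (not Nette's class).
enum SameSite: string { case Lax = 'Lax'; case Strict = 'Strict'; case None = 'None'; }

/** Maps the documented expiration forms to a Max-Age in seconds; null means a session cookie. */
function expirationToMaxAge(int|string|\DateTimeInterface|null $expire, \DateTimeImmutable $now): ?int
{
    if ($expire === null) {
        return null;                    // session cookie: no Max-Age is emitted
    }
    if (is_int($expire)) {
        return max(0, $expire);         // a number is relative seconds (absolute timestamps are deprecated)
    }
    if (is_string($expire)) {           // an interval ('20 minutes') or a date, measured from $now
        $parsed = $now->modify($expire);
        if ($parsed === false) {
            throw new \InvalidArgumentException("Unparseable expiration: $expire");
        }
        $expire = $parsed;
    }
    return max(0, $expire->getTimestamp() - $now->getTimestamp());
}

/** Builds a Set-Cookie header value following the rules described in the release notes. */
function buildSetCookie(
    string $name,
    string $value,
    int|string|\DateTimeInterface|null $expire,
    SameSite $sameSite = SameSite::Lax,
    bool $partitioned = false,
    bool $secure = false,
    \DateTimeImmutable $now = new \DateTimeImmutable(),
): string {
    $parts = [rawurlencode($name) . '=' . rawurlencode($value), 'Path=/', 'HttpOnly'];
    $maxAge = expirationToMaxAge($expire, $now);
    if ($maxAge !== null) {
        $parts[] = 'Max-Age=' . $maxAge;
    }
    // Browsers reject SameSite=None and Partitioned (CHIPS) cookies without Secure, so force it on.
    if ($sameSite === SameSite::None || $partitioned) {
        $secure = true;
    }
    $parts[] = 'SameSite=' . $sameSite->value;
    if ($secure)      { $parts[] = 'Secure'; }
    if ($partitioned) { $parts[] = 'Partitioned'; }
    return implode('; ', $parts);
}

// Constructed sample calls with a fixed clock so the output is deterministic.
$now = new \DateTimeImmutable('2024-01-01 12:00:00');
echo buildSetCookie('sid', 'abc', '20 minutes', now: $now), "\n";
echo buildSetCookie('emb', 'x', null, SameSite::None, partitioned: true, now: $now), "\n";
```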

Changes:

  • isSameSite() is deprecated and now delegates to isFrom()
  • Passing an absolute UNIX timestamp as expiration is deprecated
  • Requires PHP 8.3+
  • The deprecated Request::getRemoteHost() returns null; the long-deprecated UserStorage class was removed

Full release: https://github.com/…s/tag/v3.4.0