Changelog History

  • v1.7.0 Changes

    April 26, 2020

    This release of gorilla/csrf changes the default SameSite cookie attribute to address changes in the SameSite spec (see golang/go#36990).

    Previously: The SameSiteDefaultMode in csrf (prior to v1.7.0) would set SameSite on the cookie, which is not valid in some browsers, notably older versions of Chrome/Android. These browsers would not set cookies with this "invalid" attribute.
    Now: The default mode is SameSite=Lax, which is supported by Chrome v51, Firefox v60, Safari v13 and most recent browsers.

    If you're new to SameSite, read the MDN documentation for a great overview of why this attribute helps prevent cookies from being 'leaked' to third-party domains unintentionally.

    • Set SameSite=Lax by default (#136) @elithrar
    • Don't set a default samesite for backwards compatibility (#132) @euank
  • v1.6.2 Changes

    November 21, 2019

    Notable Changes

    This release adds support for SameSite cookies (how they work), introduced in Go v1.11+, which can better scope cookies to first-party requests only (instead of just same-origin).

    See the README for an example.


  • v1.6.1 Changes

    August 26, 2019

    Notable Changes

    This release introduces the TrustedOrigins option, which allows a user to explicitly trust specific Referers. This simplifies the use of this library when the backend domain (issuing the cookie) does not match the front-end domain, such as in Single Page Application architectures.

    This release also fixes a regression in applying the default cookie MaxAge (cookies were being issued as session cookies only). This would typically have gone unnoticed by most users, as the CSRF middleware resets the cookie on each request.


  • v1.6.0 Changes

    June 26, 2019

    Notable Changes

    • We've removed support for versions of Go prior to v1.7 - v1.6 was released over 3.5 years ago (@kisielk making me feel old!)
    • As a result, we've also removed gorilla/context as a dependency, since Go 1.7+ has its own http.Request.Context() implementation
    • Moved our CI to CircleCI - you can see the build dashboard here

    38c9e46 Remove gorilla/context as part of pre-1.7 support (#114)
    3719438 (elithrar/go-mod) [build] Add CircleCI config (#112)
    d162037 [docs] Improve JS header/form instructions (#103)
    40703b8 Update and rename stale to stale.yml (#102)
    1db7df7 Merge pull request #101 from gorilla/stalebot
    472e852 [docs] Add a "Reviewed by Hound" badge (#98)
    abcfd25 (origin/stalebot) Add stalebot config
    f903b4e Update site URL
    10bfafc [docs] Note that developers should check the HTTP method (#91)
    d690280 Merge pull request #88 from gorilla/elithrar/corporate-overlords

  • v1.5.1 Changes

    May 22, 2018

    gorilla/csrf defines a go.mod file and correctly defines a SemVer version (v1.5.1) to support versioning in upcoming releases of Go.

  • v1.5 Changes

    January 08, 2017

    Uses the new request.Context from Go 1.7 automatically when built with Go 1.7. Note that gorilla/context is incompatible with Go 1.7.

    6958173 [doc] Fixed readme mux path prefix (#51)
    10e8fd1 [docs] Fix a few minor typos in examples. (#54)
    fdae182 docs: fix minor typo (#50)
    7f54448 [docs] Fix incorrect function name in docs (#49)
    bbe6687 [docs] Fix syntax typo (#48)
    0ff6a2c [docs] Improve commented code (#46)
    a8abe8a [docs] Mentions passing csrf.Secure(false) in local dev environments.
    a9c30ae [bugfix] Remove dependency on gorilla/context for go1.7+ (#42)
    4642ecf [bugfix] Support a cookie MaxAge of 0. (#39)
    101aaa4 Merge branch 'master' of
    2a06c32 [ci] Add 1.6; skip install block; don't simplify.
    0bb4971 [deps] Move from errors ->
    dd1bce8 [deps] Move from errors ->

  • v1.4 Changes

    June 02, 2016

    • With Go 1.7's net/http package growing support for context.Context as part of http.Request, gorilla/csrf now uses the context to pass CSRF tokens and other metadata alongside the request instead of gorilla/context.
    • NOTE: There is a minor breaking change with UnsafeSkipCheck - it now returns a *http.Request. Existing applications will "fail closed" (i.e. CSRF will be enforced again). Since this was a relatively new feature (less than a week old) the impact of this should be very minor.
  • v1.3 Changes

    February 24, 2016

    v1.3 includes an important security fix for users of Go 1.2 (Debian <=7, Ubuntu <=14.10, etc.). This would cause token comparison to fail: !topic/gorilla-web/G3aIFrm0LVI

    • [bugfix] Token comparison could fail on versions of Go < 1.3.
    • [ci] Updated Travis to use matrix builds.
  • v1.2 Changes

    December 06, 2015

    • [feature] Custom field names are now passed to TemplateField implicitly.
    • [feature] Expose an Option type for building functional options.
    • [ci] Run go vet, gofmt and the race detector during tests

    ADDENDUM:

    Note that gorilla/csrf respects SemVer as defined at but will not make backward-incompatible changes unless a security fix requires it (which is extremely unlikely given the small API of the package!). "MINOR" versions as defined in SemVer will encapsulate additions to the API or resolving implicit behaviour, whereas "PATCH" versions will typically encapsulate documentation changes or clarifications.

  • v1.1

    October 19, 2015