bump and docs 4.0.0.alpha01

github · Jul 24, 2017 · a410f15 · a410f15
1 parent 4813308
commit a410f15
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,6 @@
 ## 4.x
 
-- `script_src` is required to be set in CSP configs. Falling back to *any* `default-src` can be bad. It's certainly possible for this to not cause a problem but better safe than sorry.
-- The default CSP has been changed: `default-src 'self', form-action 'self'; object-src 'none'; script-src https:; style-src 'self' 'unsafe-inline' https:` This policy is "more secure" and more reasonable.
+- See the [upgrading to 4.0](upgrading-to-4.0.md) guide. Lots of breaking changes.
 
 ## 3.6.5
 

diff --git a/secure_headers.gemspec b/secure_headers.gemspec
@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 Gem::Specification.new do |gem|
   gem.name          = "secure_headers"
-  gem.version       = "4.x.x"
+  gem.version       = "4.0.0.alpha01"
   gem.authors       = ["Neil Matatall"]
   gem.email         = ["[email protected]"]
   gem.description   = "Manages application of security headers with many safe defaults."

diff --git a/upgrading-to-4-0.md b/upgrading-to-4-0.md
@@ -1,6 +1,6 @@
 ### Breaking Changes
 
-The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break.
+The most likely change to break your app is the new cookie defaults. This is the first place to check. If you're using the default CSP, your policy will change but your app should not break. This should not break brand new projects using secure_headers either.
 
 ## All cookies default to secure/httponly/SameSite=Lax