1.6.0

• Added a forced_ssl.hsts_preload flag to allow adding the preload attribute on HSTS headers

1.5.0

• Added ability to have different configs for both reported and enforced CSP rules
• Added support for ALLOW and ALLOW FROM syntaxes in the Clickjacking Protection
• Added support for HHvM and PHP 5.6
• Fixed enabling of cookie signing when the cookie list is empty

1.4.0

• Added default controller to log CSP violations
• Added a flag to remove outdated non-standard CSP headers and only send the Content-Security-Policy one

1.3.0

• Added support for setting the X-Content-Type-Options header

1.2.0

• Added Content-Security-Policy (CSP) 1.0 support
• Added forced_ssl.whitelist property to define URLs that do not need to be force-redirected
• Fixed session loss bug on 404 URLs in the CookieSessionHandler