Releases: adonisjs/http-server
Security fix: open redirect in response.redirect().back()
7.8.1 (2026-04-14)
Fixes an open redirect vulnerability in response.redirect().back() where a crafted Referer header could redirect users to an attacker-controlled destination. The referrer is now validated against the request's Host header and a configurable allowedHosts list; invalid or cross-host referrers fall through to a safe fallback. Backported from 8.x (8.1.3).
response.redirect().back() no longer blindly trusts the Referer header. If the referrer host does not match the request host and is not listed in redirect.allowedHosts, back() now returns the fallback (/ by default). Apps that legitimately redirect back to an external host must add it to allowedHosts.
```ts
defineConfig({
  redirect: {
    allowedHosts: [], // extra hosts accepted as referrers
    forwardQueryString: false, // default for .withQs() on redirects
  },
})
```
Features
- isValidRedirectUrl(url, currentHost?, allowedHosts?) — reusable URL validator (rejects protocol-relative //evil.com, validates absolute URL hosts)
- getPreviousUrl(headers, allowedHosts, fallback) — helper used internally
- request.getPreviousUrl(allowedHosts, fallback?) — exposed on HttpRequest
- redirect.getPreviousUrl(fallback) — exposed on Redirect
- redirect.back(fallback = '/') — back() now accepts a custom fallback
- redirect.withQs(boolean) — overload to explicitly enable/disable query-string forwarding (useful when forwardQueryString: true is set as the default)
Bug Fixes
- prevent open redirect in redirect back via referrer host validation (29cdb1c)
Full Changelog: v7.8.0...v7.8.1
Add isValidRedirectUrl helper to be re-used by other packages
8.2.0 (2026-04-09)
Features
- add isValidRedirectUrl helper, ctx on Redirect, and helper tests (2008fb6)
Full Changelog: v8.1.3...v8.2.0
Secure redirect-back with host validation and new configuration options
8.1.3 (2026-04-09)
Redirect back now validates the referrer URL against the request's Host header and a configurable allowedHosts list, preventing open-redirect vulnerabilities.
Additions
- getPreviousUrl helper, available on both the HttpRequest and Redirect classes, for resolving the previous URL in one place.
- Redirect extends Macroable, so you can override getPreviousUrl with your own resolution logic (for example, reading from a session).
- forwardQueryString config option to control the default behavior.
- redirect.withQs(boolean) overload for per-call control over query-string forwarding.
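The referrer check described for 7.8.1 and 8.1.3 (request Host comparison, allowedHosts list, safe fallback), as an added example written here and not the http-server package's own code. The function names mirror the helpers listed in the notes; their bodies, the plain-object header shape and the sample hosts are assumptions of this example.

```javascript
// Added example, not the http-server implementation: a referrer validator
// in the shape the release notes describe. Names mirror the notes; bodies,
// the header object shape and the hosts used are assumptions.

const SAFE_PROTOCOLS = new Set(['http:', 'https:'])

// Parse `candidate` (absolute or relative) against the current host and
// return a URL only if it is http(s) and its host is the request host or
// one of `allowedHosts`. Resolving relative input against the current host
// means protocol-relative values such as "//evil.com" or "/\evil.com"
// resolve to a foreign host and fail the host comparison.
function parseRedirectUrl(candidate, currentHost, allowedHosts = []) {
  let url
  try {
    url = new URL(candidate, `http://${currentHost}`)
  } catch {
    return null // unparsable input is never a valid destination
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return null // javascript:, data:, ...
  const host = url.host.toLowerCase() // includes the port, if any
  const allowed =
    host === currentHost.toLowerCase() ||
    allowedHosts.some((h) => h.toLowerCase() === host)
  return allowed ? url : null
}

function isValidRedirectUrl(candidate, currentHost, allowedHosts = []) {
  return parseRedirectUrl(candidate, currentHost, allowedHosts) !== null
}

// Resolve the destination for a redirect-back from the request headers.
// Missing, malformed, cross-host and non-http referrers all fall through
// to `fallback` instead of being echoed into the Location header.
function getPreviousUrl(headers, allowedHosts = [], fallback = '/') {
  const referrer = headers.referer ?? headers.referrer
  if (!referrer || !headers.host) return fallback
  const url = parseRedirectUrl(referrer, headers.host, allowedHosts)
  if (!url) return fallback
  // Rebuild from origin + path + query so userinfo ("user@host") and other
  // odd spellings in the raw header do not survive into the redirect.
  return `${url.origin}${url.pathname}${url.search}`
}
```

Apps that expect to land on an external host after back() must list it in allowedHosts, exactly as the notes state; everything else resolves to the fallback.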
Bug Fixes
- prevent open redirect in redirect back via referrer host validation (ebba697)
Full Changelog: v8.1.2...v8.1.3
Catch malformed URIs and return 400
Fix build issue
Pass original trust proxy fn to getIp method
8.1.0 (2026-03-20)
Features
- client: add defaultOptions to createUrlBuilder (#115) (e1e008a)
- make getIp method arguments types and pass originalFn to it to piggy back on proxyaddr (725b238)
What's Changed
- feat(client): add defaultOptions to createUrlBuilder by @Julien-R44 in #115
Full Changelog: v8.0.0...v8.1.0
Type-safe URL builder, platform-native Request/Response support, response serializers and much more
8.0.0 (2026-02-25)
Features
Platform-native Response support
You can now return platform-native Response objects directly via the response.send() method. This enables seamless integration with libraries that return standard Response objects, such as Vercel's AI SDK.
```ts
import { streamText } from 'ai'
import { openai } from '@ai-sdk/openai'
import type { HttpContext } from '@adonisjs/core/http'

// Illustrative controller wrapping the handler shown in the notes
export default class StoriesController {
  async handle({ response }: HttpContext) {
    const result = await streamText({
      model: openai('gpt-4'),
      prompt: 'Write a story',
    })
    // The platform-native Response is sent as-is (same as response.send(...))
    return result.toUIMessageStreamResponse()
  }
}
```
Custom response serializers
You can now define custom serializers to control how response data is serialized before being sent to the client. This is particularly useful for:
- Adding custom serialization logic for specific data types
- Implementing organization-wide response formatting standards
- Handling special object types
Configuration:
```ts
// config/app.ts
import { defineConfig } from '@adonisjs/core/http'

export const http = defineConfig({
  // Called for every JSON response body before it is written to the client
  serializeJSON: (value) => {
    return JSON.stringify(value)
  },
})
```
Other features
- add form property to url_builder return type (a67d16c)
- add url_builder client and redoc (6d815d0)
- uppercase method name when returning from the url_builder (257a264)
- add appendQueryString helper (ebfd3da)
- export query string module (6977d3b)
- format generated types properly (df3a7c8)
- auto generate route names from controller.method reference (199d1ae)
- add encoreUrl helper (257af47)
- add matchRoute and parseRoute helpers (0114df2)
- add routeInfo and middlewareInfo helpers (bb83bde)
- add serializeCookie helper (3952cfc)
- add type-safe helpers for creating URLs from routes and patterns (d4558a5)
- create proper class for new URLBuilder and make brisk route and redirect APIs type-safe (623fd0c)
- do not render status page for non-HTML requests (f205126), closes #100
- export mime-types package via helpers (eb5d0af)
- first version of generating the URL builder client (7aa48d9)
- introduce a new type safe URLBuilder with the ability to generate types (6181a50)
- introduce config.createRequestId method and remove usage of cuid2 (4e19034)
- introduce tracing channels (44e272f)
- move tokens to route JSON output (f2cd82d)
- remove StoreRouteNode in favor of RouteJSON (c091c13)
- restructure code for client generation and create client build (7bdc4b6)
- speed up response serialization (36ef522)
- store references for all middlewares (ed3ef29)
- trace non-stream response serialization (4069c2d)
BREAKING CHANGES
Renamed Request and Response classes
Migration required: The Request and Response classes have been renamed to HttpRequest and HttpResponse to avoid conflicts with platform-native global classes.
What you need to do:
Update your imports and type annotations:
```ts
// Before
import { Request, Response } from '@adonisjs/core/http'
// After
import { HttpRequest, HttpResponse } from '@adonisjs/core/http'
```
Why this change? Modern JavaScript runtimes expose native Request and Response classes globally, which created naming conflicts and confusion. This rename provides better clarity and prevents ambiguity between AdonisJS classes and platform-native APIs.
Other breaking changes
- Routes with controllers are implicitly named. Therefore, you might receive an error if two routes use the same Controller + method. To fix the issue, you must explicitly give the routes different names.
- The request.parsedUrl property is no longer of type UrlWithStringQuery, since the url.parse method in Node.js has been deprecated. Instead, we use a custom implementation to decode the URI and split the query string from it.
- The Router.match method now accepts an additional 3rd argument: a boolean flag telling it whether to attempt to decode unicode values in the route params.
- The exception handler will no longer consider status pages when an API request is sent with an Accept header that does not accept an HTML response.
Bug Fixes
- Ensure x-request-id header is always set on responses (#111) (5566086), closes #111
- pending references of Response class (ab5694a)
- accidental removal of safeStringify (1dcbc57)
- decodeURI unicode values in the URL, including route params and query string (f0c045d), closes #105
What's Changed
- Ensure x-request-id header is always set on responses by @ThisIsMissEm in #111
- refactor(encryption): replace adonisjs module with boringnode by @RomainLanz in #113
New Contributors
- @ThisIsMissEm made their first contribution in #111
Full Changelog: v7.6.1...v8.0.0
Update dependencies
8.0.0-next.19 (2026-02-06)
Update @boringnode/encryption to version 1.0.0 and allow its range.