Release Notes

Releases

Release

Date

Notes

1.1.25

2025-04-24

1.1.24

2025-03-23

1.1.23

2025-03-30

1.1.22

2025-02-19

1.1.21

2025-01-21

1.1.20

2024-12-01

1.1.19

2024-11-10

1.1.18

2024-10-01

1.1.17

2024-09-24

1.1.16

2024-08-25

1.1.15

2024-08-01

1.1.14

2024-07-08

1.1.13

2024-07-02

1.1.12

2024-06-07

1.1.11

2024-06-03

1.1.10

2024-05-27

1.1.9

2024-04-18

1.1.8

2024-04-10

1.1.7

2024-03-11

1.1.6

2024-02-20

1.1.5

2024-02-12

1.1.4

2024-02-04

1.1.3

2023-12-28

1.1.2

2023-12-03

1.1.0

2023-09-10

1.0.1

2023-08-24

1.0.0

2023-07-25

0.9.1-rc

2023-06-02

0.9.0-rc

2023-05-06

0.8.0-rc

2023-05-02

1.2242.1-rc1

2022-10-25

initial open-source release

Limitations

We are constantly working on resolving the limitations listed here and adding enhanced functionality.

Declarative Management:

Kubernetes:

SOLVED For v1beta2: Kong Declarative configuration for open-appsec for Kong requires Ingress Resource which the open-appsec Annotation can be added to. Currently doesn't work if there are no ingress resources available and traffic is sent to Kong Gateway directly. (Workaround if there are no ingress resources: Use central management)
SOLVED For v1beta2: Only ingress resource rules that specify both keys are supported: host and path. Specifying just the path is not supported. In that case either add the host key as a temporary fix to your ingress rules if currently missing, or switch to WebUI (SaaS) management instead of local declarative management. This will be fixed soon. (Note: This does not impact the optional specific rules as defined in the open-appsec policy CRD.)
SOLVED For v1beta2: Only one exception can be added in a declarative mode in K8s

All environments:

SOLVED For v1beta2: Snort signature, API schema, and Anti Bot: defining Snort signatures and API schema is not supported yet (this is supported when using central Management via WebUI (SaaS))
SOLVED For v1beta2: Custom Response: "Redirect" action in CustomResponse CRD/config is not supported (use "block-page" or "response-code-only" options until this is available)
SOLVED For v1beta2: Custom Response: "Response code only" action is not supported for deployments intergrated with Envoy (use "block-page" until this is available) . This will be added later.
Exceptions: only the operator "=" is supported.

General:

Log Trigger Response body: In the log trigger setting "Response body" to true can affect traffic.
SELinux: open-appsec Linux servers: SELinux in “Enforced” mode is not supported. When SELinux is used in “Enforced” mode on the machine running the reverse proxy server and the agent, deployment of the agent might fail during registration. SELinux in “Enforced” mode, blocks the registration attempt.
Country-based Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the keys Country Name or Country Code cannot be defined with additional conditions based on other keys in the same exception.
- There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using country code/name, and others using other keys.
Source Ip Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the key Source IP cannot be defined with additional conditions based on other keys in the same exception.
- There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using Source IP and others using other keys.
Parameter Name / Value Exceptions rules: Drop Rules With Parameter Name and / or Parameter Value are not supported.
Country-based Exception rules: are only supported in managed tenants (Declarative / Management)
Containerized agents running version 1.1.9 or earlier cannot be upgraded directly to version 1.1.21 or newer
- As a best practice, we recommend periodically upgrading the agent container to ensure you have the latest software updates.

SaaS Management (WebUI):

Creating a second tenant using the same email address is not supported (the user can be added to another tenant with another main email address as an additional user)
WildCard asset: you can only have a single asset using wildcard resource for each HTTP as well as HTTPS (e.g.: http://* and https://* ) per tenant. This will be resolved soon.
Social log-in: Adding Google or GitHub users as additional users to a tenant is not supported (use regular users with email addresses instead)
Different Log Trigger, user response and exceptions per Practice:
Currently, this behavior is unsupported. The configuration the Web Attacks practice will apply to all other security practices.

Platform support:

Temporarily Fedora is not supported for Linux-embedded installations (consider using Docker-based deployment instead)
Ambassador support is not available yet

Previousopen-appsec Video Tutorials NextGetting Started

Last updated 1 month ago

Was this helpful?

Release Notes

Releases

Release

Date

Notes

1.1.25

2025-04-24

1.1.24

2025-03-23

1.1.23

2025-03-30

1.1.22

2025-02-19

1.1.21

2025-01-21

1.1.20

2024-12-01

1.1.19

2024-11-10

1.1.18

2024-10-01

1.1.17

2024-09-24

1.1.16

2024-08-25

1.1.15

2024-08-01

1.1.14

2024-07-08

1.1.13

2024-07-02

1.1.12

2024-06-07

1.1.11

2024-06-03

1.1.10

2024-05-27

1.1.9

2024-04-18

1.1.8

2024-04-10

1.1.7

2024-03-11

1.1.6

2024-02-20

1.1.5

2024-02-12

1.1.4

2024-02-04

1.1.3

2023-12-28

1.1.2

2023-12-03

1.1.0

2023-09-10

1.0.1

2023-08-24

1.0.0

2023-07-25

first "stable" release "latest"

0.9.1-rc

2023-06-02

0.9.0-rc

2023-05-06

0.8.0-rc

2023-05-02

1.2242.1-rc1

2022-10-25

initial open-source release

Limitations

We are constantly working on resolving the limitations listed here and adding enhanced functionality.

Let us know via the open-appsec or our Website if you identified a potential issue/limitation or via our Website as well if you have any ideas/requirements for additional features.

Declarative Management:

Kubernetes:

SOLVED For v1beta2: Kong Declarative configuration for open-appsec for Kong requires Ingress Resource which the open-appsec Annotation can be added to. Currently doesn't work if there are no ingress resources available and traffic is sent to Kong Gateway directly. (Workaround if there are no ingress resources: Use central management)
SOLVED For v1beta2: Only ingress resource rules that specify both keys are supported: host and path. Specifying just the path is not supported. In that case either add the host key as a temporary fix to your ingress rules if currently missing, or switch to WebUI (SaaS) management instead of local declarative management. This will be fixed soon. (Note: This does not impact the optional specific rules as defined in the open-appsec policy CRD.)
SOLVED For v1beta2: Only one exception can be added in a declarative mode in K8s

All environments:

SOLVED For v1beta2: Snort signature, API schema, and Anti Bot: defining Snort signatures and API schema is not supported yet (this is supported when using central Management via WebUI (SaaS))
SOLVED For v1beta2: Custom Response: "Redirect" action in CustomResponse CRD/config is not supported (use "block-page" or "response-code-only" options until this is available)
SOLVED For v1beta2: Custom Response: "Response code only" action is not supported for deployments intergrated with Envoy (use "block-page" until this is available) . This will be added later.
Exceptions: only the operator "=" is supported.

General:

Log Trigger Response body: In the log trigger setting "Response body" to true can affect traffic.
SELinux: open-appsec Linux servers: SELinux in “Enforced” mode is not supported. When SELinux is used in “Enforced” mode on the machine running the reverse proxy server and the agent, deployment of the agent might fail during registration. SELinux in “Enforced” mode, blocks the registration attempt.
Country-based Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the keys Country Name or Country Code cannot be defined with additional conditions based on other keys in the same exception.
- There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using country code/name, and others using other keys.
Source Ip Exception rules: When configuring exceptions in Asset edit->Exceptions Tab, an exception rule using the key Source IP cannot be defined with additional conditions based on other keys in the same exception.
- There’s an implicit OR logic between different exception rules, so it is possible to define different exception rules, some using Source IP and others using other keys.
Parameter Name / Value Exceptions rules: Drop Rules With Parameter Name and / or Parameter Value are not supported.
Country-based Exception rules: are only supported in managed tenants (Declarative / Management)
Containerized agents running version 1.1.9 or earlier cannot be upgraded directly to version 1.1.21 or newer
- As a best practice, we recommend periodically upgrading the agent container to ensure you have the latest software updates.

SaaS Management (WebUI):

Creating a second tenant using the same email address is not supported (the user can be added to another tenant with another main email address as an additional user)
WildCard asset: you can only have a single asset using wildcard resource for each HTTP as well as HTTPS (e.g.: http://* and https://* ) per tenant. This will be resolved soon.
Social log-in: Adding Google or GitHub users as additional users to a tenant is not supported (use regular users with email addresses instead)
Different Log Trigger, user response and exceptions per Practice:
Currently, this behavior is unsupported. The configuration the Web Attacks practice will apply to all other security practices.

Platform support:

Temporarily Fedora is not supported for Linux-embedded installations (consider using Docker-based deployment instead)
Ambassador support is not available yet

Previousopen-appsec Video Tutorials NextGetting Started

Last updated 1 month ago

Was this helpful?