With this release, we are announcing a series of minor improvements to the platform.
Botstopper
Cookies sent by botstopper are now flagged as HttpOnly and Secure. The Secure flag is possible because we only enable botstopper on the HTTPS vhosts. These changes were needed for better compatibility across various websites on the platform. In effect, this now allows for the following:
- Secure cross-site requests are not obstructed by the botstopper
  - Browsers only send SameSite=None cookies when they’re also Secure, so the new Secure flag is what lets these through
  - Application cookie settings may still be a constraint here, but botstopper is out of the equation
- Sites with strict cookie consent policies now work out of the box
  - With the HttpOnly flag set, cookie consent managers are not able to see the botstopper cookies, nor can they delete them
While we were changing the cookie flags, we also corrected the cookie name prefix. For example, the auth cookie name used to be hnbotstopper--auth, now it’s hnbotstopper-auth.
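To check a site against the changes described above, the following Python script audits Set-Cookie header values. It is an added example, not Hypernode's code. The function names, the sample headers and the application cookie names (shop_session, frontend) are constructed for illustration; only the hnbotstopper-auth and hnbotstopper--auth names come from this note.

```python
OLD_PREFIX = "hnbotstopper--"  # cookie name prefix before this release
NEW_PREFIX = "hnbotstopper-"   # corrected prefix (also matches the old one)

def parse_set_cookie(header):
    """Return (name, attrs) for one Set-Cookie value; attribute keys lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
    return name, attrs

def audit(headers):
    """Map each cookie name to a list of findings (an empty list means OK)."""
    report = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        findings = []
        # Applies to every cookie: browsers reject SameSite=None without Secure,
        # so an application cookie can still block cross-site flows.
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            findings.append("SameSite=None without Secure")
        # Botstopper cookies: expect the corrected prefix and both flags.
        if name.startswith(NEW_PREFIX):
            if name.startswith(OLD_PREFIX):
                findings.append("old double-dash prefix")
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append("missing " + flag)
        report[name] = findings
    return report

# Constructed sample headers (attribute values are assumptions, not captured traffic).
SAMPLE = [
    "hnbotstopper-auth=abc123; Path=/; HttpOnly; Secure",
    "hnbotstopper--auth=abc123; Path=/",
    "shop_session=xyz; Path=/; SameSite=None",
    "frontend=ok; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", ", ".join(findings) or "ok")
```
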
The botstopper log now contains the Weight attribute, which can be useful when diagnosing weighting behavior or configuration.
It’s now also possible to define rules matching specific country codes. See our documentation for an example.
Nginx
Some small improvements to nginx have been made as well:
- The nginx config reloader now detects when a directory symlink changes (either the direct target or the resolved target changes)
- The geoip-database package has been updated to the latest upstream Debian version
- Nginx now uses the IPv6 database for geoip lookups, allowing for country lookups for both IPv4 and IPv6
  - While Hypernode doesn’t make use of IPv6, it still receives increasing amounts of traffic from CDNs that do support IPv6