• [Plug.SSL] Fix cypher_suite: :strong compatibility

This release requires Elixir v1.14+ and it bumps the recommended :strong and :compatible SSL/TLS ciphers suite to align with modern security standards, prioritizing TLS 1.3 and 1.2. Support for the insecure TLS 1.0 and 1.1 protocols are removed in accordance with RFC 8996.

• [Plug.Router] Allow colon for named segments to be escaped
• [Plug.SSL] Prioritize TLS 1.3 and 1.2 ciphers
• [Plug.SSL] Allow excluding redirects based on hosts, paths, or the connection
• [Plug.Static] Add :raise_on_missing_only
• [Plug.Upload] Partition the uploader to improve performance
• [Plug.Upload] Add API for deleting files

• [Plug.Conn.Adapter] Deprecate :owner field

• [Plug.Debugger] Do not include code snippets in rendered markdown
• [Plug.RewriteOn] Add support to rewrite nonstandard headers

• [Plug.Conn] Define optional get_sock_data/1 and get_ssl_data/1 callbacks
• [Plug.RequestID] Allow metadata key to be customizable
• [Plug.Router] Allow match to dispatch to function plugs

• [Plug.Debugger] Add dark mode and other UI improvements
• [Plug.Debugger] Link Module.function/arity to hexdocs in exception messages
• [Plug.Debugger] Support __RELATIVEFILE__ to PLUG_EDITOR replacements
• [Plug.SSL] Add SSL validation support for certs_keys

• [Plug.Conn.Adapter] Make push an optional callback as it is no longer supported by browsers
• [Plug.Conn] Deprecate req_cookies, cookies, and resp_cookies fields in favor of functions
• [Plug.Conn] Deprecate owner field. Tracking responses is now part of adapters
• [Plug.Test] Deprecate use Plug.Test in favor of imports

• Avoid XSS injection in the debug error page

• Optimize cookie parsing by 10x (10x faster, 10x less memory) on Erlang/OTP 26+

• Support x-forwarded-for in Plug.RewriteOn
• Support MFArgs in Plug.RewriteOn
• Add immutable directive to versioned requests in Plug.Static
• Support disabling MIME type handling in Plug.Static

• Fix bug with discarded connection state in Plug.Debugger
• Parse media types with underscores in them
• Do not crash on max_age set to nil (for consistency)

• Allow setting the port on the connection in tests
• Allow returning {:ok, payload} on inform
• Allow custom exceptions in validate_utf8 option
• Allow skipping sent body on chunked replies

• Add :assign_as option to Plug.RequestId
• Improve performance of Plug.RequestId
• Avoid clashes between Plug nodes
• Add specs to Plug.BasicAuth
• Fix a bug with non-string _method body parameters in Plug.MethodOverride

• Relax requirement on plug_crypto

• Add Plug.Conn.get_session/3 for default value
• Allow Plug.SSL.configure/1 to accept all :ssl options
• Optimize query decoding by 15% to 45% - this removes the previously deprecated :limit MFA and :include_unnamed_parts_at from MULTIPART. This may be backwards incompatible for applications that were relying on ambiguous arguments, such as user[][key]=1&user[][key]=2, which has unspecified parsing behaviour

• Properly deprecate Plug.Adapters.Cowboy before removal

• Add nest_all_json option to JSON parser
• Make action on Plug.Debugger page look like a button
• Better formatting of exceptions on the error page
• Provide stronger response header validation

Require Elixir v1.10+.

• Add Plug.Conn.prepend_req_headers/2 and Plug.Conn.merge_req_headers/2
• Support adapter upgrades with Plug.Conn.upgrade_adapter/3
• Add "Copy to Markdown" button in exception page
• Support exclusive use of tlsv1.3

• Make sure last parameter works within maps

• Deprecate server pushes as they are no longer supported by browsers

• Fix compile-time dependencies in Plug.Builder

• Support :via in Plug.Router.forward/2

• Fix compile-time deps in Plug.Builder
• Do not require routes to be compile-time binaries in Plug.Router.forward/2

• Improve deprecation warnings

• [Plug.Builder] Introduce :copy_opts_to_assign instead of builder_opts/0
• [Plug.Router] Do not introduce compile-time dependencies in Plug.Router

• [Plug.Router] Properly fix regression on Plug.Router helper function accidentally renamed

• [Plug.Router] Fix regression on Plug.Router helper function accidentally renamed

• [Plug.Builder] Do not add compile-time deps to literal options in function plugs
• [Plug.Parsers.MULTIPART] Allow custom conversion of multipart to parameters
• [Plug.Router] Allow suffix matches in the router (such as /feeds/:name.atom)
• [Plug.Session] Allow a list of :rotating_options for rotating session cookies
• [Plug.Static] Allow a list of :encodings to be given for handling static assets
• [Plug.Test] Raise an error when providing path not starting with "/"

• [Plug.Upload] Normalize paths coming from environment variables

• [Plug.Router] Mixing prefix matches with globs is deprecated
• [Plug.Parsers.MULTIPART] Deprecate :include_unnamed_parts_at

• [Plug] Make sure module plugs are compile time dependencies if init mode is compile-time

• [Plug] Accept mime v2.0
• [Plug] Accept telemetry v1.0
• [Plug.Conn] Improve performance of UTF-8 validation
• [Plug.Conn.Adapter] Add API for creating a connection
• [Plug.Static] Allow MFA in :from

• [Plug.Upload] Allow transfer of ownership in Plug.Upload

• [Plug.Debugger] Drop CSP Header when showing error via Plug.Debugger
• [Plug.Test] Populate query_params from Plug.Test.conn/3

• [Plug.RewriteOn] Add a new public to handle x-forwarded headers
• [Plug.Router] Add macro for head requests

• [Plug.CSRFProtection] Do not crash if request body params are not available
• [Plug.Conn.Query] Conform www-url-encoded parsing to whatwg spec

• [Plug.Parsers.MULTIPART] Deprecate passing MFA to MULTIPART in favor of a more composable approach

• [Plug.Conn] Automatically set secure when deleting cookies to fix compatibility with SameSite

• [Plug.SSL] Allow host exclusion to be checked dynamically

• [Plug.Router] Fix router telemetry event to follow Telemetry specification. This corrects the telemetry event added on v1.10.1.

• [Plug] Make :telemetry a required dependency
• [Plug.Test] Populate :query_string when params are passed in

• [Plug] Add Plug.run/3 for running multiple Plugs at runtime
• [Plug] Add Plug.forward/4 for forwarding between Plugs

• [Plug.Conn] Add option to disable uft-8 validation on query strings
• [Plug.Conn] Support :same_site option when writing cookies
• [Plug.Router] Add router dispatch telemetry events
• [Plug.SSL] Support :x_forwarded_host and :x_forwarded_port on :rewrite_on

• [Plug.Test] Ensure parameters are converted to string keys

• [Plug.BasicAuth] Add Plug.BasicAuth
• [Plug.Conn] Add built-in support for signed and encrypted cookies
• [Plug.Exception] Allow to use atoms as statuses in the plug_status field for exceptions

• [Plug.Router] Handle malformed URI as bad requests

• [Plug.Conn.Cookies] Make decode split on ; only, remove $-prefix condition
• [Plug.CSRFProtection] Generate url safe CSRF masks
• [Plug.Parsers] Treat invalid content-types as parsing errors unless :pass is given
• [Plug.Parsers] Ensure parameters are merged when falling back to :pass clause
• [Plug.Parsers] Use HTTP status code 414 when query string is too long
• [Plug.SSL] Rewrite port when rewriting a request coming to a standard port

• [Plug] Make Plug fully compatible with new Elixir child specs
• [Plug.Exception] Add actions to exceptions that implement Plug.Exception and render actions in Plug.Debugger error page
• [Plug.Parsers] Add option to skip utf8 validation
• [Plug.Parsers] Make multipart support MFA for :length limit
• [Plug.Static] Accept MFA for :header option

• When implementing the Plug.Exception protocol, if the new actions function is not implemented, a warning will printed during compilation.

• [Plug.Builder] Ensure init_mode option is respected within the Plug.Builder DSL itself
• [Plug.Session] Fix dropping session with custom max_age

• [Plug.CSRFProtection] Increase entropy and ensure forwards compatibility with future URL-safe CSRF tokens

• [Plug.CSRFProtection] Allow state to be dumped from the session and provide an API to validate both state and tokens
• [Plug.Session.Store] Add get/1 to retrieve the store from a module/atom
• [Plug.Static] Support Nginx range requests
• [Plug.Telemetry] Allow extra options in Plug.Telemetry metadata

• [Plug.Conn] Add get_session/1 for retrieving the whole session
• [Plug.CSRFProtection] Add Plug.CSRFProtection.load_state/2 and Plug.CSRFProtection.dump_state/0 to allow tokens to be generated in other processes
• [Plug.Parsers] Allow unnamed parts in multipart parser via :include_unnamed_parts_at
• [Plug.Router] Wrap router dispatch in a connection checkpoint to avoid losing information attached to the connection in error cases
• [Plug.Telemetry] Add Plug.Telemetry to facilitate with telemetry integration

• [Plug.Conn.Status] Use IANA registered status code for HTTP 425
• [Plug.RequestID] Reduce RequestID size by relying on base64 encoding
• [Plug.Static] Ensure etags are quoted correctly
• [Plug.Static] Ensure vary header is set in 304 response
• [Plug.Static] Omit content-encoding header in 304 responses

• [Plug.Parser.MULTIPART] Support UTF-8 filename encoding in multipart parser
• [Plug.Router] Add builder_opts support to :dispatch plug
• [Plug.SSL] Do not disable client renegotiation
• [Plug.Upload] Raise when we can't write to disk during upload

• [Plug.Adapters.Cowboy] Less verbose output when plug_cowboy is missing
• [Plug.Adapters.Cowboy2] Less verbose output when plug_cowboy is missing

• [Plug] Require Elixir v1.4+
• [Plug.Session] Support MFAs for cookie session secrets
• [Plug.Test] Add put_peer_data
• [Plug.Adapters.Cowboy] Extract into plug_cowboy
• [Plug.Adapters.Cowboy2] Extract into plug_cowboy

• [Plug.SSL] Don't redirect excluded hosts on Plug.SSL

• [Plug] Applications may need to add :plug_cowboy to your deps to use this version

See CHANGELOG in the v1.6 branch.