2021-01-14

• Fixed an issue where users with Read-Write access were unable to update a policy which references an IP Group or Custom Regex.

2020-12-02

• Added support for Envoy, an open source edge and service proxy, designed for cloud-native applications. For download and installation instructions see: Installing the Envoy agent.

2020-11-23

• Added support for Rapid7's EU-Central (Europe) datacenter. Please see IPs to allow (EU).

2020-11-02

• All applications will now have the option to upgrade to App Firewall v5 via the Policies page.
• Users may now filter App Firewall Events by IP CIDR Ranges and IP Groups.

2020-16-10

• The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now leverage Snyk.io vulnerability data for the Packages & Vulnerabilities feature. For more information, read about our partnership with Snyk.

2020-13-01

• The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now support the Local Files feature.
• The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now support the OS Commands feature.

2019-07-01

• Migrated tCell users using https://<company>.tcell.io/ to the Rapid7 Insight platform. tCell users will now access their application by logging in through https://insight.rapid7.com. All data will populate into the Rapid7 platform. Please see IPs to allow (US) to find the new list of required IPs.

2018-01-04

• New tCell apps will now have App Firewall v3 rules enabled by default.
• UI Support added to create App Firewall exclusion rules to target events with no path specifically (Null Path). This requires an up-to-date agent: Java 0.4.4+, .NET agent 0.5.1.
• Update name validation to permit non-latin character names for users. Users with punctuation in their names are still out of luck.

2017-12-21

• Users who have created still-existing API keys can now be removed. Previously, it was necessary to manually remove the API keys the user had created. (The association between users and API keys is a service-internal detail, there are no user-exposed controls or access relationships between users and API keys.)

2017-12-19

• The Account Takeover Dashboard, the User Report sub-page (accessed by clicking on a username), City was added to the location information in the bottom table, in addition to Country.
• In the Admin panel, the Users list is now sorted in order of most recent login, with the most recent first, by default.

2017-12-12

• Added support for App Firewall event exclude rules that are disabled. This enables temporary disabling of rules, or creation of rules for review before enabling them.
• Fixed filtering by method type in the App Firewall Details page.
• API support for customer API key key management.
• Several updates to API documentation.

2017-12-07

• Corrected use of capitalized strings in exclude rules for the App Firewall. The UI already tried to help users by lowercasing the entry, but when overriding the value with a capitalized string, the agent in some cases would not match the parameter.
• Fixed grouping of IP location grouping in the UI when using encrypted values for IP addresses.
• A variety of in-ui help texts were improved.

2017-12-05

• Fixed an issue that could prevent data response requests for data across a month period. (Example: in some cases an event list for a month period might not have returned any information.)

2017-11-30

• Now catch requests for time windows over 30 days long in the UI to provide clear feedback that this is not supported.
• Most UI views now refresh to show new data when left idle for a time.

2017-08-29

• Added the ability to create URL-based exclusions to AppFW
• Added input validation for the Path-based blocking feature
• Added AppID field to the downloadable CSV of packages
• CSP misconfig detection improvements
• Fixed a bug that caused Metrics from "null routes" not to show up on the Routes Dashboard
• Addressed UI issues that caused poor rendering of the active agent chart when there were a large number of agents
• Added XXE detection to CMDi detection in AppFW
• Updated documentation for REST APIs

2017-08-16

• Fixed incorrect links displayed on the Clickjacking card in the Newsfeed
• Added an API for retrieval of new vulnerability notification events
• Command Injection (OS Commands) improvement - compound commands will now be whitelisted if individual commands are whitelisted

2017-07-18

• UI - In config download, sort the application list
• UI - when listing vulnerabilities, uniformly use "-" to indicate both info not available, and no vulnerabilities
• UI - IP page would display geolocation of previously viewed IP
• UI - link from vulnerability newsfeed card goes to empty page

2017-06-27

• Added .NET installation instructions to admin view

2017-06-22

• Made improvements to WebHooks Beta - additional fields including app_id and alert-relevant fields
• Fixed a bug with some versions of FireFox not being able to log in via Google Auth
• Fixed a bug that caused whitelisted IPs to be flagged as suspicious

2017-06-20

• Data Exposure feature is now only available only on customer request
• Fixed CORS errors with JSAgent on certain Microsoft browsers

2017-06-16

• Added tCell to the default CSP whitelist
• Added a test button to WebHooks Beta

2017-06-07

• Added new feature - URL-based blocking

2017-06-01

• Limited the maximum length of a login attack to 72hrs

2017-05-17

• Added support to obtain unstripped URIs from AppFW events

2017-04-18

• Added support to add user notes to any whitelisted/blacklisted IP in policy

2017-03-30

• AppFW UI Refresh

2017-03-17

• Made it so whitelisted inline scripts no longer show up on dashboard
• General improvements to the AppFW Event Viewer