- Fixed an issue where users with Read-Write access were unable to update a policy which references an IP Group or Custom Regex.
- Added support for Envoy, an open source edge and service proxy designed for cloud-native applications. For download and installation instructions, see Installing the Envoy agent.
- Added support for Rapid7's EU-Central (Europe) datacenter. Please see IPs to allow (EU).
Upgrading to App Firewall v5
Upgrading requires updating the tCell agent deployed on your application. We recommend upgrading to the latest version of the agent; to find the minimum required version, see the agent-specific release notes.
- The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now leverage Snyk.io vulnerability data for the Packages & Vulnerabilities feature. For more information, read about our partnership with Snyk.
- The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now support the Local Files feature.
- The Java, Node.js, .NET, .NET Core, Python, and Ruby agents now support the OS Commands feature.
- Migrated tCell users who accessed https://<company>.tcell.io/ to the Rapid7 Insight platform. tCell users now access their applications by logging in through https://insight.rapid7.com, and all data populates into the Rapid7 platform. See IPs to allow (US) for the new list of required IPs.
- New tCell apps will now have App Firewall v3 rules enabled by default.
- Added UI support for creating App Firewall exclusion rules that specifically target events with no path (Null Path). This requires an up-to-date agent: Java agent 0.4.4 or later, .NET agent 0.5.1.
- Updated name validation to permit non-Latin characters in user names. Punctuation in user names is still not permitted.
- Users who have created API keys that still exist can now be removed. Previously, the API keys the user had created had to be removed manually first. The association between users and API keys is a service-internal detail; there are no user-exposed controls or access relationships between users and API keys, so removing a user does not by itself revoke the keys that user created. Revoke any key that should no longer be valid separately.
- On the Account Takeover Dashboard's User Report sub-page (accessed by clicking on a username), City was added to the location information in the bottom table, in addition to Country.
- In the Admin panel, the Users list is now sorted in order of most recent login, with the most recent first, by default.
- Added support for App Firewall event exclude rules that are disabled. This enables temporary disabling of rules, or creation of rules for review before enabling them.
- Fixed filtering by method type in the App Firewall Details page.
- Added API support for customer API key management.
- Several updates to API documentation.
- Corrected the handling of capitalized strings in App Firewall exclude rules. The UI already lowercased entries, but when a value was overridden with a capitalized string, the agent in some cases would not match the parameter.
- Fixed IP location grouping in the UI when encrypted values are used for IP addresses.
- Improved a variety of in-UI help texts.
- Fixed an issue that could prevent requests for data spanning a full month from returning results (for example, in some cases an event list for a one-month period returned nothing).
- The UI now catches requests for time windows longer than 30 days and gives clear feedback that this is not supported.
- Most UI views now refresh to show new data when left idle for a time.
- Added the ability to create URL-based exclusions to AppFW
- Added input validation for the Path-based blocking feature
- Added AppID field to the downloadable CSV of packages
- Improved CSP misconfiguration detection
- Fixed a bug that caused Metrics from "null routes" not to show up on the Routes Dashboard
- Addressed UI issues that caused poor rendering of the active agent chart when there were a large number of agents
- Added XXE (XML External Entity) detection to the command injection (CMDi) detection in AppFW
- Updated documentation for REST APIs
- Fixed incorrect links displayed on the Clickjacking card in the Newsfeed
- Added an API for retrieval of new vulnerability notification events
- Command Injection (OS Commands) improvement: a compound command is now whitelisted if each of its individual commands is whitelisted
- UI - The application list in the config download is now sorted
- UI - When listing vulnerabilities, "-" is now used uniformly to indicate both that information is not available and that there are no vulnerabilities
- UI - Fixed: the IP page displayed the geolocation of the previously viewed IP
- UI - Fixed: the link from the vulnerability newsfeed card went to an empty page
- Added .NET installation instructions to admin view
- Improved WebHooks Beta: added fields, including app_id and alert-relevant fields
- Fixed a bug that prevented some versions of Firefox from logging in via Google Auth
- Fixed a bug that caused whitelisted IPs to be flagged as suspicious
- The Data Exposure feature is now available only on customer request
- Fixed CORS errors with JSAgent on certain Microsoft browsers
- Added tCell to the default CSP whitelist
- Added a test button to WebHooks Beta
- Added URL-based blocking
- Limited the maximum duration of a login attack to 72 hours
- Added support to obtain unstripped URIs from AppFW events
- Added support for user notes on any whitelisted or blacklisted IP in a policy
- AppFW UI Refresh
- Whitelisted inline scripts no longer appear on the dashboard
- General improvements to the AppFW Event Viewer
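The compound-command rule noted above (a compound command is whitelisted only if each of its individual commands is whitelisted) stands or falls on how the command is split. The following is an added example, not tCell's own implementation, of an allowlist check that splits on shell control operators with quote awareness and fails closed on anything it does not model. The allowlist, the matching rule (the first word of each simple command must equal an allowlisted name), and the sample commands are constructed for illustration and are not described on this page.

```python
"""Allowlist check for compound OS commands (added illustration, not tCell code).

Assumed matching rule: the first word of every simple command must equal an
allowlisted name.  Anything the splitter does not model (redirections, subshells,
command substitution, unbalanced quotes) is rejected, so the checker fails closed.
"""
from __future__ import annotations

import shlex

# Constructed sample allowlist.  Keep wrappers such as sh, env, xargs or find out of
# any real allowlist: an allowed wrapper can launch an arbitrary program.
ALLOWLIST = frozenset({"ls", "grep", "wc", "cat"})

# Control operators that join simple commands into a compound command.
SEPARATORS = frozenset({"&&", "||", ";", "|", "&"})


class UnsupportedSyntax(ValueError):
    """Raised for shell constructs the splitter does not model."""


def split_compound(command: str) -> list[list[str]]:
    """Split a compound command into simple commands, each a list of words.

    shlex handles quoting, so `grep "a && b"` is one command with one argument
    rather than two commands.
    """
    if "`" in command or "$(" in command or "${" in command:
        raise UnsupportedSyntax("command substitution / parameter expansion")
    # A newline separates commands exactly like ';'.
    lexer = shlex.shlex(command.replace("\n", ";"), posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    # In a shell '#' only starts a comment at the beginning of a word, and
    # "ls -l#;rm" still runs rm, so disable shlex's comment handling entirely.
    lexer.commenters = ""
    commands: list[list[str]] = [[]]
    for tok in lexer:
        if tok in SEPARATORS:
            commands.append([])
        elif tok and tok[0] in lexer.punctuation_chars:
            # '>', '<', '(', ')', or an odd run such as '&&;': refuse to guess.
            raise UnsupportedSyntax(f"operator {tok!r}")
        else:
            commands[-1].append(tok)
    return [words for words in commands if words]


def is_allowed(command: str, allowlist: frozenset[str] = ALLOWLIST) -> bool:
    """True only if every simple command in `command` starts with an allowlisted program."""
    try:
        parts = split_compound(command)
    except ValueError:  # UnsupportedSyntax, or shlex's "No closing quotation"
        return False
    if not parts:
        return False
    # Arguments are ignored and the program name is compared exactly, so "/bin/ls"
    # or "PATH=/tmp ls" are not matched by an entry "ls".
    return all(words[0] in allowlist for words in parts)


if __name__ == "__main__":
    for cmd in (
        "ls -l | grep foo && wc -l",        # every part allowed -> allowed
        "ls -l; rm -rf /tmp/x",             # rm not allowed -> blocked
        'grep "a && rm -rf /" file.txt',    # operator inside quotes is an argument
        "ls $(id)",                         # command substitution -> blocked
        "ls > /tmp/out",                    # redirection not modelled -> blocked
        "ls -l#;rm -rf /tmp/x",             # '#' is not a comment here -> blocked
    ):
        print(f"{'ALLOW' if is_allowed(cmd) else 'BLOCK':5} {cmd}")
```

Two details matter more than the operator list itself: the splitter must be quote-aware (otherwise an `&&` inside a quoted argument would be treated as a second command) and it must refuse, rather than approximate, constructs it does not understand, since a silently ignored redirection, subshell, or mid-word `#` is exactly where an allowlist bypass would hide.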