v0.4.0

Added

• decompression: Add RequestDecompression middleware (#282)
• compression: Implement Default for CompressionBody (#323)
• compression, decompression: Support zstd (de)compression (#322)

Changed

• serve_dir: ServeDir and ServeFile's error types are now Infallible and any IO errors
  will be converted into responses. Use try_call to generate error responses manually (BREAKING) (#283)
• serve_dir: ServeDir::fallback and ServeDir::not_found_service now requires
  the fallback service to use Infallible as its error type (BREAKING) (#283)
• compression, decompression: Tweak prefered compression encodings (#325)

Removed

• Removed RequireAuthorization in favor of ValidateRequest (BREAKING) (#290)

Fixed

• serve_dir: Don't include identity in Content-Encoding header (#317)
• compression: Do compress SVGs (#321)
• serve_dir: In ServeDir, convert io::ErrorKind::NotADirectory to 404 Not Found (#331)

v0.3.5

Added

• Add NormalizePath middleware (#275)
• Add ValidateRequest middleware (#289)
• Add RequestBodyTimeout middleware (#303)

Changed

• Bump Minimum Supported Rust Version to 1.60 (#299)

Fixed

• trace: Correctly identify gRPC requests in default on_response callback (#278)
• cors: Panic if a wildcard (*) is passed to AllowOrigin::list. Use
  AllowOrigin::any() instead (#285)
• serve_dir: Call the fallback on non-uft8 request paths (#310)

v0.3.4

Added

• Add Timeout middleware (#270)
• Add RequestBodyLimit middleware (#271)

v0.3.3

Added

• serve_dir: Add ServeDir::call_fallback_on_method_not_allowed to allow calling the fallback
  for requests that aren't GET or HEAD (#264)
• request_id: Add MakeRequestUuid for generating request ids using UUIDs (#266)

Fixed

• serve_dir: Include Allow header for 405 Method Not Allowed responses (#263)

v0.3.2

Fixed

• serve_dir: Fix empty request parts being passed to ServeDir's fallback instead of the actual ones (#258)

v0.3.1

Fixed

• cors: Only send a single origin in Access-Control-Allow-Origin header when a list of
  allowed origins is configured (the previous behavior of sending a comma-separated list like for
  allowed methods and allowed headers is not allowed by any standard)

v0.3.0

Added

• fs: Add ServeDir::{fallback, not_found_service} for calling another service if
  the file cannot be found (#243)
• fs: Add SetStatus to override status codes (#248)
• ServeDir and ServeFile now respond with 405 Method Not Allowed to requests where the
  method isn't GET or HEAD (#249)
• cors: Added CorsLayer::very_permissive which is like
  CorsLayer::permissive except it (truly) allows credentials. This is made
  possible by mirroring the request's origin as well as method and headers
  back as CORS-whitelisted ones (#237)
• cors: Allow customizing the value(s) for the Vary header (#237)

Changed

• cors: Removed allow-credentials: true from CorsLayer::permissive.
  It never actually took effect in compliant browsers because it is mutually
  exclusive with the * wildcard (Any) on origins, methods and headers (#237)
• cors: Rewrote the CORS middleware. Almost all existing usage patterns
  will continue to work. (BREAKING) (#237)
• cors: The CORS middleware will now panic if you try to use Any in
  combination with .allow_credentials(true). This configuration worked
  before, but resulted in browsers ignoring the allow-credentials header,
  which defeats the purpose of setting it and can be very annoying to debug
  (#237)

Fixed

• fs: Fix content-length calculation on range requests (#228)

v0.2.5

Fixed

• Fix content-length calculation on range requests (#228)

v0.2.4

Added

• Added CatchPanic middleware which catches panics and converts them
  into 500 Internal Server responses (#214)

Fixed

• Make parsing of Accept-Encoding more robust (#220)

v0.2.3

Changed

• Update to tokio-util 0.7 (#221)

Fixed

• The CORS layer / service methods allow_headers, allow_methods, allow_origin
  and expose_headers now do nothing if given an empty Vec, instead of sending
  the respective header with an empty value (#218)