What's Changed

- fix(scanner): handle INFORMATION severity in sort and filter chips by @MegaManSec in #37
- Tighten unnamed_groups: catch if-conditions, suppress implicit-redirect & return/break FPs by @MegaManSec in #39
- Add overlapping_captures plugin for CVE-2026-9256 by @MegaManSec in #38
- Style cleanup for CVE plugins + (*VERB) capture-walker fix by @MegaManSec in #43
- Lint docs and YAML strictly in CI by @MegaManSec in #47
- status_page_exposed: honor auth_request, auth_basic, and internal by @MegaManSec in #46
- return_bypasses_allow_deny: skip internally-reachable locations by @MegaManSec in #45
- stale_dns_cache: handle bracketed IPv6 addresses by @MegaManSec in #44
- fix(ssrf): also flag fastcgi/uwsgi/scgi/grpc_pass with attacker-controlled targets by @MegaManSec in #59
- fix(host_spoofing): flag $http_x_forwarded_host and $cookie_* as spoofable Host sources by @MegaManSec in #58
- fix(valid_referers): treat 'blocked' like 'none' (no proof of HTTP origin) by @MegaManSec in #57
- fix(missing_worker_processes): only count worker_processes in the main context by @MegaManSec in #56
- fix(add_header_content_type): also flag more_set_headers; compare Content-Type case-insensitively by @MegaManSec in #55
- fix(ssl_stapling_without_resolver): skip IP-literal ssl_stapling_responder (no DNS needed) by @MegaManSec in #54
- fix(low_keepalive_requests): ignore upstream-context directive and explicit 0 (disable) by @MegaManSec in #53
- fix(parser): break circular include cycles with an active-include guard by @MegaManSec in #51
- fix(core): tolerate unparseable regexes instead of crashing the audit by @MegaManSec in #52
- fix(regex_redos): inspect if/server_name/rewrite/map (keep recheck server) by @MegaManSec in #49
- chore: remove merge_slashes_on plugin by @MegaManSec in #48
- fix(origins): flag reflection of $http_origin into Access-Control-Allow-Origin by @MegaManSec in #50
- Release 0.4.0 by @MegaManSec in #60

Full Changelog: v0.3.4...v0.4.0