Releases: nette/http

Released version 3.4.0

13 Jun 01:09
@dg dg

This release brings serious firepower to server-side HTTP handling. The headline is a brand-new SSRF defense kit: IPAddress and UrlValidator let you validate URLs and pin connections before your app ever talks to an attacker-controlled host. On top of that, cookie handling gets a modern overhaul with a type-safe SameSite enum, CHIPS/Partitioned support, and a proper Max-Age attribute, while the new Request::isFrom() gives you reliable same-site request detection – even on Safari. Now on PHP 8.3.

Changes

  • PHP 8.3 is now required. Time to upgrade your runtime if you haven't already.
  • UserStorage is gone – the long-deprecated class has been removed. Use the standard authentication storage instead.
  • Request::getRemoteHost() is deprecated and now returns null – reverse DNS lookups were slow, unreliable, and a privacy footgun. Resolve the hostname yourself from getRemoteAddress() if you really need it (#218).

Deprecations (still working, but plan ahead)

  • The IResponse::SameSite* constants are deprecated in favor of the new SameSite enum.
  • Request::isSameSite() is deprecated – use isFrom() instead.
  • Passing integer 0 as the expiration to Response::setCookie() is deprecated – use null for a session cookie.

✨ New Features

  • SSRF protection, batteries included – the new IPAddress is an immutable IPv4/IPv6 value object with rich predicates (isPublic(), isPrivate(), isLoopback(), isLinkLocal(), isMulticast(), isReserved()), CIDR matching via isInRange(), and IPv4-mapped IPv6 normalization. Pair it with UrlValidator, a configurable guard that vets scheme, port, host allow/blocklists, userinfo, and – optionally with DNS – the resolved IP ranges. It even hands back the resolved IPs so you can pin the connection through CURLOPT_RESOLVE and defeat DNS-rebinding.
  • Request::isFrom() – a single, reliable way to check where a request came from, with site, dest, and user parameters built on the Sec-Fetch-* headers. For browsers without Sec-Fetch support (Safari < 16.4), it transparently falls back to a strict cookie, so same-site detection just works everywhere.
  • Type-safe SameSite enum – setCookie() and Session now accept a proper enum instead of magic strings, so typos become compile-time problems, not silent security holes.
  • Response::setCookie() speaks modern cookie – it now supports the Partitioned attribute (CHIPS) for third-party cookies, emits a Max-Age attribute (which takes precedence over expires and ignores the client clock), and forces Secure automatically when SameSite=None, sparing you a browser rejection.
  • Helpers::expirationToSeconds() – one consistent parser for every expiration value across the library. Numbers are relative seconds, while DateTimeInterface and textual strings like '20 minutes' or '2024-01-01' resolve as absolute times; each caller decides what null means in its own context.
  • Helpers::parseQualityList() – parses HTTP quality-value lists (Accept, Accept-Language, …) into a ranked token map. Request::detectLanguage() was rewritten on top of it and is more correct as a result.
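
The validate-then-pin flow described in the SSRF bullet above, as an added example in plain PHP. It is not Nette's code and does not use the IPAddress or UrlValidator API; BLOCKED, packIp(), inCidr(), resolvePin() and the injected $resolve callable are names assumed for this example, which narrows the case to DNS host names on http/https.

```php
<?php
// Constructed, non-exhaustive blocklist: unspecified, loopback, private and link-local ranges.
const BLOCKED = ['0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16', '172.16.0.0/12',
	'192.168.0.0/16', '::/128', '::1/128', 'fc00::/7', 'fe80::/10'];

/** Packs an IP literal; IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so the IPv4 rules apply. */
function packIp(string $ip): ?string
{
	if (($bin = @inet_pton($ip)) === false) {
		return null;
	}
	return str_starts_with($bin, str_repeat("\0", 10) . "\xff\xff") ? substr($bin, 12) : $bin;
}

function inCidr(string $bin, string $cidr): bool
{
	[$net, $bits] = explode('/', $cidr);
	$net = inet_pton($net);
	$bytes = intdiv((int) $bits, 8);
	$mask = (0xff << (8 - (int) $bits % 8)) & 0xff; // 0 when the prefix ends on a byte boundary
	return strlen($net) === strlen($bin) && substr($net, 0, $bytes) === substr($bin, 0, $bytes)
		&& ($mask === 0 || (ord($net[$bytes]) & $mask) === (ord($bin[$bytes]) & $mask));
}

/** Vets $url and returns a CURLOPT_RESOLVE entry "host:port:ip[,ip]" for the vetted IPs; throws otherwise. */
function resolvePin(string $url, callable $resolve): string
{
	$p = parse_url($url);
	$scheme = strtolower($p['scheme'] ?? '');
	$host = $p['host'] ?? '';
	// DNS names only: a last label starting with a digit could be parsed by the client as numeric IPv4.
	if (!in_array($scheme, ['http', 'https'], true) || isset($p['user'])
		|| !preg_match('~^([a-z0-9-]+\.)*[a-z][a-z0-9-]*$~i', $host)) {
		throw new InvalidArgumentException("Rejected URL: $url");
	}
	$found = $resolve($host) ?: throw new RuntimeException("$host did not resolve");
	$ips = [];
	foreach ($found as $ip) {
		$bin = packIp($ip);
		if ($bin === null || array_filter(BLOCKED, fn($cidr) => inCidr($bin, $cidr))) {
			throw new RuntimeException("$host resolves to blocked address $ip");
		}
		$ips[] = inet_ntop($bin);
	}
	return $host . ':' . ($p['port'] ?? ($scheme === 'https' ? 443 : 80)) . ':' . implode(',', $ips);
}

// Constructed resolver standing in for real DNS (e.g. dns_get_record() for A and AAAA records).
$dns = fn(string $host): array => $host === 'api.example.test' ? ['203.0.113.10'] : ['::ffff:10.0.0.5'];
echo resolvePin('https://api.example.test/v1', $dns), "\n";
```

Pass the returned entry as `curl_setopt($ch, CURLOPT_RESOLVE, [$entry])` so the request connects only to the addresses that were checked, and leave CURLOPT_FOLLOWLOCATION off, because a redirect target has not been vetted.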

Released version 3.3.4

26 May 16:58
@dg dg

  • RequestFactory::setForceHttps() – force the request scheme to HTTPS regardless of the server environment, handy behind proxies and load balancers that don't advertise TLS termination. Also exposed via the DI config option http: forceHttps: true.
  • Request::getOrigin() now strictly follows RFC 6454 – returns null for any Origin header that isn't a bare scheme://host[:port] (e.g. headers containing a path are rejected instead of being silently accepted).
  • Improved phpDoc types and descriptions across the whole Nette\Http namespace – better IDE autocompletion and PHPStan inference for Request, Response, Session, Url and friends.

Released version 3.3.3

30 Oct 22:38
@dg dg

  • support for PHP 8.5
  • optimized global function calls
  • Url, UrlImmutable: user & password are deprecated

Released version 3.3.2

12 Jan 12:01
@dg dg

  • UrlImmutable, UrlScript: added resolve()
  • Url: added isAbsolute() & removeDotSegments()
  • UrlImmutable, UrlScript: removed build() method
  • Url::canonicalize() char " does not need to be encoded
  • Url, UrlImmutable: user & password are deprecated
  • FileUpload::__construct() accepts path
  • SessionPanel: convert templates to Latte-like syntax

Released version 3.3.1

04 Nov 16:34
@dg dg

  • support for PHP 8.4
  • FileUpload::getSanitizedName() changes the extension only for image files #239
  • RequestFactory: extract port from x-forwarded-host (#230)
  • FileUpload: Initialize properties (#235) (#195)
  • Session: keep exceptions chain on session_start (#240)
  • Session: SessionSection class template annotation #225
  • IResponse: added DateTimeInterface to setCookie $expire param (#237)
  • readonly properties

Released version 3.3.0

21 Jan 22:20
@dg dg

  • requires PHP 8.1
  • uses PHP 8.1 features

Released version 3.2.4

30 Jan 18:24
@dg dg

  • FileUpload: added getSuggestedExtension()
  • RequestFactory: unify and fix host parsing (#229)

Released version 3.2.3

02 Nov 02:42
@dg dg

  • support for PHP 8.3
  • FileUpload: detects supported images
  • RequestFactory: fixed port detection when HTTP_HOST & SERVER_PORT are used #223
  • removed fix for IE

Released version 3.2.2

18 Mar 15:05
@dg dg

  • SessionExtension: don't set readAndClose if null (#213)
  • Improved https recognition behind load balancer (#221)
  • RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
  • RequestFactory: performance optimization #220
  • RequestFactory: fixed filter detection
  • Url: host can end with dot #198
  • added Session::getSectionNames(), replacement for getIterator()

Released version 3.1.8

18 Mar 15:03
@dg dg

  • SessionExtension: don't set readAndClose if null (#213)
  • Improved https recognition behind load balancer (#221)
  • RequestFactory: fix X-Forwarded-Host mixup with remote host (#222)
  • RequestFactory: performance optimization
  • RequestFactory: fixed filter detection
  • Url: host can end with dot #198