1.8.3 / 2015-06-10
==================

  * deps: cookie@0.1.3
    - Slight optimizations

1.8.2 / 2015-05-09
==================

  * deps: csrf@~3.0.0
    - deps: uid-safe@~2.0.0

1.8.1 / 2015-05-03
==================

  * deps: csrf@~2.0.7
    - Fix compatibility with `crypto.DEFAULT_ENCODING` global changes

1.8.0 / 2015-04-07
==================

  * Add `sessionKey` option

1.7.0 / 2015-02-15
==================

  * Accept `CSRF-Token` and `XSRF-Token` request headers
  * Default `cookie.path` to `'/'`, if using cookies
  * deps: cookie-signature@1.0.6
  * deps: csrf@~2.0.6
    - deps: base64-url@1.2.1
    - deps: uid-safe@~1.1.0
  * deps: http-errors@~1.3.1
   - Construct errors using defined constructors from `createError`
   - Fix error names that are not identifiers
   - Set a meaningful `name` property on constructed errors

1.6.6 / 2015-01-31
==================

  * deps: csrf@~2.0.5
    - deps: base64-url@1.2.0
    - deps: uid-safe@~1.0.3

1.6.5 / 2015-01-08
==================

  * deps: csrf@~2.0.4
    - deps: uid-safe@~1.0.2

1.6.4 / 2014-12-30
==================

  * deps: csrf@~2.0.3
    - Slight speed improvement for `verify`
    - deps: base64-url@1.1.0
    - deps: rndm@~1.1.0
  * deps: http-errors@~1.2.8
   - Fix stack trace from exported function

1.6.3 / 2014-11-09
==================

  * deps: csrf@~2.0.2
    - deps: scmp@1.0.0
  * deps: http-errors@~1.2.7
   - Remove duplicate line

1.6.2 / 2014-10-14
==================

  * Fix cookie name when using `cookie: true`
  * deps: http-errors@~1.2.6
    - Fix `expose` to be `true` for `ClientError` constructor
    - Use `inherits` instead of `util`
    - deps: statuses@1

1.6.1 / 2014-09-05
==================

  * deps: cookie-signature@1.0.5

1.6.0 / 2014-09-03
==================

  * Set `code` property on CSRF token errors

1.5.0 / 2014-08-24
==================

  * Add `ignoreMethods` option

1.4.1 / 2014-08-22
==================

  * Use `csrf-tokens` instead of `csrf`
 
1.4.0 / 2014-07-30
==================

  * Support changing `req.session` after `csurf` middleware
    - Calling `res.csrfToken()` after `req.session.destroy()` will now work

1.3.0 / 2014-07-03
==================

  * Add support for environments without `res.cookie` (connect@3)

1.2.2 / 2014-06-18
==================

  * deps: csrf-tokens@~2.0.0

1.2.1 / 2014-06-09
==================

  * Refactor to use `csrf-tokens` module

1.2.0 / 2014-05-13
==================

  * Add support for double-submit cookie

1.1.0 / 2014-04-06
==================

  * Add constant-time string compare