Skip to content

What's New in Nullafi Shield v3.8.0

v3.8.0Released: April 22, 2026  ·  Container image: public.ecr.aws/nullafi/shield:v3.8.0

Deprecation Notice

Several HTTPS/ACME environment variable names have been updated for consistency and clarity. The legacy variable names (NULLAFI_HTTPS_ENABLE_ACME and NULLAFI_HTTPS_CERT_DIR) are still accepted in this release but will emit a deprecation warning in logs. Please migrate to the new variable names before the next major release. See the Deployment Options section for the full mapping.

Overview

  • 2

    New Features

  • 8

    Improvements

  • 2

    Bug Fixes

  • 2

    Security Fixes

Version 3.8.0 is centered on a major overhaul of the ICAP protocol implementation — bringing full RFC 3507 compliance, more reliable connection handling, and a stronger foundation for future capabilities. The release also delivers targeted security patches and a smarter default data-type detection profile.

New Features

Theme: Protocol Refactoring & Policy Expansion — Available to all editions.

  • Optimized Default Data Type Detection Profile

    Shield now ships with a focused default detection profile. Ten high-value data types — including Credit Card numbers, Email addresses, SSN, IBAN, IP addresses, and SWIFT codes — are enabled out of the box. Less commonly needed types are disabled by default to reduce noise and improve performance; all remain available and can be enabled in your policy configuration.

    Policy Deployment

  • Configurable Activity Log Buffer Size

    A new environment variable allows administrators to tune the activity log ring buffer size to better match their deployment scale and logging requirements.

    Deployment

Policy

Compliance requirements, data governance changes, and policy updates that take effect with this release.

Policy & Compliance

Optimized Default Detection Profile Fresh deployments now detect a curated set of high-priority data types by default. Organizations with existing deployments should review their active detection configuration after upgrade to ensure alignment with their data governance requirements. All previously available data types remain accessible.

Policy documentation

Deployment

Infrastructure requirements, environment changes, and steps needed to deploy this release safely.

Deployment & Infrastructure

ACME Certificate Configuration — Variable Rename Two HTTPS/ACME environment variables have been renamed for clarity and consistency. The legacy names are still accepted in this release and will generate a deprecation warning in logs. Update your configuration at your earliest convenience — support for legacy names will be removed in a future major release. Both NULLAFI_HTTPS_ACME_SERVER_URL and NULLAFI_HTTPS_ACME_DNS01_PROVIDER are still in use and remain unchanged.

Old Variable (deprecated) New Variable Notes
NULLAFI_HTTPS_ENABLE_ACME NULLAFI_HTTPS_ACME_CHALLENGE No longer just 'enable' and 'disable' Now controls the challenge type as well
NULLAFI_HTTPS_CERT_DIR NULLAFI_HTTPS_ACME_CERT_DIR Just renaming to make clear that it is related to ACME certificates

Activity Log Buffer Size A new environment variable has been introduced to control the activity log ring buffer size. No action is required; the existing default behavior is preserved unless the variable is explicitly set.

Deployment guide

Improvements & Bug Fixes

Full list of resolved issues and quality improvements in this release.

Type Description ID
Improvement Full ICAP engine and server refactoring for improved RFC 3507 compliance, maintainability, and operational predictability. NS-594, NS-595
Improvement The server now returns meaningful HTTP status codes instead of silently closing connections: 408 for timeouts, 503 when the queue is full, and 501 for unsupported methods — making integration issues significantly easier to diagnose. NS-593
Improvement ICAP protocol version is now validated on incoming requests; a warning is logged when a non-standard version is detected, surfacing misconfigured clients early. NS-592
Improvement Shield now correctly validates the Allow: 204 capability header before sending a 204 No Content response, ensuring full compliance with RFC 3507 Section 4.6. NS-591
Improvement End-of-file detection in chunked ICAP transfers has been rewritten, reducing processing errors with edge-case clients. NS-590
Improvement All ICAP responses now include the mandatory ISTag header as required by RFC 3507 Section 4.4.4, improving compatibility with strict ICAP clients and proxies. NS-587
Improvement The mandatory Host header is now properly validated on incoming ICAP requests per RFC 3507 Section 4.3.1, with non-conformant requests rejected with a clear error response. NS-589
Improvement OPTIONS responses now include the Encapsulated header as required by RFC 3507 Section 4.10.2, ensuring compatibility with standards-compliant ICAP clients. NS-588
Improvement Cross-provider directory group matching for user policies is now supported. Groups from different identity providers can be matched freely, removing friction for organizations with complex identity configurations. NS-582
Fix Resolved an upgrade regression where the legacy NULLAFI_HTTPS_CERT_DIR variable was silently ignored, causing Shield to default to an incorrect certificate path. The legacy value is now honored with a deprecation warning. NS-579
Fix Corrected misleading wording in the unsaved-changes confirmation dialog in the Activity tab. NS-580
Security Remediated a critical authorization bypass vulnerability (CVE-2026-33186, CVSS 9.1) in a core dependency. Specially crafted requests could previously bypass path-based access controls. No customer action is required; the fix is included automatically with this upgrade. NS-597
Security All outstanding critical and high-severity dependency vulnerabilities in the frontend have been reviewed and resolved, including a known vulnerability in server-side rendering components. NS-596, NS-575

Upgrade Instructions

Follow these steps before upgrading in production. Estimated time: 15 minutes.

  1. Back up your database and configuration files Take a full snapshot of your database and export your current configuration — including your .env and any custom policy files. Store backups off-instance before proceeding.

  2. Review environment variable changes If your deployment uses NULLAFI_HTTPS_ENABLE_ACME or NULLAFI_HTTPS_CERT_DIR, plan to migrate to the new variable names (NULLAFI_HTTPS_ACME_CHALLENGE and NULLAFI_HTTPS_ACME_CERT_DIR respectively). Both legacy names remain functional in this release and will produce deprecation warnings in logs.

  3. Review the updated default detection profile If you are performing a fresh installation, note that only the ten default data types will be active out of the box. If you are upgrading an existing deployment, your current detection configuration is preserved and no immediate action is required.

  4. Pull and deploy the updated container image

    docker pull public.ecr.aws/nullafi/shield:v3.8.1
    Configure your container runtime scripts or commands to use the new image. (If using Nullafi's sample Docker Compose files, modify the .env file so that SHIELD_IMAGE points to the new image.) Restart the Shield service after pulling the updated image.

nullafi.com  ·  docs.nullafi.com  ·  support@nullafi.com  ·  Previous releases