Releases: stanislav-web/OpenDoor

v5.16.0

17 May 10:19
8da0211

  • (fix) rendered fingerprint progress as a rotating single-line indicator and persisted only the final done state to reduce duplicate progress output.
  • (fix) proxy and transport-loss handling: proxy scans now validate the proxy without directly probing the target, filtered proxy timeouts remain visible, and direct scans abort cleanly after repeated exhausted transport failures when a target goes offline mid-scan.
  • (fix) made auto-calibrated rotating progress cross-platform by truncating suppressed-response lines to terminal width and clearing them before real findings.
  • (fix) diversified auto-calibration probe URL shapes so sites that return different soft-404/catch-all responses for root-level, application-like and static asset paths are calibrated more reliably.
  • (fix) made HTML report status tabs work as anchor-backed navigation with JavaScript filtering as progressive enhancement, improving large report responsiveness and browser compatibility.
  • (fix) handled ResponseError: Unknown response status : 523 so scans no longer abort on unexpected HTTP status codes.
  • (fix) graceful handling for unavailable standalone SOCKS/HTTP proxies.
  • (fix) authenticated HTTP proxy support for HTTPS CONNECT requests and masked proxy credentials in debug, warning, and error output.
  • (fix) cleaned WAF/header-bypass diagnostics: cookie accept debug now logs once, watchdog tracks long-running probe heartbeats, and piped logs no longer include ANSI clear-line sequences.
  • (fix) extension filters: --extensions and --ignore-extensions are now mutually exclusive, extension matching handles query strings/fragments, matching is case-insensitive, and documentation now describes --extensions as a filter rather than generation.
  • (fix) wizard regex filters so comma-containing patterns are preserved safely.
  • (fix) reduced report noise by keeping filtered responses out of user-facing reports while preserving them in raw JSON/session data.
  • (fix) response-filter overrides for resumed sessions and precompiled regex filters for faster runtime checks.
  • (fix) proxy rotation console output so debug and warning messages no longer corrupt fingerprint, calibration, and scan progress lines.
  • (fix) reused initialized proxy request providers across pre-scan and scan phases to avoid redundant proxy-list initialization.
  • (fix) preserved direct scan provider refresh when scan targets are rewritten by runtime options.
  • (fix) reduced auto-calibration console noise by suppressing per-probe response output while keeping the calibration summary.
  • (fix) reduced noisy debug output in --proxy-pool mode by logging proxy selection only when a new proxy pool is created.
  • (feature) added --waf-guard with configurable --waf-guard-after and --waf-guard-threshold to stop scans early when initial classified responses are overwhelmingly WAF-blocked.
  • (feature) added --diff to compare exactly two previous/current OpenDoor SQLite or JSON reports and show added, removed and changed findings without running a new scan.
  • (feature) added --sniff malware to passively classify suspicious malware, webshell, injected script and obfuscated payload indicators into the malware bucket with structured metadata across runtime output and reports.
  • (feature) added --sniff shadow active Shadow Copy Detection to probe confirmed 200 OK file-like hits for exposed backup/suffix copies such as .bak, .old, and similar variants.
  • (feature) added --sniff secret to classify successful textual responses with possible leaked API keys, tokens, private keys, JWTs and credential URLs into the secret bucket.
  • (feature) added --sniff openredirect for verified open redirect detection: OpenDoor now performs bounded active checks on discovered redirect-like query parameters, reports findings in the openredirect bucket, and preserves evidence across text, JSON, CSV, HTML, SQLite, and SARIF reports.
  • (feature) added opt-in --tls-legacy mode for weak-DH HTTPS targets and improved TLS handshake diagnostics with DH_KEY_TOO_SMALL guidance.
  • (enhancement) improved scan runtime temp handling by moving generated wordlist artifacts into per-scan managed workspaces with cross-platform cleanup on normal exit, errors, and abort signals.
  • (enhancement) added socks5h:// proxy URL support for standalone proxy and proxy-list flows without changing existing proxy debug output.
  • (enhancement) improved --update as a safe cross-platform helper: it no longer depends on scanner data assets, does not execute package-manager commands, and now prints update instructions for pipx, pip, Homebrew, Docker, Linux packages, Windows, and source checkout installs.
  • (enhancement) hardened response filter handling across CLI, wizard configuration, and session resume flows.
  • (enhancement) hardened proxy routing: --proxy, --proxy-list, and --proxy-pool are now mutually exclusive, rotating proxies skip dead entries during the current scan runtime, authenticated proxy-list entries support HTTPS CONNECT, and selected rotating proxies are shown in debug with credentials masked.
  • (enhancement) refactored the internal sniffer architecture to support independent multi-finding detection, additive security findings, suppressor separation and shared active-sniffer orchestration while preserving existing --sniff CLI aliases and report buckets.
  • (enhancement) improved controlled 403 header-bypass probing with additional safe path-normalization variants, including encoded-dot, semicolon-prefix, dot-semicolon-prefix, double-slash semicolon, and dot-dot semicolon suffix checks for arbitrary protected paths discovered during scans.
  • (enhancement) hardened Stacktrace sniffer detection to avoid false positives from normal HTML/CSS source code such as .*-warning, .*-error, and similar style/class names.
  • (enhancement) hardened WordPress fingerprinting by adding static asset probes and preventing weak login/xmlrpc-only evidence from becoming a primary CMS match.
  • (enhancement) preserves redacted Secret Sniffer metadata in standard, text, CSV, JSON, HTML, SQLite and SARIF reports without storing raw secret values.
  • (enhancement) added Mobirise site-builder detection to --fingerprint using generator, asset and markup signals common to Mobirise landing pages.
  • (enhancement) added QRATOR / Qrator Labs infrastructure detection to --fingerprint.
  • (dependencies) removed unused six and replaced tabulate in the STD summary reporter with a native psql-like table formatter.
  • (ux) reduced stdout Summary noise by hiding low-value diagnostic counters and detailed fingerprint/HSTS/privacy internals while preserving them in structured reports.
  • (ux) improved connection preflight diagnostics for localhost/proxy transport checks.
  • (dictionary) bundled data/shadow-suffixes.dat in source and wheel distributions so PyPI, Homebrew-style source builds and local installs include the built-in shadow suffix catalog by default.
  • (dictionary) cleaned and normalized internal directories list (+2133 potentially interesting paths).
  • (build) added staged Ruff quality gates and advisory Vulture dead-code checks, with updated contributor rules and cleanup documentation.
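The extension-filter semantics listed above (mutually exclusive flags, query strings and fragments ignored, case-insensitive matching) as an added illustration; this is not OpenDoor's own code, and the function names and the flag-to-argument mapping are assumptions.

```python
"""Extension filtering for scan URL candidates (added example, not OpenDoor code)."""
from __future__ import annotations

import posixpath
from urllib.parse import urlsplit


def _normalize_extensions(raw: str | None) -> frozenset[str]:
    """Turn 'php, Bak,.TXT' into {'php', 'bak', 'txt'}; empty input -> empty set."""
    if not raw:
        return frozenset()
    cleaned = (item.strip().lstrip(".") for item in raw.split(","))
    return frozenset(item.lower() for item in cleaned if item)


def url_extension(url: str) -> str:
    """Extension of the path component only, lower-cased, without the dot.

    '/ADMIN/config.PHP?x=1#top' -> 'php'; '/api/v1/users' -> ''.
    """
    path = urlsplit(url).path  # urlsplit separates ?query and #fragment
    _, ext = posixpath.splitext(path)
    return ext[1:].lower()


def build_extension_filter(extensions: str | None, ignore_extensions: str | None):
    """Return a predicate url -> bool, or raise if both flags were given.

    Neither flag: every URL passes.  --extensions: keep only listed extensions.
    --ignore-extensions: drop listed extensions.  Both: a usage error.
    """
    if extensions and ignore_extensions:
        raise ValueError("--extensions and --ignore-extensions are mutually exclusive")
    keep = _normalize_extensions(extensions)
    drop = _normalize_extensions(ignore_extensions)
    if keep:
        return lambda url: url_extension(url) in keep
    if drop:
        return lambda url: url_extension(url) not in drop
    return lambda url: True


def apply_filter(urls: list[str], extensions: str | None = None,
                 ignore_extensions: str | None = None) -> list[str]:
    """Filter a candidate list, preserving order."""
    keep = build_extension_filter(extensions, ignore_extensions)
    return [u for u in urls if keep(u)]


if __name__ == "__main__":
    # Constructed sample candidates, not real scan output.
    sample = [
        "https://example.test/admin/config.PHP?debug=1#main",
        "https://example.test/backup.tar.GZ",
        "https://example.test/api/v1/users",
        "https://example.test/static/app.js?v=2",
    ]
    print(apply_filter(sample, extensions="php,js"))
```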

v5.15.3

09 May 20:25
d7f85de

  • (critical) prevented silent partial scans when randomized runtime wordlists are truncated by validating shuffled list size and warning on early EOF before report generation
  • (critical) restored runtime Ctrl+C pause/resume so the first interrupt opens the continue/exit menu during active worker joins instead of immediately canceling the scan.
  • (fix) hardened STD reporter summary generation for partial or malformed report payloads
  • (fix) detect Bitrix from CMS header and harden Strapi fingerprinting
  • (fix) tuned runtime fingerprint scoring so endpoint-only framework probes no longer imply Node.js/Python runtime
  • (fix) added conservative PHP route-marker runtime evidence for legacy PHP sites without exposed X-Powered-By headers
  • (fix) broken random-list shuffle and JS challenge detection
  • (fix) --accept-cookies routing so accepted cookies are preserved across scan requests and header-bypass variants.
  • (fix) gated passive WAF/gateway headers in both vendor-specific matching and generic fallback so normal 200 responses are not promoted to blocked
  • (fix) isolated default fingerprint fallback results with deep copies to prevent nested metadata leakage between failed or empty detection runs
  • (fix) added vendor-specific and generic-fallback gating for passive gateway/server markers to avoid classifying normal 200 responses as blocked WAF pages
  • (fix) --debug 0 being incorrectly treated as debug level 1.
  • (fix) file response sniffer false positives for large textual web/API responses. Large text/html, text/*, JSON, XML, XHTML and SVG responses are no longer classified as files only because their body or Content-Length exceeds the large-response threshold.
  • (fix) hardened --transport / --transport-profile flow with startup validation, proxy-mode safeguards and transport healthcheck execution
  • (fix) added cross-platform VPN executable resolution via --transport-bin, common OpenVPN/WireGuard backend lookup paths and actionable OS-specific diagnostics when VPN backends are missing
  • (fix) hardened --sniff indexof directory-listing detection to avoid title-only false positives while preserving Apache, nginx, IIS and generic autoindex layouts
  • (fix) validated --retries / wizard retries as a non-negative integer and normalized runtime retry values before passing them to urllib3
  • (fix) restored interactive HTML report controls by making visible URL copy, text search and status-group navigation use stable row metadata and explicit UI feedback
  • (fix) deduplicate duplicate subdomain scan candidates before they are submitted to the HTTP worker queue.
  • (fix) keep subdomain scan progress totals aligned when duplicate candidates are dropped.
  • (fix) cache rendered subdomain IP lookups per hostname to avoid repeated DNS resolution in subdomain reports.
  • (enhancement) added passive privacy-risk detection to --fingerprint for possible supercookie tracking surfaces.
  • (enhancement) added supercookie/privacy-risk metadata to std, txt, csv, json, html, sqlite, and sarif reports.
  • (enhancement) added --header-bypass-profile safe|offensive with offensive header spoofing and expanded path-normalization variants for controlled 401/403 bypass probing.
  • (enhancement) expanded header-bypass evidence with profile, status transition, score and reason metadata across detailed reports.
  • (enhancement) added --sniff stacktrace to detect exposed stack traces and debug error details across Python, Node.js, PHP, NestJS, Java, SQL, and Oracle responses.
  • (enhancement) expanded passive WAF recognition with block-response signatures for DDoS-GUARD, Tencent Cloud WAF, Google Cloud Armor, SafeLine, Vercel WAF, Wallarm and Wordfence, complementing existing infrastructure fingerprinting where applicable.
  • (enhancement) detect common HTTP Server header engines as fingerprint infrastructure, including Nginx, Apache HTTP Server, Microsoft IIS, Caddy, LiteSpeed, lighttpd, Tornado, Gunicorn, Uvicorn, Hypercorn, Waitress, Apache Tomcat, Eclipse Jetty, Envoy and Traefik
  • (enhancement) added clear response-level diagnostics for --debug 3.
  • (enhancement) prettified HTML reports to make them more intelligible for users
  • (enhancement) expanded passive WAF recognition with additional vendor signatures sourced from public WAF fingerprint catalogs
  • (enhancement) expanded passive WAF recognition with DDoS-GUARD, Google Cloud Armor, SafeLine, Tencent Cloud WAF, Vercel WAF, Wallarm and Wordfence signatures while keeping passive edge headers gated behind block-like statuses
  • (enhancement) added 360 WAF, Airlock, Aliyun WAF, Anquanbao, BinarySec, CityHost, BitNinja, Bluedon WAF, ChinaCache, Comodo WAF, DoSArrest, DotDefender, GoDaddy Website Firewall, GreyWizard, IBM DataPower, Imunify360, Instart DX, NAXSI, NinjaFirewall, Profense and WebKnight detection
  • (enhancement) deduplicated WAF evidence signals before report propagation
  • (enhancement) updated internal wordlists
  • (deprecated) made scheme the source of truth for HTTP/HTTPS mode and deprecated standalone wizard ssl configuration to prevent mismatched request providers
  • (docs) documented runtime pause/resume controls separately from session checkpoint resume.
  • (docs) updated documentation with more detailed examples and hints
  • (debug) added compact STD fingerprint evidence counters for report-level QA
  • (debug) added scan worker stall diagnostics and ensured queued tasks are always marked done after worker errors to avoid silent hangs during long-running requests
  • (debug) added compact fingerprint evidence signals to fingerprint.txt for easier QA of runtime/infrastructure detection
  • (dependencies) updated dependencies to the latest versions
  • (tests) added regression coverage for new WAF signatures, passive-header false-positive protection and fingerprint fallback isolation
  • (tests) expanded coverage for transport healthcheck cleanup branches, OpenVPN liveness diagnostics and hardened indexof detection paths
  • (tests) coverage gate remains configured at 99%

v5.15.2

03 May 21:31
118b9de

  • (enhancement) added compact pre-scan fingerprint summary with detected web stack and security posture
  • (enhancement) added offline HSTS and preload-readiness detection to the existing --fingerprint pass without adding a new CLI flag
  • (enhancement) stores security-header posture as fingerprint.security_headers.hsts with grade, max-age, includeSubDomains, preload, redirect and warning metadata
  • (enhancement) preserves HSTS metadata in standard, text, CSV, HTML, SQLite, JSON and SARIF reports
  • (docs) documented compact pre-scan fingerprint summary and HSTS / preload readiness output
  • (tests) added regression coverage for compact fingerprint summary rendering
  • (tests) added regression coverage for preload-ready, weak and HTTP-only HSTS handling plus report propagation
  • (tests) coverage gate remains configured at 99%
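An offline HSTS posture check of the kind the v5.15.2 fingerprint notes describe (grade, max-age, includeSubDomains, preload, redirect and warnings), as an added example; it is not OpenDoor's implementation, and the grade names, the weak-max-age threshold and the dict layout are assumptions. The preload requirements (max-age of at least one year, includeSubDomains, preload, served over HTTPS) follow the public hstspreload.org submission rules.

```python
"""Offline HSTS / preload-readiness grading (added example, not OpenDoor code)."""
from __future__ import annotations

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, per hstspreload.org


def parse_hsts(header_value: str) -> dict:
    """Parse a Strict-Transport-Security value; directive names are case-insensitive."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age stays None and grades as missing
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def grade_hsts(scheme: str, header_value: str | None, redirects_to_https: bool = False) -> dict:
    """Return posture metadata similar in shape to fingerprint.security_headers.hsts (assumed layout)."""
    warnings: list[str] = []
    info = parse_hsts(header_value) if header_value else parse_hsts("")
    if scheme != "https":
        grade = "http-only"
        warnings.append("HSTS is ignored by browsers when served over plain HTTP")
        if not redirects_to_https:
            warnings.append("no redirect to HTTPS observed")
    elif info["max_age"] is None:
        grade = "missing"
        warnings.append("no valid Strict-Transport-Security header")
    elif info["max_age"] < PRELOAD_MIN_MAX_AGE:
        grade = "weak"  # assumed threshold: anything below the preload minimum
        warnings.append(f"max-age {info['max_age']} is below one year")
    elif info["include_subdomains"] and info["preload"]:
        grade = "preload-ready"
    else:
        grade = "ok"
        if not info["include_subdomains"]:
            warnings.append("includeSubDomains missing; subdomains stay unprotected")
        if not info["preload"]:
            warnings.append("preload directive missing; not eligible for the preload list")
    return {"grade": grade, "redirect": redirects_to_https, "warnings": warnings, **info}


if __name__ == "__main__":
    # Constructed header values, not captured from any real host.
    print(grade_hsts("https", "max-age=63072000; includeSubDomains; preload"))
    print(grade_hsts("https", "max-age=300"))
    print(grade_hsts("http", None, redirects_to_https=True))
```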

v5.15.1

03 May 12:47
dd74c05

  • (fix) removed literal opendoor markers from active fingerprint 404-baseline, HTTP calibration and DNS wildcard calibration probe paths
  • (fix) fingerprint 404-baseline now uses a neutral randomized .well-known missing-resource path instead of /.opendoor-fingerprint-not-found-probe
  • (tests) updated fingerprint, HTTP calibration and DNS wildcard calibration coverage for neutral probe paths
  • (enhancement) added runtime-aware technology stack fingerprinting for PHP, Node.js, JavaScript, Python, Ruby, .NET, Java/JVM, Elixir and static-site targets
  • (enhancement) preserved runtime stack metadata in fingerprint results as fingerprint.runtime
  • (enhancement) included runtime stack fields in standard, text, CSV, HTML, SQLite, JSON and SARIF reports
  • (enhancement) added runtime_signals storage to SQLite reports and runtime properties to SARIF results
  • (enhancement) logo update
  • (docs) documented runtime-aware fingerprinting and report fields
  • (tests) added regression coverage for runtime detection and report propagation
  • (tests) coverage gate remains configured at 99%

v5.15.0

02 May 17:57

  • (feature) added SARIF 2.1.0 report output via --reports sarif for CI/CD security workflows
  • (feature) SARIF reports are compatible with GitHub Code Scanning ingestion through github/codeql-action/upload-sarif
  • (enhancement) mapped OpenDoor result buckets to stable SARIF rule identifiers and levels
  • (enhancement) preserved URL, status code, response size, WAF, bypass and fingerprint metadata in SARIF result properties
  • (enhancement) emitted target-level passive fingerprint metadata as a SARIF note result when --fingerprint data is available
  • (docs) documented SARIF reports, GitHub Actions upload and CI/CD usage
  • (tests) added SARIF reporter regression coverage
  • (tests) coverage gate remains configured at 99%

v5.14.6

02 May 10:42

  • (fix) avoided classifying passive Cloudflare CDN headers as blocked WAF responses
  • (fix) preserved normal 301 and 404 classification for Cloudflare CDN responses so --auto-calibrate can build a usable baseline
  • (fix) delayed --waf-safe-mode activation for isolated ordinary WAF blocks
  • (fix) safe mode now activates immediately only for explicit challenge/rate-limit signals or after repeated blocked responses in a short rolling window
  • (fix) blocked responses no longer trigger recursive expansion before safe mode activation
  • (fix) preserved WAF safe-mode block-window state in session snapshots
  • (tests) added regression coverage for passive Cloudflare CDN responses, isolated WAF blocks, threshold activation and immediate challenge/rate-limit activation

v5.14.5

01 May 20:36

  • (enhancement) expanded the passive --fingerprint catalog with selected regional CMS and site-builder signatures
  • (enhancement) added InstantCMS, Duda, Hostinger Website Builder, CMS.S3 / Megagroup, Webasyst / Shop-Script, Discuz! and NetCat detection
  • (enhancement) added strong HTTP-visible infrastructure signatures for Hostinger, DDoS-Guard and Tencent Cloud
  • (enhancement) intentionally skipped DNS/ASN-only and weak URL-only providers to avoid false positives
  • (docs) updated fingerprinting documentation and recognized technology examples
  • (tests) added regression coverage for every new fingerprint signature
  • (tests) full unittest suite passes after integration
  • (tests) coverage gate passes at 99%

v5.14.4

01 May 17:45

  • (enhancement) improved --auto-calibrate for subdomain scans with DNS wildcard calibration
  • (enhancement) added random subdomain baseline probes to detect wildcard and catch-all DNS responses
  • (enhancement) subdomain candidates that resolve only to wildcard baseline addresses are classified into the calibrated bucket before HTTP probing
  • (enhancement) DNS wildcard calibration remains opt-in through --scan subdomains --auto-calibrate and does not change default scan behaviour
  • (enhancement) DNS wildcard baseline addresses are preserved in session calibration state
  • (tests) added regression coverage for DNS wildcard baseline detection, candidate matching and runtime filtering
  • (tests) full unittest suite passes after integration
  • (tests) coverage gate passes at 99%

v5.14.3

01 May 17:20

  • (enhancement) improved --auto-calibrate with lightweight semantic response diffing for soft-404 detection
  • (enhancement) added visible-text, semantic phrase, semantic term, DOM-token and text-density calibration signals
  • (enhancement) improved dynamic body normalization for emails, path-like fragments and long encoded tokens
  • (enhancement) semantic calibration remains opt-in through the existing --auto-calibrate flow and does not change default scan behaviour
  • (tests) added regression coverage for semantic soft-404 matching and calibration helper edge cases
  • (tests) full unittest suite passes after integration
  • (tests) coverage gate passes at 99%

v5.14.2

01 May 16:12

  • (enhancement) extended --header-bypass with controlled path-manipulation probes after header-injection probes
  • (enhancement) added safe path-bypass variants: trailing slash, double leading slash, dot segment, semicolon suffix, case variation and URL-encoded segment
  • (enhancement) path-bypass probes are strict opt-in through the existing --header-bypass flow and do not change default scan behaviour
  • (enhancement) successful path-bypass candidates are stored in the existing bypass result bucket
  • (enhancement) added path-bypass report metadata: bypass=path, bypass_variant, bypass_value, bypass_url, bypass_from_code and bypass_to_code
  • (enhancement) JSON, HTML, CSV and SQLite reports preserve path-bypass evidence through detailed report items
  • (tests) added regression coverage for path-bypass generation, runtime reporting and debug output branches
  • (tests) full unittest suite passes after integration (1221 tests)
  • (tests) coverage gate passes at 99%