Added

• fs: Add ServeDir::{fallback, not_found_service} for calling another service if
  the file cannot be found (#243)
• fs: Add SetStatus to override status codes (#248)
• ServeDir and ServeFile now respond with 405 Method Not Allowed to requests where the
  method isn't GET or HEAD (#249)
• cors: Added CorsLayer::very_permissive which is like
  CorsLayer::permissive except it (truly) allows credentials. This is made
  possible by mirroring the request's origin as well as method and headers
  back as CORS-whitelisted ones (#237)
• cors: Allow customizing the value(s) for the Vary header (#237)

Changed

• cors: Removed allow-credentials: true from CorsLayer::permissive.
  It never actually took effect in compliant browsers because it is mutually
  exclusive with the * wildcard (Any) on origins, methods and headers (#237)
• cors: Rewrote the CORS middleware. Almost all existing usage patterns
  will continue to work. (BREAKING) (#237)
• cors: The CORS middleware will now panic if you try to use Any in
  combination with .allow_credentials(true). This configuration worked
  before, but resulted in browsers ignoring the allow-credentials header,
  which defeats the purpose of setting it and can be very annoying to debug
  (#237)

Fixed

• fs: Fix content-length calculation on range requests (#228)

Fixed

• Fix content-length calculation on range requests (#228)

Added

• Added CatchPanic middleware which catches panics and converts them
  into 500 Internal Server responses (#214)

Fixed

• Make parsing of Accept-Encoding more robust (#220)

Changed

• Update to tokio-util 0.7 (#221)

Fixed

• The CORS layer / service methods allow_headers, allow_methods, allow_origin
  and expose_headers now do nothing if given an empty Vec, instead of sending
  the respective header with an empty value (#218)

Fixed

• Add Vary headers for CORS preflight responses (#216)

Added

• Support Last-Modified (and friends) headers in ServeDir and ServeFile (#145)
• Add AsyncRequireAuthorization::layer (#195)

Fixed

• Fix build error for certain feature sets (#209)
• Cors: Set Vary header (#199)
• ServeDir and ServeFile: Fix potential directory traversal attack due to
  improper path validation on Windows (#204)

Added

• builder: Add ServiceBuilderExt which adds methods to tower::ServiceBuilder for
  adding middleware from tower-http (#106)
• request_id: Add SetRequestId and PropagateRequestId middleware (#150)
• trace: Add DefaultMakeSpan::level to make log level of tracing spans easily configurable (#124)
• trace: Add LatencyUnit::Seconds for formatting latencies as seconds (#179)
• trace: Support customizing which status codes are considered failures by GrpcErrorsAsFailures (#189)
• compression: Support specifying predicates to choose when responses should
  be compressed. This can be used to disable compression of small responses,
  responses with a certain content-type, or something user defined (#172)
• fs: Ability to serve precompressed files (#156)
• fs: Support Range requests (#173)
• fs: Properly support HEAD requests which return no body and have the Content-Length header set (#169)

Changed

• AddAuthorization, InFlightRequests, SetRequestHeader,
  SetResponseHeader, AddExtension, MapRequestBody and MapResponseBody
  now requires underlying service to use http::Request<ReqBody> and
  http::Response<ResBody> as request and responses (#182) (BREAKING)
• set_header: Remove unnecessary generic parameter from SetRequestHeaderLayer
  and SetResponseHeaderLayer. This removes the need (and possibility) to specify a
  body type for these layers (#148) (BREAKING)
• compression, decompression: Change the response body error type to
  Box<dyn std::error::Error + Send + Sync>. This makes them usable if
  the body they're wrapping uses Box<dyn std::error::Error + Send + Sync> as
  its error type which they previously weren't (#166) (BREAKING)
• fs: Change response body type of ServeDir and ServeFile to
  ServeFileSystemResponseBody and ServeFileSystemResponseFuture (#187) (BREAKING)
• auth: Change AuthorizeRequest and AsyncAuthorizeRequest traits to be simpler (#192) (BREAKING)

Removed

• compression, decompression: Remove BodyOrIoError. Its been replaced with Box<dyn std::error::Error + Send + Sync> (#166) (BREAKING)
• compression, decompression: Remove the compression and decompression feature. They were unnecessary
  and compression-full/decompression-full can be used to get full
  compression/decompression support. For more granular control, [compression|decompression]-gzip,
  [compression|decompression]-br and [compression|decompression]-deflate may
  be used instead (#170) (BREAKING)

• New middleware: Add Cors for setting [CORS] headers (#112)
• New middleware: Add AsyncRequireAuthorization (#118)
• Compression: Don't recompress HTTP responses (#140)
• Compression and Decompression: Pass configuration from layer into middleware (#132)
• ServeDir and ServeFile: Improve performance (#137)
• Compression: Remove needless ResBody::Error: Into<BoxError> bounds (#117)
• ServeDir: Percent decode path segments (#129)
• ServeDir: Use correct redirection status (#130)
• ServeDir: Return 404 Not Found on requests to directories if
  append_index_html_on_directories is set to false (#122)

0.1.1 (July 2, 2021)

• Add example of using SharedClassifier.
• Add StatusInRangeAsFailures which is a response classifier that considers
  responses with status code in a certain range as failures. Useful for HTTP
  clients where both server errors (5xx) and client errors (4xx) are considered
  failures.
• Implement Debug for NeverClassifyEos.
• Update iri-string to 0.4.
• Add ClassifyResponse::map_failure_class and ClassifyEos::map_failure_class
  for transforming the failure classification using a function.
• Clarify exactly when each Trace callback is called.
• Add AddAuthorizationLayer for setting the Authorization header on
  requests.

Breaking changes

None.