Version 4.2.7

Release Date: October 6, 2022

4.2.7 release of CodeIgniter4


  • Secure or HttpOnly flag set in ConfigCookie is not reflected in Cookies issued was fixed. See the Security advisory GHSA-745p-r637-7vvp for more information.

  • Fixed a bug that prevents CSP headers from being sent when Config\ContentSecurityPolicy::$autoNonce is false.


  • The default values of the parameters in set_cookie() and CodeIgniter\HTTP\Response::setCookie() has been fixed. Now the default values of $secure and $httponly are null, and these values will be replaced with the Config\Cookie values.

  • Time::__toString() is now locale-independent. It returns database-compatible strings like ‘2022-09-07 12:00:00’ in any locale.

  • The Validation rule Validation\Rule::required_without() and Validation\StrictRules\Rule::required_without() parameters have been changed and the logic of these rule has also been fixed.

Message Changes

  • Fixed typos in some items in Language/en/Email.php.

  • Added missing item valid_json in Language/en/Validation.php.

Bugs Fixed

See the repo’s for a complete list of bugs fixed.