Changelog

A chronological record of notable changes to ipinsights.io — new data sources, API updates, sensor network expansions and platform improvements.

Version 1.3 — 19 March 2026

  • New Attack Surface Monitoring (ASM) module — continuous monitoring of IPs, CIDR ranges, and domains with an 8-phase scanning pipeline (masscan, nmap, SSL, DNS, HTTP, WHOIS, exposure detection, CVE matching). #88 #103 #105 #106
  • New ASM dashboard, asset management, group management, exposure triage, and scheduled PDF reports. #96 #99 #100 #101
  • New Domain monitoring support in ASM with DNS and HTTP scanning. #113
  • New Campaign Tracker — automated clustering of IPs into coordinated attack campaigns using behavioural, temporal, and infrastructure signals. #153
  • New Temporal Analysis report — time-of-day attack heatmaps, campaign detection signals, and IP lifespan drift analytics. #151
  • New Blog CMS with posts, tags, admin interface, search, and filtering. #136
  • New Automated weekly threat landscape blog reports covering IP observations, threat categories, top countries, and highest-risk ISPs. #140 #147
  • New AS Administration page — admin interface for classifying Autonomous Systems by type (Hosting, Residential, Corporate, Education, Military, Government, IP Transit, etc.). #149
  • New Education added to dominant type classifications for universities and academic networks. #150
  • New Hosting Provider Breakdown report tab with doughnut chart and per-ISP table. #146
  • New Validated Attackers report tab — IPs observed by IPInsights honeypot sensor network. #144
  • New Dominant type analytics with military (is_mi), government (is_gov), and residential (is_residential) classification columns. #148
  • New IP Fingerprint card on detail page — browser, device type, and OS data from user agent analysis. #123 #124
  • New IP age display and rearranged detail cards on the IP details page. #131
  • New Sparkline chart showing attack activity over the last 24 hours on the dashboard. #141
  • New Verified Attacker badge in Security Flags card for IPs seen by IPInsights honeypot sensors. #139
  • New Attackers Seen In Last Hour dashboard stat replacing IPv4 Addresses Analysed, with clickable paginated drilldown. #132 #133
  • New TOR and I2P node counts added to main page stats block. #120
  • New CIDR-aggregated blocklist format alongside plain text blocklist. #121
  • New Recorded Attacks counter (seen_count) on IP detail pages. #138
  • New Cron script to auto-enrich unenriched honeypot-listed IPs. #145
  • Improved Pre-computed dashboard statistics with database indexes for faster initial page load. #126
  • Improved Reports page caching with cache warming and longer TTLs for improved load times. #155
  • Improved Removed 1,000 cap on IP count displayed in dashboard map tooltip. #137
  • Improved Skip storing user agent data when browser is detected as ipinsights.io. #130
  • Improved Weekly report renamed to “Weekly Threat Landscape” with new vs. repeat IPs analysis. #147
  • Improved Updated documentation (README, llms.txt) for all recent features. #156
  • Improved Beautified JSON display in ASM exposure detail views. #118 #119
  • Fixed Incorrect statistical data — sparkline and temporal stats now filtered to honeypot source only. #159
  • Fixed Verified Attacker badge only matching IPInsights Honeypot source instead of all sources. #142
  • Fixed Attackers Seen In Last Hour stat filtered to only count IPInsights Honeypot source. #143
  • Fixed Inline onclick handler moved to addEventListener for CSP compliance. #135
  • Fixed User-Agent forwarding to apiip.net and objects=userAgent parameter handling. #128 #129
  • Fixed ASM scan engine issues — domain name scanning, slow masscan, missing port details, CVE match rule errors, and rescan button. #108 #109 #110 #111 #112 #115 #116 #117
  • Fixed ASM module disabled via ASM_ENABLED feature flag by default. #134
  • Security v1.3 security review — added auth gates to ASM API endpoints, hardened CSV upload validation. #157

Version 1.2 — 24 February 2026

  • New Threat intelligence dashboard with interactive world heat map on the homepage. #30 #31 #33
  • New Community voting — authenticated users can flag IPs as malicious or clean, factored into threat assessment. #32
  • New Dedicated IP Lookup page separated from the dashboard. #36
  • New High Risk ISPs report with PDF export and country filtering. #43 #63 #64
  • New Tor Exit Node ISPs report with world map. #48
  • New P2P blocklists for military, government, and ISP IP range enrichment. #53 #55
  • New Per-user API rate limit management with self-service increase requests. #44
  • New Support page with contact form. #60
  • New About page and navigation restructured with dropdown menus. #61
  • New Interactive Cytoscape.js network map with AS route map and drill-down. #66 #68
  • New Canonical per-IP pages with SEO meta tags, structured data, and share buttons. #72
  • New STIX 2.1 bundle format added to blocklist downloads. #73
  • New Sensor Network & Methodology page documenting data collection and scoring. #75
  • New Interactive drill-down on dashboard charts (country heat map and category pie chart). #78
  • New SEO metadata, Open Graph tags, robots.txt, sitemap.xml, and llms.txt for AI navigation. #70
  • New /.well-known/security.txt (RFC 9116) for security researchers. #77
  • API Added ASN and CIDR block lookup endpoints to the REST API. #79
  • API Added community_votes and p2p_blocklists fields to /api/v1/lookup response.
  • API Rate limits documented across API, web, and login endpoints. #74
  • Improved Pre-computed ISP risk scores via hourly cron with comprehensive threat scoring. #46 #52
  • Improved Multi-threaded IP enrichment with regional priority queue and pcntl_fork() workers. #76
  • Improved Query optimisation for 25M+ rows — added indexes, eliminated N+1 blacklist lookups, bounded result sets. #59
  • Improved Better error handling — replaced generic "Network error" with actionable messages across all AJAX endpoints. #57
  • Improved Database fallback when apiip.net lookup fails. #56
  • Improved World heat map colour scale: yellow-to-red severity gradient with 1,000 IP cap. #37 #39
  • Improved Self-hosted jsvectormap to fix CDN MIME-type blocking. #34
  • Improved ISP risk score data freshness timestamp shown on reports page. #47
  • Improved Reports nav link visible to all users. #67
  • Improved Inline network map filtered to searched IP + top 5 threat nodes. #40
  • Fixed Redis SERIALIZER_JSON returning stdClass instead of arrays, crashing IP lookups. #35
  • Fixed FOaaS false positives blocking user registration and strong passwords. #41 #45
  • Fixed ISP risk scores aggregating per (as_number, country_code) instead of per AS number. #51
  • Fixed Tor Exit Nodes world map blocked by CSP. #50
  • Fixed PHP parse error in IpEnrichment.php (missing closing brace). #49
  • Fixed Missing migration for community_votes table. #38
  • Fixed Duplicate named parameter in P2P blocklist query. #58
  • Fixed URL-encoded provider file paths with spaces in P2P blocklist fetcher. #54
  • Security v1.2 security review — rate limiting on registration and support forms, Cache-Control on authenticated pages, object-src 'none' in CSP, SameSite on session cookie clear. #71
  • Security FOaaS IP whitelist and config option to disable attack detector. #42 #62

Version 1.1 — 22 February 2026

  • New Network map with AS tree diagram showing IP nodes grouped by Autonomous System. #25
  • New Inline network map on lookup results, scoped to the looked-up IP's AS name. #26
  • New ISP lookup by AS Number or AS Name with aggregated ISP risk scoring. #28
  • Fixed Network map nodes showing 0/100 threat score — now uses calculated threat assessment. #27
  • Security v1.1 security review — fixed XSS in showAdminAlert(), alert type injection, deprecated X-XSS-Protection, missing SRI on Bootstrap CSS, wrong escaping context in network map, missing IP validation on API endpoint. #29

Version 1.0 — 22 February 2026

  • New Application bootstrap (includes/bootstrap.php) — config loading, class autoloader, security headers, and session initialisation. #1
  • New REST API v1 endpoint at /api/v1/lookup with API key authentication and per-user rate limiting. #1
  • Data Added 13 new threat intelligence feeds (AbuseIPDB, Firehol Level 1, ipsum, ThreatFox IOCs, Binary Defense, and more), bringing total to 23. #3
  • New Daily cron job to purge stale blacklist entries unseen for 14+ days. #4
  • New FOaaS attack detection — records attacker IPs in the database, adds "IPs that Attacked Us" stat, serves themed 403 insult page. #6
  • New Custom error pages for HTTP 400, 403, 404 and 500. #7
  • New Integration guide page with step-by-step Wazuh active-response integration. #9
  • New RFC 1918 addresses return informational response instead of error; exempt from rate limiting. #10
  • New Blocklist download page with 6 formats — plain text, CSV, iptables, UFW, Check Point, and Cisco ACL. #16
  • New Admin user management panel on the profile page with password reset capability. #17
  • New WHOIS data lookup, storage, and display with Registration, Contacts, and Raw WHOIS cards. #19
  • New Cron script to auto-enrich unenriched blacklisted IPs with geolocation, ISP, WHOIS, and threat data. #20
  • New Visitor stats (24h / 7d / 30d unique visitors) on admin profile page. #21
  • New Reverse DNS hostname lookup via host command during IP enrichment. #23
  • New Security review page documenting all findings and verified controls. #13
  • New Sales email notification when a user exceeds their API hourly rate limit. #12
  • Improved Blacklist scores degrade linearly over 90 days instead of hard-deleting entries. #18
  • Improved WHOIS cards moved inside the result grid alongside Security Flags. #22
  • Improved FOaaS ban duration reduced to 3 minutes; added ban clear script. #15
  • Improved Full apiip.net field mapping fix — all connection{} and security{} sub-object fields now correctly persisted. #11
  • Improved Updated Firehol Level 1 blacklist feed to canonical upstream source. #14
  • Fixed "Invalid security token" error on second search — CSRF token now updated unconditionally. #5
  • Fixed FOaaS SSRF patterns causing false positives on private IP addresses and reverse proxies. #8
  • Fixed Intermittent CSRF and network errors — changed to per-session tokens, added Content-Type validation before response.json(). #13
  • Fixed Blocklist risk scoring weights — per-entry score increased from 20 to 50, cap raised to 85; API Threat Score now displays calculated assessment. #24
  • Fixed Cache::flushPattern() stripping prefix incorrectly with str_replace. #1
  • Security MD5 → SHA-256 in rate-limit Redis key derivation. #1
  • Security XSS fix in showAlert() — user messages routed through textContent before innerHTML. #1
  • Security Password length check changed from strlen to mb_strlen to prevent multi-byte character bypass. #1
  • Security CSP policy updated for HubSpot embedded scripts. #13

Version 0.1 — 20 February 2026 — Initial Release

  • New Core IP lookup and enrichment via apiip.net API.
  • New MySQL database with Redis caching layer.
  • New User authentication, registration, and API key management.
  • New Blacklist aggregation from 10 threat intelligence feeds.
  • New Threat scoring algorithm with multi-factor assessment.
  • New Light, Dark, and VT100 terminal theme support.
  • New API documentation page.
  • Sensors Initial deployment of honeypot sensor network.

Label Guide

New New feature or page Improved Enhancement to existing functionality Fixed Bug fix Security Security improvement API API change or addition Data New data source or feed Sensors Honeypot network expansion