4 April 2022, v2.3.0-rc1


This is the first release candidate for v2.3.0 which features the GraphQL API for testing and feedback.


  • User profiles now have a role field for managing permissions in the upcoming GraphQL API

  • Added components for upcoming GraphQL API that are only available with local.yml for testing in development environments

    • New Docker container for Hasura GraphQL engine

    • Work-in-progress Hasura metadata for the GraphQL API

    • New HASURA_ACTION_SECRET environment variable in env templates

    • New utilities for generating and managing JSON Web Tokens for the GraphQL API

  • Added support for block quotes in report templates and WYSIWYG editor

  • Added ProjectInvite and ClientInvite models to support upcoming role-based access controls

  • Added a menu option to export a project scope to a text file from the project dashboard

    • Exports only the scope list for easy use with other tools–e.g., Nmap


  • Disabled L10N by default in favor of using DATE_FORMAT for managing the server's preferred date format (closes #193)

  • Updated env templates with a DATE_FORMAT configuration for managing your preferred format

    • See updated installation documentation on ghostwriter.wiki

  • User profiles now only show the user's role, groups, and Ghostwriter user status to the profile owner

  • Updated nginx.conf to align it with Mozilla's recommendations for nginx v1.21.1 and OpenSSL 1.1.1l

  • Toast messages for errors are no longer sticky so they do not have to be manually dismissed when covering UI elements

  • Domain list table now shows an "Expiry" column and "Categories" column now parses the new categorization JSON field data

  • Domain list filtering now includes a "Filter Expired" toggle that is on by default

    • Filters out domains with expiration dates in the past and auto_renew set to False even if the status is set to "Available"

  • The table on the domain list page and the menu on the domain details page will no longer disable the check out option if a domain's status is set to "Burned"

  • Simplified usage of the format_datetime filter

    • Filter now accepts only two arguments: the date and the new format string

    • The format string should use Django values (e.g., M d, Y) instead of values translated to Python's standard (e.g., %b %d, %Y)

  • Simplified usage of the add_says filter

    • Filter now accepts only two arguments: the date and an integer


  • v2.2.x usage of the format_datetime and add_days filters is deprecated in v2.3.0

    • Both filters will no longer accept Python-style strftime strings

    • Both filters no longer needs or accepts the current_format and format_str parameters

    • Templates using the old style will fail linting


  • Removed "WHOIS Privacy" column on domain list page to make room for more pertinent information


  • Bumped djangorestframework-api-key to v2.2.0 to fix REST API key creation (closes #197)

  • Overrode Django's get_full_name() method used for the admin site so the user's proper full name is displayed in history logs

  • Fixed project dashboard's "Import Oplog" button not pointing to the correct URL

  • Fixed URL conflicts with export links for domains, servers, and findings


  • Restricted edit and delete actions on notes to close possibility of other users editing or deleting notes they do not own

Last updated