A new View Derivers concept has been added to Pyramid to allow framework authors to inject elements into the standard Pyramid view pipeline and affect all views in an application. This is similar to a decorator except that it has access to options passed to config.add_view and can affect other stages of the pipeline such as the raw response from a view or prior to security checks. See https://github.com/Pylons/pyramid/pull/2021

Added a require_csrf view option which will enforce CSRF checks on requests with an unsafe method as defined by RFC 2616. If the CSRF check fails a BadCSRFToken exception will be raised and may be caught by exception views (the default response is a 400 Bad Request). This option should be used in place of the deprecated check_csrf view predicate, which would normally result in an unexpected 404 Not Found response to the client instead of a catchable exception. See Checking CSRF Tokens Automatically, https://github.com/Pylons/pyramid/pull/2413 and https://github.com/Pylons/pyramid/pull/2500

Added a new method, pyramid.config.Configurator.set_csrf_default_options(), for configuring the CSRF checks used by the require_csrf=True view option. This method can be used to turn on CSRF checks globally for every view in the application. This should be considered a good default for websites built on Pyramid. It is possible to opt out of CSRF checks on a per-view basis by setting require_csrf=False on those views. See Checking CSRF Tokens Automatically, https://github.com/Pylons/pyramid/pull/2413 and https://github.com/Pylons/pyramid/pull/2518

Added an additional CSRF validation that checks the origin/referrer of a request and makes sure it matches the current request.domain. This particular check is only active when accessing a site over HTTPS, as otherwise browsers don't always send the required information. If this additional CSRF validation fails a BadCSRFOrigin exception will be raised and may be caught by exception views (the default response is 400 Bad Request). Additional allowed origins may be configured by setting pyramid.csrf_trusted_origins to a list of domain names (with ports if on a non-standard port) to allow. Subdomains are not allowed unless the domain name has been prefixed with a '.'. See https://github.com/Pylons/pyramid/pull/2501

Added a new pyramid.session.check_csrf_origin() API for validating the origin or referrer headers against the request's domain. See https://github.com/Pylons/pyramid/pull/2501
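As an added illustration (not Pyramid's own code), the standalone function below mirrors the origin/referrer rules described in the two entries above: the check is skipped off HTTPS, Origin is preferred and Referer is the fallback, the request's own domain (with its port when non-standard) is always trusted, and a leading '.' in a trusted entry admits subdomains. The function signature, the plain headers dict and the sample hosts are assumptions made for this example.

```python
from urllib.parse import urlparse


def is_same_domain(host, pattern):
    """Exact match, or any subdomain when the entry starts with a dot."""
    if not pattern:
        return False
    host, pattern = host.lower(), pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def check_csrf_origin(scheme, domain, host_port, headers, trusted_origins=()):
    """Return (ok, reason) for a request described by its parts.

    scheme/domain/host_port play the role of request.scheme, request.domain
    and request.host_port; headers is a plain dict (assumption for this
    example); trusted_origins stands in for pyramid.csrf_trusted_origins.
    """
    if scheme != "https":
        # Browsers do not reliably send Origin/Referer over plain HTTP.
        return True, "skipped: not https"
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "no Origin or Referer header"
    # Compare on the netloc only, so a Referer with a path still matches.
    origin_netloc = urlparse(origin).netloc
    allowed = list(trusted_origins)
    if host_port in ("80", "443"):
        allowed.append(domain)
    else:
        allowed.append("%s:%s" % (domain, host_port))
    if not any(is_same_domain(origin_netloc, entry) for entry in allowed):
        return False, "origin %r not in %r" % (origin_netloc, allowed)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests against an app served at example.com.
    samples = [
        ("https", "example.com", "443", {"Origin": "https://example.com"}, ()),
        ("https", "example.com", "443", {"Referer": "https://example.com/form"}, ()),
        ("https", "example.com", "443", {"Origin": "https://api.example.com"}, ()),
        ("https", "example.com", "443", {"Origin": "https://api.example.com"}, (".example.com",)),
        ("https", "example.com", "8443", {"Origin": "https://example.com"}, ()),
    ]
    for args in samples:
        print(args[3], args[4], "->", check_csrf_origin(*args))
```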

Subclasses of pyramid.httpexceptions.HTTPException will now take into account the best match for the client's Accept header and, depending on what is requested, will return text/html, application/json or text/plain. The default for */* is still text/html, but if application/json is explicitly mentioned the client will now receive a valid JSON response. See https://github.com/Pylons/pyramid/pull/2489

A new event, pyramid.events.BeforeTraversal, and a new interface, pyramid.interfaces.IBeforeTraversal, have been introduced that will notify listeners before traversal starts in the router. See Request Processing as well as https://github.com/Pylons/pyramid/pull/2469 and https://github.com/Pylons/pyramid/pull/1876

A new method, pyramid.request.Request.invoke_exception_view(), which can be used to invoke an exception view and get back a response. This is useful for rendering an exception view outside of the context of the EXCVIEW tween, where you may need more control over the request. See https://github.com/Pylons/pyramid/pull/2393

A global permission set via pyramid.config.Configurator.set_default_permission() will no longer affect exception views. A permission must be set explicitly on the view for it to be enforced. See https://github.com/Pylons/pyramid/pull/2534

Allow a leading = on the key of the request param predicate. For example, '=abc=1' is equivalent to request.params['=abc'] == '1'. See https://github.com/Pylons/pyramid/pull/1370

Allow using variable substitutions like %(LOGGING_LOGGER_ROOT_LEVEL)s in the logging sections of the .ini file and populate these variables from the pserve command line, e.g.: pserve development.ini LOGGING_LOGGER_ROOT_LEVEL=DEBUG. This support is thanks to the new global_conf option on pyramid.paster.setup_logging(). See https://github.com/Pylons/pyramid/pull/2399