---
title: New in Web Agent 2025.x
description: Web Agent 2025.11 is a minor release that introduces new features, functional enhancements, and fixes.
component: web-agents
version: release-notes
page_id: web-agents::whats-new-2025
canonical_url: https://docs.pingidentity.com/web-agents/release-notes/whats-new-2025.html
section_ids:
  whats-new-2025.11: Web Agent 2025.11
  jwt-signature-validation-change: JWT signature validation
  one-level-wildcards: One-level wildcard Not-Enforced rules
  apache-errordocument: Apache ErrorDocument authorization support
  policy-decsion-metrics-202511: Policy decision monitoring metrics
  whats-new-2025.9: Web Agent 2025.9
  apache-mod-headers: Apache mod_headers
  whats-new-2025.6: Web Agent 2025.6
  fips: FIPS 140 support
  public-client-cert-friendly: Public client certificate friendly name
  tls13-security-protocol-schannel: TLSv1.3 security protocol
  policy-decision-metric: Policy decision monitoring metric
  web_agent_2025_3_x: Web Agent 2025.3.x
  whats-new-2025.3.1: Web Agent 2025.3.1
  whats-new-2025.3: Web Agent 2025.3
  csp-frame-ancestors: Content Security Policy header - frame-ancestors
  agent-authentication-change: Agent authentication to Advanced Identity Cloud and AM
---

# New in Web Agent 2025.x

## Web Agent 2025.11

Web Agent 2025.11 is a minor release that introduces new features, functional enhancements, and fixes.

### JWT signature validation

When the agent is configured to [validate the JWT signature locally](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.jwt.validate.signature.locally.html), it now returns a 403 response if validation fails. Previously, the agent would clear the cookie and redirect the user to the login page.

### One-level wildcard Not-Enforced rules

Trailing forward slashes (`/`) are now ignored when evaluating Not-Enforced rules with one-level wildcards (`-*-`). This change ensures that requests to resources with a trailing forward slash are correctly matched by Not-Enforced rules that use one-level wildcards.

### Apache ErrorDocument authorization support

A new `AmAuthErrorDocument` Apache directive lets you switch authorization on or off for ErrorDocument internal file or CGI redirects.

Switch this on when you have ErrorDocuments that use CGI scripts and require authorization.

Learn more in [AmAuthErrorDocument directive to authorize ErrorDocument internal redirects](https://docs.pingidentity.com/web-agents/2025.11/installation-guide/apache.html#apache-errordocument).

### Policy decision monitoring metrics

We've made changes to the policy decision cache metrics to make it clearer which cache is being used.

The existing `cache_decision_total` metric is now updated when the [AM\_POLICY\_CACHE\_MODE](https://docs.pingidentity.com/web-agents/2025.11/user-guide/configure-envvars.html#envvar-AM_POLICY_CACHE_MODE) environment variable is set to `on`, and a new `url_cache_decision_total` metric is updated when this environment variable is set to `off`.

Learn more in [policy decision metrics](https://docs.pingidentity.com/web-agents/2025.11/maintenance-guide/monitoring.html#policy-decision-metrics).

## Web Agent 2025.9

Web Agent 2025.9 is a minor release that introduces new features, functional enhancements, and fixes.

### Apache mod\_headers

We've made changes to the Apache Web Agent to make it compatible with `mod_headers`. This allows you to set security headers, including CORS responses, in the Apache configuration using `mod_headers`.

Learn more in [Apache Module mod\_headers](https://httpd.apache.org/docs/current/mod/mod_headers.html) in the Apache documentation.

These changes have been removed in Web Agent 2025.11 because they can cause authentication flows to fail.

## Web Agent 2025.6

Web Agent 2025.6 is a minor release that introduces new features, functional enhancements, and fixes.

### FIPS 140 support

We've made changes to Web Agent to provide FIPS 140 compliance.

* Unix-based agents support the OpenSSL 3.1.2 FIPS module, which is a FIPS 140-3 compliant security provider.

* Windows-based agents support the use of FIPS compliant algorithms to make them FIPS 140-2 compliant.

Learn more in [FIPS 140 compliance](https://docs.pingidentity.com/web-agents/2025.11/installation-guide/secure-connections.html#fips).

### Public client certificate friendly name

A new [Public Client Certificate Friendly Name](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.config.win.clientcert.friendly.name.html) property lets you set the friendly name used to look up the client certificate in the Windows certificate store for agents using Schannel.

Use this new property instead of the [Public Client Certificate File Name](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.config.cert.file.html) property to set the certificate friendly name.

The [Public Client Certificate File Name](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.config.cert.file.html) property should now be used only for the name of the file that contains the client certificate chain.

### TLSv1.3 security protocol

If required, you can now disable the TLS 1.3 security protocol for Windows Secure Channel API (Schannel) by adding `-TLSv1.3` to the [Security Protocol List](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/org.forgerock.agents.config.tls.html).

### Policy decision monitoring metric

We've added a new `authenticated_return_total` metric to the [policy decision metrics](https://docs.pingidentity.com/web-agents/2025.11/maintenance-guide/monitoring.html#policy-decision-metrics) returned by the Prometheus endpoint. This metric provides a count of the requests returned after authentication.

It's useful to monitor this metric with the `not_authenticated_total` metric as a possible indicator of a Denial of Service (DoS) attack.
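One way to watch the two counters together, as an added example that is not part of the Web Agent documentation or product: it compares two scrapes of the Prometheus endpoint and flags an interval where unauthenticated requests climb while few requests return after authentication. It assumes the metrics appear under the bare names given above (a real endpoint may add a prefix or labels); the scrape text is constructed and the thresholds are hypothetical values to tune per site.

```python
import re

# Constructed sample scrapes in Prometheus text exposition format.
# Assumption: bare metric names as written on this page.
SCRAPE_T0 = """\
# TYPE not_authenticated_total counter
not_authenticated_total 1200
# TYPE authenticated_return_total counter
authenticated_return_total 1100
"""
SCRAPE_T1 = """\
not_authenticated_total 9200
authenticated_return_total 1150
"""

METRICS = ("not_authenticated_total", "authenticated_return_total")
# name, optional {labels}, then the sample value; comment lines do not match.
LINE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{[^}]*\})?\s+(\S+)')

def parse_counters(text):
    """Sum each wanted counter across label sets, skipping comment lines."""
    totals = dict.fromkeys(METRICS, 0.0)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) in totals:
            totals[m.group(1)] += float(m.group(2))
    return totals

def assess(prev, curr, min_unauth=500, max_return_ratio=0.2):
    """Compare two scrapes; both thresholds are assumptions, not product defaults."""
    delta = {}
    for name in METRICS:
        d = curr[name] - prev[name]
        # A counter that went backwards means the agent restarted: use the new value.
        delta[name] = d if d >= 0 else curr[name]
    unauth = delta["not_authenticated_total"]
    returned = delta["authenticated_return_total"]
    ratio = returned / unauth if unauth else 1.0
    # Many unauthenticated requests with few authenticated returns is the signal.
    suspicious = unauth >= min_unauth and ratio < max_return_ratio
    return {"unauth": unauth, "returned": returned,
            "ratio": round(ratio, 3), "suspicious": suspicious}

if __name__ == "__main__":
    print(assess(parse_counters(SCRAPE_T0), parse_counters(SCRAPE_T1)))
```
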

## Web Agent 2025.3.x

### Web Agent 2025.3.1

Web Agent 2025.3.1 is a maintenance release. It contains no new features.

### Web Agent 2025.3

Web Agent 2025.3 is a major release that introduces new features, functional enhancements, and fixes.

#### Content Security Policy header - `frame-ancestors`

We've made changes to the Web Agent to provide support for the Content Security Policy (CSP) `frame-ancestors` directive, which lets you specify which parent sources can embed a page in an iframe (and other HTML elements).

The agent sets this directive on direct responses, such as authentication and PDP, so this only affects pages related to these responses.

By default, the Web Agent sets this directive to `self`, which only allows the site hosting the agent to embed pages in iframes.

The following new bootstrap properties are available:

* The [Frame Ancestors None](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.csp.frame.ancestors.none.html) property controls whether pages can be embedded in iframes or not.

* The [Frame Ancestors Sources](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.csp.frame.ancestors.sources.html) property controls which parent sources can embed pages in a `<frame>`, `<iframe>`, `<embed>` or `<object>` element if embedding is allowed.

Learn more in [iframes](https://docs.pingidentity.com/web-agents/2025.11/security-guide/threats.html#iframes).

#### Agent authentication to Advanced Identity Cloud and AM

We've made changes to how Web Agent authenticates to Advanced Identity Cloud and AM.

The default fallback mode setting (`0`) for the [AM\_AGENT\_AUTH\_MODE](https://docs.pingidentity.com/web-agents/2025.11/installation-guide/installer-env-vars.html#am-agent-auth-mode) installation environment variable and the [Agent Authentication Mode](https://docs.pingidentity.com/web-agents/2025.11/properties-reference/com.forgerock.agents.config.agent.auth.mode.html) property has been removed. The default setting is now `1`, meaning the agent always authenticates using the `Agent` journey.

If the `Agent` journey doesn't exist, you should create it. Learn more in [Authenticate agents to the identity provider](https://docs.pingidentity.com/web-agents/2025.11/installation-guide/pre-installation.html#authenticate_agents_to_the_identity_provider).
