diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,84 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.4.0.2] - 2018-10-05
+
+### Added
+- #125 Allow setting domain name for a cookie [@domenkozar]
+
+## Changed
+- bump http-api-data to 0.3.10 that includes Cookie orphan instances previously located in servant-auth-server [@phadej]
+- #114 Export `HasSecurity` typeclass [@rockbmb]
+
+## [0.4.0.1] - 2018-09-23
+
+### Security
+- #123 Session cookie did not apply SameSite attribute [@domenkozar]
+
+### Added
+- #112 HasLink instance for Auth combinator [@adetokunbo]
+- #111 Documentation for using hoistServer [@mschristiansen]
+- #107 Add utility functions for reading and writing a key to a file [@mschristiansen]
+
+## [0.4.0.0] - 2018-06-17
+
+### Added
+- Support GHC 8.4 by @phadej and @domenkozar
+- Support for servant-0.14 by @phadej
+- #96 Support for jose-0.7 by @xaviershay
+- #92 add `clearSession` for logout by @plredmond and @3noch
+- #95 makeJWT: allow setting Alg via defaultJWTSettings by @domenkozar
+- #89 Validate JWT against a JWKSet instead of JWK by @sopvop
+
+### Changed
+- #92 Rename CSRF to XSRF by @plredmond and @3noch
+- #92 extract 'XsrfCookieSettings' from 'CookieSettings' and make XSRF checking optional
+  by @plredmond and @3noch
+- #69 export SameSite by @domenkozar
+- #102 Reuse Servant.Api.IsSecure instead of duplicating ADT by @domenkozar
+
+### Deprecated
+- #92 Renamed 'makeCsrfCookie' to 'makeXsrfCookie' and marked the former as deprecated
+  by @plredmond and @3noc
+- #92 Made several changes to the structure of 'CookieSettings' which will require
+  attention by users who have modified the XSRF settings by @plredmond and @3noch
+
+### Security
+- #94 Force cookie expiration on serverside by @karshan
+
+## [0.3.2.0] - 2018-02-21
+
+### Added
+- #76 Export wwwAuthenticatedErr and elaborate its annotation by @defanor
+- Support for servant-0.14 by @phadej
+
+### Changed
+- Disable the readme executable for ghcjs builds by @hamishmack
+- #84 Make AddSetCookieApi type family open by @qnikst
+- #79 Make CSRF checks optional for GET requests by @harendra-kumar
+
+## [0.3.1.0] - 2017-11-08
+
+### Added
+- Support for servant-0.12 by @phadej
+
+## [0.3.0.0] - 2017-11-07
+
+### Changed
+- #47 'cookiePath' and 'xsrfCookiePath' added to 'CookieSettings' by @mchaver
+
+## [0.2.8.0] - 2017-05-26
+
+### Added
+- #45 Support for servant-0.11 by @phadej
+
+## [0.2.7.0] - 2017-02-11
+
+### Changed
+- #27 #41 'acceptLogin' and 'makeCsrfCookie' functions by @bts
diff --git a/servant-auth-server.cabal b/servant-auth-server.cabal
--- a/servant-auth-server.cabal
+++ b/servant-auth-server.cabal
@@ -1,5 +1,5 @@
 name:           servant-auth-server
-version:        0.4.0.1
+version:        0.4.0.2
 synopsis:       servant-server/servant-auth compatibility
 description:    This package provides the required instances for using the @Auth@ combinator
                 in your 'servant' server.
@@ -18,6 +18,8 @@
 tested-with:    GHC == 7.10.3, GHC == 8.0.2, GHC == 8.2.2, GHC == 8.4.3
 build-type:     Simple
 cabal-version:  >= 1.10
+extra-source-files:
+    CHANGELOG.md
 
 source-repository head
   type: git
@@ -40,7 +42,7 @@
     , crypto-api              >= 0.13 && < 0.14
     , data-default-class      >= 0.0  && < 0.2
     , entropy                 >= 0.3  && < 0.5
-    , http-api-data           >= 0.3.7 && < 0.4
+    , http-api-data           >= 0.3.10 && < 0.4
     , http-types              >= 0.9  && < 0.13
     , jose                    >= 0.6  && < 0.8
     , lens                    >= 4    && < 5
diff --git a/src/Servant/Auth/Server.hs b/src/Servant/Auth/Server.hs
--- a/src/Servant/Auth/Server.hs
+++ b/src/Servant/Auth/Server.hs
@@ -150,7 +150,6 @@
 import Servant.Auth.Server.Internal.JWT
 import Servant.Auth.Server.Internal.ThrowAll
 import Servant.Auth.Server.Internal.Types
-import Servant.Auth.Server.SetCookieOrphan      ()
 
 import Crypto.JOSE as Jose
 import Servant     (BasicAuthData (..))
diff --git a/src/Servant/Auth/Server/Internal/ConfigTypes.hs b/src/Servant/Auth/Server/Internal/ConfigTypes.hs
--- a/src/Servant/Auth/Server/Internal/ConfigTypes.hs
+++ b/src/Servant/Auth/Server/Internal/ConfigTypes.hs
@@ -64,13 +64,15 @@
   , cookieMaxAge      :: !(Maybe DiffTime)
   -- | At what time the cookie expires. Default: @Nothing@.
   , cookieExpires     :: !(Maybe UTCTime)
-  -- | The URL path and sub-paths for which this cookie is used. Default @Just "/"@.
+  -- | The URL path and sub-paths for which this cookie is used. Default: @Just "/"@.
   , cookiePath        :: !(Maybe BS.ByteString)
+  -- | Domain name, if set cookie also allows subdomains. Default: @Nothing@.
+  , cookieDomain      :: !(Maybe BS.ByteString)
   -- | 'SameSite' settings. Default: @SameSiteLax@.
   , cookieSameSite    :: !SameSite
   -- | What name to use for the cookie used for the session.
   , sessionCookieName :: !BS.ByteString
-  -- | The optional settings to use for XSRF protection. Default @Just def@.
+  -- | The optional settings to use for XSRF protection. Default: @Just def@.
   , cookieXsrfSetting :: !(Maybe XsrfCookieSettings)
   } deriving (Eq, Show, Generic)
 
@@ -83,6 +85,7 @@
     , cookieMaxAge      = Nothing
     , cookieExpires     = Nothing
     , cookiePath        = Just "/"
+    , cookieDomain      = Nothing
     , cookieSameSite    = SameSiteLax
     , sessionCookieName = "JWT-Cookie"
     , cookieXsrfSetting = Just def
diff --git a/src/Servant/Auth/Server/Internal/Cookie.hs b/src/Servant/Auth/Server/Internal/Cookie.hs
--- a/src/Servant/Auth/Server/Internal/Cookie.hs
+++ b/src/Servant/Auth/Server/Internal/Cookie.hs
@@ -101,6 +101,7 @@
   { setCookieMaxAge = cookieMaxAge cookieSettings
   , setCookieExpires = cookieExpires cookieSettings
   , setCookiePath = cookiePath cookieSettings
+  , setCookieDomain = cookieDomain cookieSettings
   , setCookieSecure = case cookieIsSecure cookieSettings of
       Secure -> True
       NotSecure -> False
diff --git a/src/Servant/Auth/Server/SetCookieOrphan.hs b/src/Servant/Auth/Server/SetCookieOrphan.hs
--- a/src/Servant/Auth/Server/SetCookieOrphan.hs
+++ b/src/Servant/Auth/Server/SetCookieOrphan.hs
@@ -1,19 +1,3 @@
-{-# OPTIONS_GHC -fno-warn-orphans #-}
-module Servant.Auth.Server.SetCookieOrphan () where
-
-import Blaze.ByteString.Builder (toByteString)
-import Data.Text.Encoding       (decodeUtf8, encodeUtf8)
-import Web.Cookie               (SetCookie, parseSetCookie, renderSetCookie)
-import Web.HttpApiData          (FromHttpApiData (..), ToHttpApiData (..))
-import Data.ByteString.Conversion (ToByteString(..))
-
-instance FromHttpApiData SetCookie where
-    parseUrlPiece = parseHeader . encodeUtf8
-    parseHeader = Right . parseSetCookie
-
-instance ToHttpApiData SetCookie where
-    toUrlPiece = decodeUtf8 . toHeader
-    toHeader = toByteString . renderSetCookie
-
-instance ToByteString SetCookie where
-    builder = renderSetCookie
+module Servant.Auth.Server.SetCookieOrphan
+    {-# DEPRECATED "instance exists in http-api-data-0.3.9. This module will be removed in next major release." #-}
+    () where
