Summary

Added support for the clear-site-data header. This allows consumers of the middleware to set that header to specific URLs (such as logout) which informs the browser that it should clear specific site data when it recieves the header.

Be sure to read the relevant documentation on the new header to learn the details of how to leverage it. For instance, this header is NOT included by default because it is potentially destructive.

What's Changed

• feature/frozen-dictionary by @jamie-taylor-rjj in #155
• feature/list-of-headers-in-docs by @jamie-taylor-rjj in #156
• Bugfix/typos by @jamie-taylor-rjj in #157
• feature/list-of-headers-in-docs by @jamie-taylor-rjj in #158
• Bugfix/typos by @jamie-taylor-rjj in #159
• Feature/cross origin opener policy by @GaProgMan in #160
• Fixed links to docs pages for supported headers on index page by @GaProgMan in #161
• Bugfix/docs links by @GaProgMan in #162
• Fix readme: Http header syntax highlighting by @NickNiebling in #163
• Feature/cross origin embedder policy by @GaProgMan in #164
• Feature/cross origin embedder policy by @GaProgMan in #165
• Fixed some very small docs issues by @GaProgMan in #166
• Bugfix/coep default header value by @GaProgMan in #167
• Bump nokogiri from 1.16.5 to 1.18.3 in /docs by @dependabot[bot] in #169
• Bump uri from 0.13.0 to 0.13.2 in /docs by @dependabot[bot] in #171
• Update SECURITY.md by @jpenny1993 in #176
• Fix/documentation typos by @jamie-taylor-rjj in #177
• Feature/logging by @jamie-taylor-rjj in #179
• Fix/logging changelog update by @jamie-taylor-rjj in #181
• Fix/logging changelog update by @jamie-taylor-rjj in #182
• Added documentation for CSP by @jamie-taylor-rjj in #183
• Bugfix/primary constructor editorconfig by @jamie-taylor-rjj in #184
• Bump nokogiri from 1.18.3 to 1.18.9 in /docs by @dependabot[bot] in #180
• Bugfix/data directive by @jamie-taylor-rjj in #186
• docs: sync changelog to docs directory by @github-actions[bot] in #187
• Bump rexml from 3.3.9 to 3.4.2 in /docs by @dependabot[bot] in #188

New Contributors

• @NickNiebling made their first contribution in #163
• @dependabot[bot] made their first contribution in #169
• @jpenny1993 made their first contribution in #176

Full Changelog: v9.6.0...9.9.0

By leveraging an in-memory dictionary which we populate on the first run through the Invoke method, we can drastically speed up the execution speed whilst reducing the memory footprint of the middleware class.

Also included are a number of changes to the documentation site.

What's Changed

• Feature/docs basic entries by @GaProgMan in #122
• Feature/docs basic entries by @GaProgMan in #123
• Feature/docs basic entries by @GaProgMan in #124
• Feature/docs basic entries by @GaProgMan in #125
• Feature/docs basic entries by @GaProgMan in #126
• Feature/docs basic entries by @GaProgMan in #127
• Feature/docs basic entries by @GaProgMan in #128
• Feature/docs basic entries by @GaProgMan in #129
• Feature/optimisations for header value builders by @GaProgMan in #130
• Feature/docs basic entries by @GaProgMan in #131
• Feature/docs basic entries by @GaProgMan in #132
• Simplification of project layout; Updated all relevant GitHub actions files by @GaProgMan in #133
• Feature/docs basic entries by @GaProgMan in #134
• Fixed #135 by replacing the incorrect default values for the Cache-Control header with the correct ones. by @jamie-taylor-rjj in #136
• Feature/configuration docs by @jamie-taylor-rjj in #137
• Feature/docs basic entries by @GaProgMan in #138
• Feature/add issue types by @jamie-taylor-rjj in #139
• Feature/ignore provided urls by @jamie-taylor-rjj in #142
• Attempted to add manual steps for the CodeQL yml file by @jamie-taylor-rjj in #143
• Feature/adding integration tests by @jamie-taylor-rjj in #144
• [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in #145
• Bugfix/fix release ci by @GaProgMan in #146
• Fix .NET SDK mismatches in actions by @jamie-taylor-rjj in #147
• Add Attestations to build and release workflow by @GaProgMan in #148
• Updated docs for attestations on release by @jamie-taylor-rjj in #150
• Fix for images not displaying in attestations docs by @GaProgMan in #151
• Header Caching by @GaProgMan in #152
• Bugfix/editorconfig bug by @jamie-taylor-rjj in #154

New Contributors

• @step-security-bot made their first contribution in #145

Full Changelog: v9.1.0...v9.6.0

Summary

It's not possible for ASP .NET Core to remove the X-Powered-By header. As such, even though the OWASP Secure Headers project recommends removing it, OwaspHeaders.Core no longer attempts to remove it.

This is because ASP .NET Core cannot remove this header, as it's set at the reverse proxy level. A solution has been provided in the Server Header: A Warning section of the readme and package documentation.

What's Changed

• Feature/docs basic entries by @GaProgMan in #122
• Feature/docs basic entries by @GaProgMan in #123
• Feature/docs basic entries by @GaProgMan in #124
• Feature/docs basic entries by @GaProgMan in #125
• Feature/docs basic entries by @GaProgMan in #126
• Feature/docs basic entries by @GaProgMan in #127
• Feature/docs basic entries by @GaProgMan in #128
• Feature/docs basic entries by @GaProgMan in #129

Full Changelog: v9.1.0...v9.2.0

Summary

At some point recently, the default value for the Strict-Transport-Security (aka HSTS) header was changed from 63072000 (730 days) to 31536000 (365 days). This release fixes that oversight.

What's Changed

• Added .github dir to ignore for action by @GaProgMan in #101
• scorecard.yml updated to latest best-practise by @GaProgMan in #102
• Added warnings as errors to csproj files by @jamie-taylor-rjj in #104
• Initial commit of the Just-The-Docs template files by @GaProgMan in #106
• Fixed URL in config for docs directory by @GaProgMan in #110
• Initial Customisation of docs theme by @GaProgMan in #111
• Fixed location of logo in docs config by @GaProgMan in #112
• Bugfix/docs logo location by @GaProgMan in #113
• Feature/basic docs by @GaProgMan in #114
• Feature/basic docs by @GaProgMan in #115
• Feature/basic docs by @GaProgMan in #116
• Feature/basic docs by @GaProgMan in #117
• Fixed gemfile.lock by @jamie-taylor-rjj in #118
• Very basic documentation files by @GaProgMan in #119
• Feature/docs basic entries by @GaProgMan in #120
• The max-age value used by the default HSTS header is no longer correct by @jamie-taylor-rjj in #121

Full Changelog: v9.0.0...v9.1.0

Summary

As of November 12th, .NET 9 has been RTM'd. This release marks the first version of OwaspHeaders.Core which supports .NET 9.

Please see the .NET support lifecycle documentation for details: https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#lifecycle

What's Changed

• Removed Support For .NET 6; Added Support For .NET 9 by @jamie-taylor-rjj in #100

Full Changelog: v8.1.3...v9.0.0

Summary

As of November 12th, both .NET 6 is out of support. This release marks the final version of OwaspHeaders.Core which works .NET 6 or .NET 7.

Included in this release is both the NuGet package and symbols package for version 8.1.3 of OwaspHeaders.Core.

Please see the .NET support lifecycle documentation for details: https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core#lifecycle

What's Changed

• Implemented Cross-Origin-Resource-Policy response header by @miguelcrpinto in #86
• Feature/add dotnet format to readme by @jamie-taylor-rjj in #87
• Feature/simplifiy first use by @jamie-taylor-rjj in #89
• Removed references to Moq by @jamie-taylor-rjj in #90
• Version bump by @GaProgMan in #91
• Fixed version bump by @GaProgMan in #92
• Removed support for .NET Framework-based ASP .NET Core applications by @jamie-taylor-rjj in #93
• Feature/add net 8 by @jamie-taylor-rjj in #94
• Improve NuGet package metadata by @swharden in #96
• Enhanced readability of the csproj by @GaProgMan in #97
• GitHub Actions Upgrades by @GaProgMan in #98

New Contributors

• @miguelcrpinto made their first contribution in #86
• @swharden made their first contribution in #96

Full Changelog: v6.1.0...v8.1.3

Summary

This release marks the final version of OwaspHeaders.Core which works with .NET Framework hosted ASP .NET Core 2.2 (or lower) applications.

The library no longer supports .NET Framework hosting situations due to Microsoft having dropped support for them back in the ASP .NET Core 3.0 time frame. Please see the following for details aspnet/Announcements#324