This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to AppVeyor. Because of this, the releases on the GitHub repo became stale.
| Major Version Number | Changes |
|---|---|
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplfied the use of the middleware in Composite Root/Program.cs |
| 6 | Removes Expect-CT Header from the list of default headers |
| 5 | XSS Protection is now hard-coded to return "0" if enabled |
| 4 | Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class uses .NET Standard 2.0 Removed XSS Protection header from defaults |
| 3 | Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 2.0 |
| 2 | Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Core 2.0 |
| 1 | Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 1.4 |
This version makes it simpler to get started with the NuGet package by simplifying the use of it in Program.cs/Composite Root. This, effectively, changes the composite root from:
app.UseSecureHeadersMiddleware(
SecureHeadersMiddlewareExtensions
.BuildDefaultConfiguration()
);to:
app.UseSecureHeadersMiddleware();This version adds the Cross-Origin-Resource-Policy header with the OWASP recommended value "same-origin" to the list of default headers in the BuildDefaultConfiguration() extension method. This was requested via issue #76.
This version removes Expect-CT Header from the list of default headers in the BuildDefaultConfiguration() extension method. This is related to issue #72.
All code which generates the header and it's value are still present, but it is removed from the defaults. Please see the above referenced issue for details.
This version of the repo ensure that the XSS Protection header (which was removed from the list of defaults in Version 4) is simplified down to the only recommended value (i.e. "0"), so that if a consumer enables XSS Protection they will only get the one possible value.
This is related to guidance by MDN and by OWASP:
Warning: The X-XSS-Protection header has been deprecated by modern browsers and its use can introduce additional security issues on the client side. As such, it is recommended to set the header as X-XSS-Protection: 0 in order to disable the XSS Auditor, and not allow it to take the default behavior of the browser handling the response. Please use Content-Security-Policy instead.
This version of the repo removed the XSS Protection Header from the list of default headers in the BuildDefaultConfiguration() extension method. This is related to issue #44.
It was noticed that the server: header was not removed (this is defaulted to server: kestrel when running locally). Removal of this header was added when the RemovePoweredByHeader option (in the SecureHeadersMiddlewareBuilder) was chosen.
It was requested that a Content-Security-Policy-Report-Only header could be added. This header was added in version 4.0.2 of the library.
The beginnings of the Cache-Control header were added via a PR. This PR was sent in via GitHub user mkokabi.
It was pointed out that the Cache-Control header PR was incomplete, and caused production systems to begin caching responses which should not have been cached. This version brings in a configuration for the Cache-Control header which allows the user to add the following directives:
no-cacheno-storemust-revalidate
These directives are added when building the configuration:
return SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts()
.UseXFrameOptions()
.UseContentTypeOptions()
.UseContentDefaultSecurityPolicy()
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.UseCacheControl() // <- this line
.UseExpectCt(string.Empty, enforce: true)
.RemovePoweredByHeader()
.Build();The above directives are added via bools. For example, in order to add the no-cache header, you need to alter the call to UseCacheControl() to look like UseCacheControl(noCache: true).
This version of the repo removed the dependency on .NET Core 2.0, and replaced it with a dependency on .NET Standard 2.0 (via the netstandard2.0 Target Framework Moniker), and the version of the Microsoft.AspNetCore.Http.Abstractions was upped to version 2.1.1
This version of the repo was also changed to use the Builder Pattern for creating an instance of the SecureHeadersMiddlewareConfiguration class. This decision was taken because the configuration should be a build-time decision, rather than a runtime one. As such, a default builder was created for the SecureHeadersMiddlewareConfiguration class, which could be generated by calling the following:
app.UseSecureHeadersMiddleware(SecureHeadersMiddlewareExtensions.BuildDefaultConfiguration());within the Startup class. This would call the following method:
public static SecureHeadersMiddlewareConfiguration BuildDefaultConfiguration()
{
return SecureHeadersMiddlewareBuilder
.CreateBuilder()
.UseHsts()
.UseXFrameOptions()
.UseXSSProtection()
.UseContentTypeOptions()
.UseContentDefaultSecurityPolicy()
.UsePermittedCrossDomainPolicies()
.UseReferrerPolicy()
.Build();
}The CspCommandType enum was added, and consumed when creating Content Security Policy directives. This greatly simplifies the creation of Content Security policy directives, as the previous versions of the library used hard coded rules to decide whether a CSP rule was a directive (e.g. 'self') or a URL.
Also included where various changes in the placement of semi-colon characters (i.e. ';') within the hard coded string values for certain headers. These are replaced with a single semi-colon which is appended to the header at the very end of rendering it's value.
This version fixed casing based typos to the XFrameOptions enum. It also fixed case based typos in the rendered values for the X-Frame-Options header value (i.e. sameorigin was replaced with SOMEORIGIN)
Added support for removing the X-Powered-By header value. This required the creation of an extension method called TryRemoveHeader, which would return true/false based on whether the header was present and could be removed. This was also added to the default configuration by adding a call to RemovePoweredByHeader() to the default config builder.
This version fixed a typo-based issue which was created during the 3.0.0.3 changes: namely XFrameOptions.Sameorigin was rendering as SOMEORIGIN. This was changed to SAMEORIGIN in this version.
An SVG logo was added to the project, ready to be consumed in the NuSpec file.
Support for the Expect-CT header was added - as per this issue. The addition of this header was exposed via an extension method called UseExpectCt() which can be called when building the configuration object.
Removed the explicit dependency on the Microsoft.AspNetcore.All metapackage - as per this issue. This change required taking a direct dependency on the Microsoft.AspNetCore.Http.Abstractions package (which is what the metapackage was supplying).
This version of the repo continued to use the secureHeaderSettings.json, which was consumed in the Startup class. However, this version of the repo has an explicit dependency on .NET Core 2.0 (it uses the netcoreapp2.0 Target Framework Moniker), and Microsoft.AspNetCore.Http.Abstractions version 2.0.0.
The initial version of the repo relied on the presence of .NET Standard 1.0 and Microsoft.AspNetCore.Http.Abstractions version 1.1.1.
The initial version of the repo used a file called secureHeaderSettings.json which took the following format:
{
"SecureHeadersMiddlewareConfiguration": {
"UseHsts": "true",
"HstsConfiguration": {
"MaxAge": 42,
"IncludeSubDomains": "true"
},
"UseHpkp": "true",
"HPKPConfiguration" :{
"PinSha256" : [
"e927fad33f9eb96126896413502a1034be0ca379dec377fb891feb9ebc720e47"
],
"MaxAge": 3,
"IncludeSubDomains": "true",
"ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
},
"UseXFrameOptions": "true",
"XFrameOptionsConfiguration": {
"OptionValue": "allowfrom",
"AllowFromDomain": "com.gaprogman.dotnetcore"
},
"UseXssProtection": "true",
"XssConfiguration": {
"XssSetting": "oneReport",
"ReportUri": "https://github.com/GaProgMan/OwaspHeaders.Core"
},
"UseXContentTypeOptions": "true",
"UseContentSecurityPolicy": "true",
"ContentSecurityPolicyConfiguration": {
"BlockAllMixedContent": "true",
"UpgradeInsecureRequests": "true"
}
}
}This was read and used to construct an instance of the SecureHeadersMiddlewareConfiguration class (which represented the values used to render the secure headers) at runtime.
The json file containing the configuration was loaded in the Startup class in the following manner:
public Startup(IHostingEnvironment env)
{
var builder = new ConfigurationBuilder()
.SetBasePath(env.ContentRootPath)
.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
.AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true)
.AddJsonFile("secureHeaderSettings.json", optional:true, reloadOnChange: true)
.AddEnvironmentVariables();
Configuration = builder.Build();
}As the code used the default configuration builder, changing the contents of the secureHeaderSettings.json would force the consuming application to reboot. This would mean that requests which were being dealt with could be destroyed, and responses never generated for them.