Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump OwaspHeaders.Core from 9.0.1 to 9.7.2 #493

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Bump OwaspHeaders.Core from 9.0.1 to 9.7.2 #493

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 31, 2024

Bumps OwaspHeaders.Core from 9.0.1 to 9.7.2.

Release notes

Sourced from OwaspHeaders.Core's releases.

Improved memory footprint and execution speed of middleware's Invoke method

By leveraging an in-memory dictionary which we populate on the first run through the Invoke method, we can drastically speed up the execution speed whilst reducing the memory footprint of the middleware class.

Also included are a number of changes to the documentation site.

What's Changed

New Contributors

Full Changelog: GaProgMan/OwaspHeaders.Core@v9.1.0...v9.6.0

Removed X-Powered-By tag

Summary

It's not possible for ASP .NET Core to remove the X-Powered-By header. As such, even though the OWASP Secure Headers project recommends removing it, OwaspHeaders.Core no longer attempts to remove it.

This is because ASP .NET Core cannot remove this header, as it's set at the reverse proxy level. A solution has been provided in the Server Header: A Warning section of the readme and package documentation.

What's Changed

... (truncated)

Changelog

Sourced from OwaspHeaders.Core's changelog.

Changelog

This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to AppVeyor. Because of this, the releases on the GitHub repo became stale.

TL;DR

Major Version Number Changes
9 Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. A number of small optimisation have been made to the middleware's Invoke method Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers
8 Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes
7 Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs
6 Removes Expect-CT Header from the list of default headers
5 XSS Protection is now hard-coded to return "0" if enabled
4 Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class uses .NET Standard 2.0 Removed XSS Protection header from defaults
3 Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 2.0
2 Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Core 2.0
1 Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 1.4

Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the GitHub repo now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

Verison 9.7.x

This version saw the addition of both the Cross-Origin-Opener-Policy (COEP) and Cross-Origin-Embedder-Policy (COEP) headers; bringing the total number of supported headers to 83% complete (or 10 of the 12 recommended headers and values).

Version 9.6.x

This version saw the addition of a number of very small changes to the middleware's Invoke method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.

Version 9.5.x

This version saw the addition of attestation generation on both a per PR-build and Release basis. See the Attestations page of the documentation to read about how you can verify the attestations per build or release.

Version 9.2.x

A number of small optimisations for generating HTTP header values have been made. There are also new Guard clauses in place to protect from a number of null or null/whitespace issues. All using statements have been cleaned up, with a large number placed in relevant global usings files.

BREAKING CHANGE: Removal of the X-Powered-By header has been completely removed in this version. The reason for this is that the X-Powered-By header is included by the reverse proxy, which ASP .NET Core has no control over. See the section in the Readme labelled "Server Header: A Warning" for details on how to remove this header.

Version 9.1.x

The max-age value for the Strict-Transport-Security (HSTS) header was updated to the OWASP recommended value of 31536000 (365 days).

Version 8

This version dropped support for support for ASP .NET Core on .NET Framework workflows. This means that, from version 8 onwards, this package will no longer with with .NET Framework workloads. This decision was made as Microsoft have dropped support for ASP .NET Core on .NET Framework workloads. This can be seen in the ASP .NET Core support documentation here

{: .note }

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump OwaspHeaders.Core from 9.0.1 to 9.7.2
575a0a6 
Bumps [OwaspHeaders.Core](https://github.com/GaProgMan/OwaspHeaders.Core) from 9.0.1 to 9.7.2.
- [Release notes](https://github.com/GaProgMan/OwaspHeaders.Core/releases)
- [Changelog](https://github.com/GaProgMan/OwaspHeaders.Core/blob/main/docs/changelog.md)
- [Commits](https://github.com/GaProgMan/OwaspHeaders.Core/commits)

---
updated-dependencies:
- dependency-name: OwaspHeaders.Core
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependabot PR raised by Dependabot nuget Dependabot change related to Nuget Packages labels Dec 31, 2024
@dependabot dependabot bot mentioned this pull request Dec 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependabot PR raised by Dependabot nuget Dependabot change related to Nuget Packages
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants