Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump OwaspHeaders.Core from 9.0.1 to 9.3.0 #481

Closed
wants to merge 1 commit into from
Closed

Bump OwaspHeaders.Core from 9.0.1 to 9.3.0 #481

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Dec 3, 2024

Bumps OwaspHeaders.Core from 9.0.1 to 9.3.0.

Release notes

Sourced from OwaspHeaders.Core's releases.

Removed X-Powered-By tag

Summary

It's not possible for ASP .NET Core to remove the X-Powered-By header. As such, even though the OWASP Secure Headers project recommends removing it, OwaspHeaders.Core no longer attempts to remove it.

This is because ASP .NET Core cannot remove this header, as it's set at the reverse proxy level. A solution has been provided in the Server Header: A Warning section of the readme and package documentation.

What's Changed

Full Changelog: GaProgMan/OwaspHeaders.Core@v9.1.0...v9.2.0

Correct max-age value for HSTS header

Summary

At some point recently, the default value for the Strict-Transport-Security (aka HSTS) header was changed from 63072000 (730 days) to 31536000 (365 days). This release fixes that oversight.

What's Changed

Full Changelog: GaProgMan/OwaspHeaders.Core@v9.0.0...v9.1.0

.NET Framework final version

Summary

... (truncated)

Changelog

Sourced from OwaspHeaders.Core's changelog.

title: Changelog layout: page nav_order: 10

Changelog

This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to AppVeyor. Because of this, the releases on the GitHub repo became stale.

TL;DR

Major Version Number Changes
9 Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9.
8 Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes
7 Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs
6 Removes Expect-CT Header from the list of default headers
5 XSS Protection is now hard-coded to return "0" if enabled
4 Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class uses .NET Standard 2.0 Removed XSS Protection header from defaults
3 Uses builder pattern to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 2.0
2 Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Core 2.0
1 Uses secureHeaderSettings.json and default config loader to create instances of SecureHeadersMiddlewareConfiguration class also uses .NET Standard 1.4

Version 9

This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9.

All projects in the GitHub repo now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.

Version 9.2.x

A number of small optimisations for generating HTTP header values have been made. There are also new Guard clauses in place to protect from a number of null or null/whitespace issues. All using statements have been cleaned up, with a large number placed in relevant global usings files.

BREAKING CHANGE: Removal of the X-Powered-By header has been completely removed in this version. The reason for this is that the X-Powered-By header is included by the reverse proxy, which ASP .NET Core has no control over. See the section in the Readme labelled "Server Header: A Warning" for details on how to remove this header.

Version 9.1.x

The max-age value for the Strict-Transport-Security (HSTS) header was updated to the OWASP recommended value of 31536000 (365 days).

Version 8

This version dropped support for support for ASP .NET Core on .NET Framework workflows. This means that, from version 8 onwards, this package will no longer with with .NET Framework workloads. This decision was made as Microsoft have dropped support for ASP .NET Core on .NET Framework workloads. This can be seen in the ASP .NET Core support documentation here

{: .note }

To help facilitate migrating applications to ASP.NET Core on .NET Core, the specified ASP.NET Core 2.1 packages (latest patched version only) will be supported on the .NET Framework and follow the support cycle for those .NET Framework versions. ASP.NET Core 2.1 is defined as "Tools" in the Microsoft Support Lifecycle Policy

Source: https://dotnet.microsoft.com/en-us/platform/support/policy/aspnet#dotnet-core, obtained Oct 19th, 2024.

The Example and Tests csproj files (and directories) have been renamed to make the standard OwaspHeaders.Core.{x} where {x} is either Example (for the ASP .NET Core application which provides an example implementation) or Tests for the unit tests project.

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump OwaspHeaders.Core from 9.0.1 to 9.3.0
67310ef 
Bumps [OwaspHeaders.Core](https://github.com/GaProgMan/OwaspHeaders.Core) from 9.0.1 to 9.3.0.
- [Release notes](https://github.com/GaProgMan/OwaspHeaders.Core/releases)
- [Changelog](https://github.com/GaProgMan/OwaspHeaders.Core/blob/main/docs/changelog.md)
- [Commits](https://github.com/GaProgMan/OwaspHeaders.Core/commits)

---
updated-dependencies:
- dependency-name: OwaspHeaders.Core
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependabot PR raised by Dependabot nuget Dependabot change related to Nuget Packages labels Dec 3, 2024
@dependabot dependabot bot mentioned this pull request Dec 3, 2024
Closed
@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Dec 4, 2024

Superseded by #483.

@dependabot dependabot bot closed this Dec 4, 2024
@dependabot dependabot bot deleted the dependabot/nuget/OwaspHeaders.Core-9.3.0 branch December 4, 2024 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependabot PR raised by Dependabot nuget Dependabot change related to Nuget Packages
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants