Skip to content

Commit a2ed26f

Browse files
Merge branch 'GaProgMan:main' into bugfix/coep-default-header-value
2 parents 5659251 + b3ea240 commit a2ed26f

3 files changed

Lines changed: 22 additions & 2 deletions

File tree

.github/workflows/pages.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -65,6 +65,9 @@ jobs:
6565
url: ${{ steps.deployment.outputs.page_url }}
6666
runs-on: ubuntu-latest
6767
needs: build
68+
permissions:
69+
pages: write
70+
id-token: write
6871
steps:
6972
- name: Deploy to GitHub Pages
7073
id: deployment

.github/workflows/sync-changelog.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ jobs:
1515
sync-changelog:
1616
runs-on: ubuntu-latest
1717
name: Sync root changelog to docs changelog
18-
18+
1919
steps:
2020
- name: Checkout code
2121
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

docs/changelog.md

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ This changelog represents all the major (i.e. breaking) changes made to the Owas
1111

1212
| Major Version Number | Changes |
1313
|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
14-
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers <br/> Increased documentation coverage for Content-Security-Policy directive generation |
14+
| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. <br /> A number of small optimisation have been made to the middleware's `Invoke` method <br /> Added support for both Cross-Origin-Opener-Policy (CORP) and Cross-Origin-Embedder-Policy (COEP) headers <br /> Added support for Clear-Site-Data header with path-specific configuration for logout scenarios <br/> Increased documentation coverage for Content-Security-Policy directive generation |
1515
| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes |
1616
| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplified the use of the middleware in Composite Root/Program.cs |
1717
| 6 | Removes Expect-CT Header from the list of default headers |
@@ -27,6 +27,23 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
2727

2828
All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
2929

30+
#### Version 9.9.x
31+
32+
This version adds support for the Clear-Site-Data HTTP header, addressing issue #32 and implementing the OWASP Secure Headers Project recommendation. The Clear-Site-Data header instructs browsers to clear client-side data (cache, cookies, storage) for specific paths, which is particularly important for logout endpoints to ensure complete session termination and prevent session hijacking.
33+
34+
**New Features:**
35+
36+
- Clear-Site-Data header support with path-specific configuration
37+
- OWASP recommended default values (`"cache","cookies","storage"`)
38+
- Support for all standard directives: "cache", "cookies", "storage", "executionContexts", and wildcard "*"
39+
- Enum-based type safety with `ClearSiteDataOptions`
40+
- Path-specific customization of which data types to clear
41+
- Integration with existing middleware builder pattern
42+
- Comprehensive documentation and examples for logout scenarios
43+
- Full backward compatibility with existing configurations
44+
45+
See the [Clear-Site-Data documentation](https://gaprogman.github.io/OwaspHeaders.Core/configuration/Clear-Site-Data/) for detailed configuration options and examples.
46+
3047
#### Version 9.8.x
3148

3249
This version introduces comprehensive logging support via the `ILogger<SecureHeadersMiddleware>` interface, following Andrew Lock's high-performance logging best practices. The logging functionality provides visibility into middleware operations, helping developers troubleshoot configuration issues and monitor security header application.

0 commit comments

Comments
 (0)