v1.0.0

@github-actions github-actions released this 01 Apr 20:21
· 6 commits to main since this release
45ae5d5

Changes in 1.0.0

This marks the first major release of NetEscapades.AspNetCore.SecurityHeaders. For simplicity, all the changes since 0.24.0 are included below.

Breaking Changes:

  • Drop support for .NET Standard 2.0, raising the minimum framework to .NET Core 3.1 #167, #171
  • Removed "document header" functionality, in favour of always adding all headers #186
  • Remove X-XSS-Protection from default headers and mark obsolete #168
  • Add cross-origin-opener-policy: same-origin to default headers #184
  • Mark Feature-Policy as obsolete #187
  • Mark Expect-CT as obsolete #197
  • Make nonce generation lazy on call to HttpContext.GetNonce() #198
  • Remove ambient-light-sensor=() from DefaultSecureDirectives() for permissions policy #203 (Thanks @damienbod!)
  • Update COOP, COEP, and CORP for AddDefaultSecurityHeaders() and AddDefaultApiSecurityHeaders() #204 (Thanks @damienbod!)
  • Remove obsolete APIs (#217)

Features:

  • Allow configuring "named" policies, and applying different policies to different endpoints #172, #173, #185
  • Allow customizing the HeaderPolicyCollection just before it is applied, customizing per request #174, #185
  • Make adding directives to Content-Security-Policy idempotent to avoid duplicates #169
  • Add AddDefaultApiSecurityHeaders() for adding default headers to APIs #183, #184
  • Add AddPermissionsPolicyWithRecommendedDirectives() and PermissionsPolicyBuilder.AddDefaultSecureDirectives() for adding secure Permissions-Policy directives in bulk #183, #184
  • NetEscapades.AspNetCore.SecurityHeaders now has an icon, thanks @khalidabuhakmeh! #195
  • Allow accessing an IServiceProvider when configuring a SecurityHeaderPolicyBuilder #200
  • Add support for Trusted Types to Content-Security-Policy (#216, #218)

Build updates:

  • Allow building from forks #232
  • Fix release generation #231, #235, #236
  • Fix recording test results #221
  • Define version in the build project instead #223
  • Generate SBOM #222
  • Generate SBOM attestation #224
  • Generate artifact provenance attestation #225
  • Automatically create releases #229
  • Fix incorrect dependency on obsolete Microsoft.AspNetCore.Mvc.Razor package #205 (Thanks @trejjam)
  • Update documentation #214 (Thanks @schwastek)

Changes from 1.0.0-preview.4 to 1.0.0:


All NuGet packages are available on https://www.nuget.org. You can view the build provenance attestation
for the NuGet packages here.

The Software Bill of Materials (SBOM) is available for each package in CycloneDX format. View the provenance
attestations for the SBOMs here:

Note

You cannot assert the provenance of the .nupkg packages downloaded from nuget.org directly. First, you
must remove the .signature.p7s file, as described here.