diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml index 358336e..d5e9f5d 100644 --- a/.github/workflows/dotnet.yml +++ b/.github/workflows/dotnet.yml @@ -43,10 +43,10 @@ jobs: - name: Setup .NET Core uses: actions/setup-dotnet@v4 with: - dotnet-version: '6.0.x' + dotnet-version: '9.0.x' - name: Install dependencies - run: dotnet restore + run: dotnet restore --locked-mode - name: Build run: dotnet build --configuration Release --no-restore diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0e37c4f..d893b08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,10 +21,10 @@ jobs: - name: Setup .NET Core uses: actions/setup-dotnet@v4 with: - dotnet-version: '6.0.x' + dotnet-version: '9.0.x' - name: Install dependencies - run: dotnet restore + run: dotnet restore --locked-mode - name: Build run: dotnet build --configuration Release --no-restore diff --git a/OwaspHeaders.Core.Example/Controllers/HomeController.cs b/OwaspHeaders.Core.Example/Controllers/HomeController.cs index d940fb6..b31e755 100644 --- a/OwaspHeaders.Core.Example/Controllers/HomeController.cs +++ b/OwaspHeaders.Core.Example/Controllers/HomeController.cs 
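Review bot: Both workflow hunks (dotnet.yml here, and the identical change in release.yml) now install only the 9.0.x SDK, while the test and example projects in this same commit target `net8.0;net9.0`. The 9 SDK can compile the net8.0 target, but executing a net8.0 test assembly needs the .NET 8 runtime, so any test step outside this hunk would depend on whatever the runner image happens to preinstall. Listing both versions makes that explicit: `dotnet-version: |` followed by `8.0.x` and `9.0.x` on their own lines. Since `--locked-mode` is added to make restores reproducible, pinning `actions/setup-dotnet` to a full commit SHA instead of the mutable `@v4` tag would apply the same discipline to the action that installs the toolchain.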
@@ -1,21 +1,16 @@
-using Microsoft.AspNetCore.Mvc;
-
-namespace OwaspHeaders.Core.Example.Controllers;
-
-[ApiController]
-[Route("/")]
-public class HomeController : ControllerBase
-{
- private readonly ILogger _logger;
-
- public HomeController(ILogger logger)
- {
- _logger = logger;
- }
-
- [HttpGet(Name = "/")]
- public IEnumerable Get()
- {
- return HttpContext.Response.Headers.Select(h => h.ToString()).ToArray();
- }
-}
+using Microsoft.AspNetCore.Mvc;
+
+namespace OwaspHeaders.Core.Example.Controllers;
+
+[ApiController]
+[Route("/")]
+public class HomeController(ILogger logger) : ControllerBase
+{
+ private readonly ILogger _logger = logger;
+
+[HttpGet(Name = "/")]
+public IEnumerable Get()
+{
+ return HttpContext.Response.Headers.Select(h => h.ToString()).ToArray();
+}
+}
diff --git a/OwaspHeaders.Core.Example/OwaspHeaders.Core.Example.csproj b/OwaspHeaders.Core.Example/OwaspHeaders.Core.Example.csproj
index 110993a..e02aaac 100644
--- a/OwaspHeaders.Core.Example/OwaspHeaders.Core.Example.csproj
+++ b/OwaspHeaders.Core.Example/OwaspHeaders.Core.Example.csproj
@@ -1,15 +1,19 @@
-
-
-
- net6.0
- enable
- enable
-
-
-
-
-
-
-
-
-
+
+
+
+ net8.0;net9.0
+ enable
+ enable
+ true
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/OwaspHeaders.Core.Example/Program.cs b/OwaspHeaders.Core.Example/Program.cs
index 4ed2a19..f484384 100644
--- a/OwaspHeaders.Core.Example/Program.cs
+++ b/OwaspHeaders.Core.Example/Program.cs
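Review bot: In HomeController.cs the `[HttpGet(Name = "/")]` attribute and the `Get()` method now start at column 0 inside the class body while the field above them is still indented, so the primary-constructor refactor appears to have dropped the member indentation; running `dotnet format` should restore it. The `_logger` field is never read anywhere in the visible file, so with a primary constructor it can simply be removed until something actually logs. No authorization attribute is visible on the controller and `Get()` returns every response header present at action time, so a `/// <summary>` on the action stating that it exists only to demonstrate the middleware's output in the example project would stop readers from treating it as a pattern for a real service.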
@@ -1,29 +1,29 @@
-using OwaspHeaders.Core.Extensions;
-
-var builder = WebApplication.CreateBuilder(args);
-
-// Add services to the container.
-
-builder.Services.AddControllers();
-// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
-builder.Services.AddEndpointsApiExplorer();
-builder.Services.AddSwaggerGen();
-
-var app = builder.Build();
-
-// Configure the HTTP request pipeline.
-if (app.Environment.IsDevelopment())
-{
- app.UseSwagger();
- app.UseSwaggerUI();
-}
-
-app.UseHttpsRedirection();
-
-app.UseAuthorization();
-
-app.UseSecureHeadersMiddleware();
-
-app.MapControllers();
-
-app.Run();
+using OwaspHeaders.Core.Extensions;
+
+var builder = WebApplication.CreateBuilder(args);
+
+// Add services to the container.
+
+builder.Services.AddControllers();
+// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
+builder.Services.AddEndpointsApiExplorer();
+builder.Services.AddSwaggerGen();
+
+var app = builder.Build();
+
+// Configure the HTTP request pipeline.
+if (app.Environment.IsDevelopment())
+{
+ app.UseSwagger();
+ app.UseSwaggerUI();
+}
+
+app.UseHttpsRedirection();
+
+app.UseAuthorization();
+
+app.UseSecureHeadersMiddleware();
+
+app.MapControllers();
+
+app.Run();
diff --git a/OwaspHeaders.Core.Example/Properties/launchSettings.json b/OwaspHeaders.Core.Example/Properties/launchSettings.json
index a8bac65..97b8bf2 100644
--- a/OwaspHeaders.Core.Example/Properties/launchSettings.json
+++ b/OwaspHeaders.Core.Example/Properties/launchSettings.json
@@ -1,31 +1,41 @@
-{
- "$schema": "https://json.schemastore.org/launchsettings.json",
- "iisSettings": {
- "windowsAuthentication": false,
- "anonymousAuthentication": true,
- "iisExpress": {
- "applicationUrl": "http://localhost:24885",
- "sslPort": 44362
- }
- },
- "profiles": {
- "example": {
- "commandName": "Project",
- "dotnetRunMessages": true,
- "launchBrowser": true,
- "launchUrl": "swagger",
- "applicationUrl": "https://localhost:7001;http://localhost:5265",
- "environmentVariables": {
- "ASPNETCORE_ENVIRONMENT": "Development"
- }
- },
- "IIS Express": {
- "commandName": "IISExpress",
- "launchBrowser": true,
- "launchUrl": "swagger",
- "environmentVariables": {
- "ASPNETCORE_ENVIRONMENT": "Development"
- }
- }
- }
-}
+{
+ "$schema": "https://json.schemastore.org/launchsettings.json",
+ "iisSettings": {
+ "windowsAuthentication": false,
+ "anonymousAuthentication": true,
+ "iisExpress": {
+ "applicationUrl": "http://localhost:39531",
+ "sslPort": 44308
+ }
+ },
+ "profiles": {
+ "http": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": true,
+ "launchUrl": "swagger",
+ "applicationUrl": "http://localhost:5231",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "https": {
+ "commandName": "Project",
+ "dotnetRunMessages": true,
+ "launchBrowser": true,
+ "launchUrl": "swagger",
+ "applicationUrl": "https://localhost:7090;http://localhost:5231",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ },
+ "IIS Express": {
+ "commandName": "IISExpress",
+ "launchBrowser": true,
+ "launchUrl": "swagger",
+ "environmentVariables": {
+ "ASPNETCORE_ENVIRONMENT": "Development"
+ }
+ }
+ }
+}
diff --git a/OwaspHeaders.Core.Example/appsettings.Development.json b/OwaspHeaders.Core.Example/appsettings.Development.json
index ff66ba6..0c208ae 100644
--- a/OwaspHeaders.Core.Example/appsettings.Development.json
+++ b/OwaspHeaders.Core.Example/appsettings.Development.json
@@ -1,8 +1,8 @@
-{
- "Logging": {
- "LogLevel": {
- "Default": "Information",
- "Microsoft.AspNetCore": "Warning"
- }
- }
-}
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning"
+ }
+ }
+}
diff --git a/OwaspHeaders.Core.Example/appsettings.json b/OwaspHeaders.Core.Example/appsettings.json
index 4d56694..10f68b8 100644
--- a/OwaspHeaders.Core.Example/appsettings.json
+++ b/OwaspHeaders.Core.Example/appsettings.json
@@ -1,9 +1,9 @@
-{
- "Logging": {
- "LogLevel": {
- "Default": "Information",
- "Microsoft.AspNetCore": "Warning"
- }
- },
- "AllowedHosts": "*"
-}
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft.AspNetCore": "Warning"
+ }
+ },
+ "AllowedHosts": "*"
+}
diff --git a/OwaspHeaders.Core.Example/packages.lock.json b/OwaspHeaders.Core.Example/packages.lock.json
new file mode 100644
index 0000000..f66d5a1
--- /dev/null
+++ b/OwaspHeaders.Core.Example/packages.lock.json
@@ -0,0 +1,119 @@ +{ + "version": 1, + "dependencies": { + "net8.0": { + "Microsoft.AspNetCore.OpenApi": { + "type": "Direct", + "requested": "[7.0.0, )", + "resolved": "7.0.0", + "contentHash": "P1mkNhZ3IwU3phNLIUkgqVXb1exnooTalIYwpSON3oKKkcRtACDgS4WpO+xnwFw4KzV0bmgkUqB3acXxIefvvg==", + "dependencies": { + "Microsoft.OpenApi": "1.4.3" + } + }, + "Swashbuckle.AspNetCore": { + "type": "Direct", + "requested": "[6.4.0, )", + "resolved": "6.4.0", + "contentHash": "eUBr4TW0up6oKDA5Xwkul289uqSMgY0xGN4pnbOIBqCcN9VKGGaPvHX3vWaG/hvocfGDP+MGzMA0bBBKz2fkmQ==", + "dependencies": { + "Microsoft.Extensions.ApiDescription.Server": "6.0.5", + "Swashbuckle.AspNetCore.Swagger": "6.4.0", + "Swashbuckle.AspNetCore.SwaggerGen": "6.4.0", + "Swashbuckle.AspNetCore.SwaggerUI": "6.4.0" + } + }, + "Microsoft.Extensions.ApiDescription.Server": { + "type": "Transitive", + "resolved": "6.0.5", + "contentHash": "Ckb5EDBUNJdFWyajfXzUIMRkhf52fHZOQuuZg/oiu8y7zDCVwD0iHhew6MnThjHmevanpxL3f5ci2TtHQEN6bw==" + }, + "Microsoft.OpenApi": { + "type": "Transitive", + "resolved": "1.4.3", + "contentHash": "rURwggB+QZYcSVbDr7HSdhw/FELvMlriW10OeOzjPT7pstefMo7IThhtNtDudxbXhW+lj0NfX72Ka5EDsG8x6w==" + }, + "Swashbuckle.AspNetCore.Swagger": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "nl4SBgGM+cmthUcpwO/w1lUjevdDHAqRvfUoe4Xp/Uvuzt9mzGUwyFCqa3ODBAcZYBiFoKvrYwz0rabslJvSmQ==", + "dependencies": { + "Microsoft.OpenApi": "1.2.3" + } + }, + "Swashbuckle.AspNetCore.SwaggerGen": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "lXhcUBVqKrPFAQF7e/ZeDfb5PMgE8n5t6L5B6/BQSpiwxgHzmBcx8Msu42zLYFTvR5PIqE9Q9lZvSQAcwCxJjw==", + "dependencies": { + "Swashbuckle.AspNetCore.Swagger": "6.4.0" + } + }, + "Swashbuckle.AspNetCore.SwaggerUI": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "1Hh3atb3pi8c+v7n4/3N80Jj8RvLOXgWxzix6w3OZhB7zBGRwsy7FWr4e3hwgPweSBpwfElqj4V4nkjYabH9nQ==" + }, + "owaspheaders.core": { + "type": "Project" + } + }, + "net9.0": { + 
"Microsoft.AspNetCore.OpenApi": { + "type": "Direct", + "requested": "[7.0.0, )", + "resolved": "7.0.0", + "contentHash": "P1mkNhZ3IwU3phNLIUkgqVXb1exnooTalIYwpSON3oKKkcRtACDgS4WpO+xnwFw4KzV0bmgkUqB3acXxIefvvg==", + "dependencies": { + "Microsoft.OpenApi": "1.4.3" + } + }, + "Swashbuckle.AspNetCore": { + "type": "Direct", + "requested": "[6.4.0, )", + "resolved": "6.4.0", + "contentHash": "eUBr4TW0up6oKDA5Xwkul289uqSMgY0xGN4pnbOIBqCcN9VKGGaPvHX3vWaG/hvocfGDP+MGzMA0bBBKz2fkmQ==", + "dependencies": { + "Microsoft.Extensions.ApiDescription.Server": "6.0.5", + "Swashbuckle.AspNetCore.Swagger": "6.4.0", + "Swashbuckle.AspNetCore.SwaggerGen": "6.4.0", + "Swashbuckle.AspNetCore.SwaggerUI": "6.4.0" + } + }, + "Microsoft.Extensions.ApiDescription.Server": { + "type": "Transitive", + "resolved": "6.0.5", + "contentHash": "Ckb5EDBUNJdFWyajfXzUIMRkhf52fHZOQuuZg/oiu8y7zDCVwD0iHhew6MnThjHmevanpxL3f5ci2TtHQEN6bw==" + }, + "Microsoft.OpenApi": { + "type": "Transitive", + "resolved": "1.4.3", + "contentHash": "rURwggB+QZYcSVbDr7HSdhw/FELvMlriW10OeOzjPT7pstefMo7IThhtNtDudxbXhW+lj0NfX72Ka5EDsG8x6w==" + }, + "Swashbuckle.AspNetCore.Swagger": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "nl4SBgGM+cmthUcpwO/w1lUjevdDHAqRvfUoe4Xp/Uvuzt9mzGUwyFCqa3ODBAcZYBiFoKvrYwz0rabslJvSmQ==", + "dependencies": { + "Microsoft.OpenApi": "1.2.3" + } + }, + "Swashbuckle.AspNetCore.SwaggerGen": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "lXhcUBVqKrPFAQF7e/ZeDfb5PMgE8n5t6L5B6/BQSpiwxgHzmBcx8Msu42zLYFTvR5PIqE9Q9lZvSQAcwCxJjw==", + "dependencies": { + "Swashbuckle.AspNetCore.Swagger": "6.4.0" + } + }, + "Swashbuckle.AspNetCore.SwaggerUI": { + "type": "Transitive", + "resolved": "6.4.0", + "contentHash": "1Hh3atb3pi8c+v7n4/3N80Jj8RvLOXgWxzix6w3OZhB7zBGRwsy7FWr4e3hwgPweSBpwfElqj4V4nkjYabH9nQ==" + }, + "owaspheaders.core": { + "type": "Project" + } + } + } +} \ No newline at end of file 
diff --git a/OwaspHeaders.Core.Tests/OwaspHeaders.Core.Tests.csproj b/OwaspHeaders.Core.Tests/OwaspHeaders.Core.Tests.csproj index 090259f..d57417b 100644 --- a/OwaspHeaders.Core.Tests/OwaspHeaders.Core.Tests.csproj +++ b/OwaspHeaders.Core.Tests/OwaspHeaders.Core.Tests.csproj @@ -1,15 +1,18 @@  + A Unit Test project (using xunit) for the OwaspHeaders.Core project - 8.0.0 + 9.0.0 Jamie Taylor OwaspHeaders.Core.Tests - net6.0;net7.0;net8.0 + net8.0;net9.0 + true + - - - + + + all runtime; build; native; contentfiles; analyzers @@ -17,8 +20,10 @@ + - + + \ No newline at end of file diff --git a/OwaspHeaders.Core.Tests/packages.lock.json b/OwaspHeaders.Core.Tests/packages.lock.json new file mode 100644 index 0000000..2da5e42 --- /dev/null +++ b/OwaspHeaders.Core.Tests/packages.lock.json 
@@ -0,0 +1,213 @@ +{ + "version": 1, + "dependencies": { + "net8.0": { + "Microsoft.NET.Test.Sdk": { + "type": "Direct", + "requested": "[17.12.0, )", + "resolved": "17.12.0", + "contentHash": "kt/PKBZ91rFCWxVIJZSgVLk+YR+4KxTuHf799ho8WNiK5ZQpJNAEZCAWX86vcKrs+DiYjiibpYKdGZP6+/N17w==", + "dependencies": { + "Microsoft.CodeCoverage": "17.12.0", + "Microsoft.TestPlatform.TestHost": "17.12.0" + } + }, + "xunit": { + "type": "Direct", + "requested": "[2.9.2, )", + "resolved": "2.9.2", + "contentHash": "7LhFS2N9Z6Xgg8aE5lY95cneYivRMfRI8v+4PATa4S64D5Z/Plkg0qa8dTRHSiGRgVZ/CL2gEfJDE5AUhOX+2Q==", + "dependencies": { + "xunit.analyzers": "1.16.0", + "xunit.assert": "2.9.2", + "xunit.core": "[2.9.2]" + } + }, + "xunit.runner.visualstudio": { + "type": "Direct", + "requested": "[2.8.2, )", + "resolved": "2.8.2", + "contentHash": "vm1tbfXhFmjFMUmS4M0J0ASXz3/U5XvXBa6DOQUL3fEz4Vt6YPhv+ESCarx6M6D+9kJkJYZKCNvJMas1+nVfmQ==" + }, + "Microsoft.CodeCoverage": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "4svMznBd5JM21JIG2xZKGNanAHNXplxf/kQDFfLHXQ3OnpJkayRK/TjacFjA+EYmoyuNXHo/sOETEfcYtAzIrA==" + }, + "Microsoft.TestPlatform.ObjectModel": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "TDqkTKLfQuAaPcEb3pDDWnh7b3SyZF+/W9OZvWFp6eJCIiiYFdSB6taE2I6tWrFw5ywhzOb6sreoGJTI6m3rSQ==", + "dependencies": { + "System.Reflection.Metadata": "1.6.0" + } + }, + "Microsoft.TestPlatform.TestHost": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "MiPEJQNyADfwZ4pJNpQex+t9/jOClBGMiCiVVFuELCMSX2nmNfvUor3uFVxNNCg30uxDP8JDYfPnMXQzsfzYyg==", + "dependencies": { + "Microsoft.TestPlatform.ObjectModel": "17.12.0", + "Newtonsoft.Json": "13.0.1" + } + }, + "Newtonsoft.Json": { + "type": "Transitive", + "resolved": "13.0.1", + "contentHash": "ppPFpBcvxdsfUonNcvITKqLl3bqxWbDCZIzDWHzjpdAHRFfZe0Dw9HmA0+za13IdyrgJwpkDTDA9fHaxOrt20A==" + }, + "System.Reflection.Metadata": { + "type": "Transitive", + "resolved": "1.6.0", + "contentHash": 
"COC1aiAJjCoA5GBF+QKL2uLqEBew4JsCkQmoHKbN3TlOZKa2fKLz5CpiRQKDz0RsAOEGsVKqOD5bomsXq/4STQ==" + }, + "xunit.abstractions": { + "type": "Transitive", + "resolved": "2.0.3", + "contentHash": "pot1I4YOxlWjIb5jmwvvQNbTrZ3lJQ+jUGkGjWE3hEFM0l5gOnBWS+H3qsex68s5cO52g+44vpGzhAt+42vwKg==" + }, + "xunit.analyzers": { + "type": "Transitive", + "resolved": "1.16.0", + "contentHash": "hptYM7vGr46GUIgZt21YHO4rfuBAQS2eINbFo16CV/Dqq+24Tp+P5gDCACu1AbFfW4Sp/WRfDPSK8fmUUb8s0Q==" + }, + "xunit.assert": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "QkNBAQG4pa66cholm28AxijBjrmki98/vsEh4Sx5iplzotvPgpiotcxqJQMRC8d7RV7nIT8ozh97957hDnZwsQ==" + }, + "xunit.core": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "O6RrNSdmZ0xgEn5kT927PNwog5vxTtKrWMihhhrT0Sg9jQ7iBDciYOwzBgP2krBEk5/GBXI18R1lKvmnxGcb4w==", + "dependencies": { + "xunit.extensibility.core": "[2.9.2]", + "xunit.extensibility.execution": "[2.9.2]" + } + }, + "xunit.extensibility.core": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "Ol+KlBJz1x8BrdnhN2DeOuLrr1I/cTwtHCggL9BvYqFuVd/TUSzxNT5O0NxCIXth30bsKxgMfdqLTcORtM52yQ==", + "dependencies": { + "xunit.abstractions": "2.0.3" + } + }, + "xunit.extensibility.execution": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "rKMpq4GsIUIJibXuZoZ8lYp5EpROlnYaRpwu9Zr0sRZXE7JqJfEEbCsUriZqB+ByXCLFBJyjkTRULMdC+U566g==", + "dependencies": { + "xunit.extensibility.core": "[2.9.2]" + } + }, + "owaspheaders.core": { + "type": "Project" + } + }, + "net9.0": { + "Microsoft.NET.Test.Sdk": { + "type": "Direct", + "requested": "[17.12.0, )", + "resolved": "17.12.0", + "contentHash": "kt/PKBZ91rFCWxVIJZSgVLk+YR+4KxTuHf799ho8WNiK5ZQpJNAEZCAWX86vcKrs+DiYjiibpYKdGZP6+/N17w==", + "dependencies": { + "Microsoft.CodeCoverage": "17.12.0", + "Microsoft.TestPlatform.TestHost": "17.12.0" + } + }, + "xunit": { + "type": "Direct", + "requested": "[2.9.2, )", + "resolved": "2.9.2", + "contentHash": 
"7LhFS2N9Z6Xgg8aE5lY95cneYivRMfRI8v+4PATa4S64D5Z/Plkg0qa8dTRHSiGRgVZ/CL2gEfJDE5AUhOX+2Q==", + "dependencies": { + "xunit.analyzers": "1.16.0", + "xunit.assert": "2.9.2", + "xunit.core": "[2.9.2]" + } + }, + "xunit.runner.visualstudio": { + "type": "Direct", + "requested": "[2.8.2, )", + "resolved": "2.8.2", + "contentHash": "vm1tbfXhFmjFMUmS4M0J0ASXz3/U5XvXBa6DOQUL3fEz4Vt6YPhv+ESCarx6M6D+9kJkJYZKCNvJMas1+nVfmQ==" + }, + "Microsoft.CodeCoverage": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "4svMznBd5JM21JIG2xZKGNanAHNXplxf/kQDFfLHXQ3OnpJkayRK/TjacFjA+EYmoyuNXHo/sOETEfcYtAzIrA==" + }, + "Microsoft.TestPlatform.ObjectModel": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "TDqkTKLfQuAaPcEb3pDDWnh7b3SyZF+/W9OZvWFp6eJCIiiYFdSB6taE2I6tWrFw5ywhzOb6sreoGJTI6m3rSQ==", + "dependencies": { + "System.Reflection.Metadata": "1.6.0" + } + }, + "Microsoft.TestPlatform.TestHost": { + "type": "Transitive", + "resolved": "17.12.0", + "contentHash": "MiPEJQNyADfwZ4pJNpQex+t9/jOClBGMiCiVVFuELCMSX2nmNfvUor3uFVxNNCg30uxDP8JDYfPnMXQzsfzYyg==", + "dependencies": { + "Microsoft.TestPlatform.ObjectModel": "17.12.0", + "Newtonsoft.Json": "13.0.1" + } + }, + "Newtonsoft.Json": { + "type": "Transitive", + "resolved": "13.0.1", + "contentHash": "ppPFpBcvxdsfUonNcvITKqLl3bqxWbDCZIzDWHzjpdAHRFfZe0Dw9HmA0+za13IdyrgJwpkDTDA9fHaxOrt20A==" + }, + "System.Reflection.Metadata": { + "type": "Transitive", + "resolved": "1.6.0", + "contentHash": "COC1aiAJjCoA5GBF+QKL2uLqEBew4JsCkQmoHKbN3TlOZKa2fKLz5CpiRQKDz0RsAOEGsVKqOD5bomsXq/4STQ==" + }, + "xunit.abstractions": { + "type": "Transitive", + "resolved": "2.0.3", + "contentHash": "pot1I4YOxlWjIb5jmwvvQNbTrZ3lJQ+jUGkGjWE3hEFM0l5gOnBWS+H3qsex68s5cO52g+44vpGzhAt+42vwKg==" + }, + "xunit.analyzers": { + "type": "Transitive", + "resolved": "1.16.0", + "contentHash": "hptYM7vGr46GUIgZt21YHO4rfuBAQS2eINbFo16CV/Dqq+24Tp+P5gDCACu1AbFfW4Sp/WRfDPSK8fmUUb8s0Q==" + }, + "xunit.assert": { + "type": "Transitive", + "resolved": 
"2.9.2", + "contentHash": "QkNBAQG4pa66cholm28AxijBjrmki98/vsEh4Sx5iplzotvPgpiotcxqJQMRC8d7RV7nIT8ozh97957hDnZwsQ==" + }, + "xunit.core": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "O6RrNSdmZ0xgEn5kT927PNwog5vxTtKrWMihhhrT0Sg9jQ7iBDciYOwzBgP2krBEk5/GBXI18R1lKvmnxGcb4w==", + "dependencies": { + "xunit.extensibility.core": "[2.9.2]", + "xunit.extensibility.execution": "[2.9.2]" + } + }, + "xunit.extensibility.core": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "Ol+KlBJz1x8BrdnhN2DeOuLrr1I/cTwtHCggL9BvYqFuVd/TUSzxNT5O0NxCIXth30bsKxgMfdqLTcORtM52yQ==", + "dependencies": { + "xunit.abstractions": "2.0.3" + } + }, + "xunit.extensibility.execution": { + "type": "Transitive", + "resolved": "2.9.2", + "contentHash": "rKMpq4GsIUIJibXuZoZ8lYp5EpROlnYaRpwu9Zr0sRZXE7JqJfEEbCsUriZqB+ByXCLFBJyjkTRULMdC+U566g==", + "dependencies": { + "xunit.extensibility.core": "[2.9.2]" + } + }, + "owaspheaders.core": { + "type": "Project" + } + } + } +} \ No newline at end of file diff --git a/OwaspHeaders.Core.sln b/OwaspHeaders.Core.sln index e26ed5c..e818e64 100644 --- a/OwaspHeaders.Core.sln +++ b/OwaspHeaders.Core.sln @@ -6,7 +6,7 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "OwaspHeaders.Core", "src\Ow EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "OwaspHeaders.Core.Tests", "OwaspHeaders.Core.Tests\OwaspHeaders.Core.Tests.csproj", "{E5626AB0-703E-46F8-92DC-B525D4CEC4E3}" EndProject -Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "OwaspHeaders.Core.Example", "OwaspHeaders.Core.Example\OwaspHeaders.Core.Example.csproj", "{C70B4E0F-87B6-4681-8B49-7A4956AB86B1}" +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "OwaspHeaders.Core.Example", "OwaspHeaders.Core.Example\OwaspHeaders.Core.Example.csproj", "{8D3C719A-74EE-40D9-B78A-DCD189E88D5E}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution 
@@ -25,9 +25,9 @@ Global {E5626AB0-703E-46F8-92DC-B525D4CEC4E3}.Debug|Any CPU.Build.0 = Debug|Any CPU {E5626AB0-703E-46F8-92DC-B525D4CEC4E3}.Release|Any CPU.ActiveCfg = Release|Any CPU {E5626AB0-703E-46F8-92DC-B525D4CEC4E3}.Release|Any CPU.Build.0 = Release|Any CPU - {C70B4E0F-87B6-4681-8B49-7A4956AB86B1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {C70B4E0F-87B6-4681-8B49-7A4956AB86B1}.Debug|Any CPU.Build.0 = Debug|Any CPU - {C70B4E0F-87B6-4681-8B49-7A4956AB86B1}.Release|Any CPU.ActiveCfg = Release|Any CPU - {C70B4E0F-87B6-4681-8B49-7A4956AB86B1}.Release|Any CPU.Build.0 = Release|Any CPU + {8D3C719A-74EE-40D9-B78A-DCD189E88D5E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8D3C719A-74EE-40D9-B78A-DCD189E88D5E}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8D3C719A-74EE-40D9-B78A-DCD189E88D5E}.Release|Any CPU.ActiveCfg = Release|Any CPU + {8D3C719A-74EE-40D9-B78A-DCD189E88D5E}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection EndGlobal diff --git a/README-NuGet.md b/README-NuGet.md index 481a140..2df7aba 100644 --- a/README-NuGet.md +++ b/README-NuGet.md @@ -20,7 +20,7 @@ Example: dotnet add package OwaspHeaders.Core ``` -3. Alter the Startup (pre .NET 6) or program (post .NET 6) class to include the following: +3. Alter the program.cs file to include the following: ```csharp app.UseSecureHeadersMiddleware(); 
@@ -28,17 +28,18 @@ app.UseSecureHeadersMiddleware(); This will add a number of default HTTP headers to all responses from your server component. -The following is an example of the response headers from version 6.0.2 (taken on May 15th, 2023) - -``` plaintext -cache-control: max-age=31536000, private -strict-transport-security: max-age=63072000;includeSubDomains -x-frame-options: DENY -x-xss-protection: 0 -x-content-type-options: nosniff -content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; -x-permitted-cross-domain-policies: none; -referrer-policy: no-referrer +The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024) + +```plaintext + cache-control: max-age=31536000,private + content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; + cross-origin-resource-policy: same-origin + referrer-policy: no-referrer + strict-transport-security: max-age=63072000;includeSubDomains + x-content-type-options: nosniff + x-frame-options: DENY + x-permitted-cross-domain-policies: none; + x-xss-protection: 0 ``` Please note: The above example contains only the headers added by the Middleware. diff --git a/README.md b/README.md index 17f2d71..6e8575a 100644 --- a/README.md +++ b/README.md @@ -11,9 +11,8 @@ Please note: this middleware **DOES NOT SUPPORT BLAZOR OR WEBASSEMBLY APPLICATIO ## Tools Required to Build This Repo - .NET SDKs vLatest - - 6.0 - - 7.0 - 8.0 + - 9.0 - an IDE (VS Code, Rider, or Visual Studio) - [dotnet-format](https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-format) global tool. @@ -35,7 +34,7 @@ Assuming that you have an ASP .NET Core project, add the NuGet package: dotnet add package OwaspHeaders.Core ``` -Alter the Startup (pre .NET 6) or program (post .NET 6) class to include the following: +Alter the program.cs file to include the following: ```csharp app.UseSecureHeadersMiddleware(); 
@@ -43,17 +42,18 @@ app.UseSecureHeadersMiddleware(); This will add a number of default HTTP headers to all responses from your server component. -The following is an example of the response headers from version 6.0.2 (taken on May 15th, 2023) +The following is an example of the response headers from version 9.0.0 (taken on November 19th, 2024) ```plaintext -cache-control: max-age=31536000, private -strict-transport-security: max-age=63072000;includeSubDomains -x-frame-options: DENY -x-xss-protection: 0 -x-content-type-options: nosniff -content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; -x-permitted-cross-domain-policies: none; -referrer-policy: no-referrer + cache-control: max-age=31536000,private + content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; + cross-origin-resource-policy: same-origin + referrer-policy: no-referrer + strict-transport-security: max-age=63072000;includeSubDomains + x-content-type-options: nosniff + x-frame-options: DENY + x-permitted-cross-domain-policies: none; + x-xss-protection: 0 ``` Please note: The above example contains only the headers added by the Middleware. @@ -68,7 +68,7 @@ Listing and commenting on the default values that this middleware provides is ou This Middleware uses the builder pattern to set up the header information, which is a compile time dependency. -In your `Startup` class (or `Program.cs` for .NET 6 onwards): +In your `Program.cs` file: https://github.com/GaProgMan/OwaspHeaders.Core/blob/433cbb764956e86b80b598c5d0760bdfdef28161/example/Program.cs#L26 diff --git a/changelog.md b/changelog.md index 54a95c7..d7b7407 100644 --- a/changelog.md +++ b/changelog.md 
@@ -5,15 +5,22 @@ This changelog represents all of the major (i.e. breaking) changes made to the O ## TL;DR | Major Version Number | Changes | -|---|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes | -| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplfied the use of the middleware in Composite Root/Program.cs | -| 6 | Removes Expect-CT Header from the list of default headers | -| 5 | XSS Protection is now hard-coded to return "0" if enabled | -| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class
uses .NET Standard 2.0
Removed XSS Protection header from defaults | -| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Standard 2.0 | -| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Core 2.0 | -| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Standard 1.4 | +|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 9 | Removed support for both .NET 6 and .NET 7 as these are no longer supported by Microsoft. It also adds support for .NET 9. | +| 8 | Removed support for ASP .NET Core on .NET Framework workflows; example and test projects now have OwaspHeaders.Core prefix, re-architected some of the test classes | +| 7 | Added Cross-Origin-Resource-Policy header to list of defaults; simplfied the use of the middleware in Composite Root/Program.cs | +| 6 | Removes Expect-CT Header from the list of default headers | +| 5 | XSS Protection is now hard-coded to return "0" if enabled | +| 4 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class
uses .NET Standard 2.0
Removed XSS Protection header from defaults | +| 3 | Uses builder pattern to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Standard 2.0 | +| 2 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Core 2.0 | +| 1 | Uses `secureHeaderSettings.json` and default config loader to create instances of `SecureHeadersMiddlewareConfiguration` class
also uses .NET Standard 1.4 | + +### Version 9 + +This version dropped support for .NET 6 and .NET 7, as they are no longer supported by Microsoft. It also added support for .NET 9. + +All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package. ### Version 8 diff --git a/documentation.md b/documentation.md index d4156e9..6b64777 100644 --- a/documentation.md +++ b/documentation.md @@ -23,9 +23,9 @@ For both versions 1.x and 2.x, a `secureHeaderSettings.json` file was used. Howe Please see the following sections for how to configure the OwaspHeaders.Core middlware. -### Configuration in Version 3.x +### Configuration since Version 3.x -Version 3.x of OwaspHaders.Core no longer uses the `secureHeaderSettings.json` file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency. +Version 3.x and higher of OwaspHaders.Core no longer uses the `secureHeaderSettings.json` file as this is a runtime dependency. It now uses the builder pattern to set up the header information, which is a compile time dependency. In your `Startup` class, add a using statement for the OwaspHeaders.Core middleware diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj index 48c538f..1e07b5a 100644 --- a/src/OwaspHeaders.Core.csproj +++ b/src/OwaspHeaders.Core.csproj @@ -2,13 +2,12 @@ - net6.0;net7.0;net8.0 + net8.0;net9.0 OwaspHeaders.Core - 6.0.0 OwaspHeaders.Core - 8.1.3 + 9.0.0 Jamie Taylor RJJ Software Ltd MIT @@ -22,6 +21,7 @@ true true snupkg + true true @@ -37,6 +37,7 @@ + diff --git a/src/packages.lock.json b/src/packages.lock.json new file mode 100644 index 0000000..ef181b7 
--- /dev/null +++ b/src/packages.lock.json @@ -0,0 +1,7 @@ +{ + "version": 1, + "dependencies": { + "net8.0": {}, + "net9.0": {} + } +} \ No newline at end of file