From 96cdaacd0d8d728b871efef5644cfbb102baea97 Mon Sep 17 00:00:00 2001 From: Jamie Taylor <60719058+jamie-taylor-rjj@users.noreply.github.com> Date: Fri, 27 Dec 2024 02:24:55 +0000 Subject: [PATCH] Added section to index about the list of supported headers (#156) --- docs/index.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/index.md b/docs/index.md index 7fc6756..786f295 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -72,6 +72,32 @@ The above example contains only the headers added by the Middleware. For a more detailed explanation of how to use the middleware, including how to configure it, see [Configuration](./configuration). +## Included Headers + +This project is a work-in-progress, and headers will be added inline with Owasp recommendations. PRs are welcome, and you can read about how to contribute [here](./Contributing). + +The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers: + +- [ :white_check_mark: ] Strict-Transport-Security +- [ :white_check_mark: ] X-Frame-Options +- [ :white_check_mark: ] X-Content-Type-Options +- [ :white_check_mark: ] Content-Security-Policy +- [ :white_check_mark: ] X-Permitted-Cross-Domain-Policies +- [ :white_check_mark: ] Referrer-Policy +- [ :white_check_mark: ] Cross-Origin-Resource-Policy +- [ :white_check_mark: ] Cache-Control +- [ :negative_squared_cross: ] Clear-Site-Data +- [ :negative_squared_cross: ] Cross-Origin-Opener-Policy +- [ :negative_squared_cross: ] Cross-Origin-Embedder-Policy +- [ :negative_squared_cross: ] Permissions-Policy + +Key: + + - :white_check_mark: means that the header, recommended value, and all of it's options are implemented + - :negative_squared_cross: means the header is not implemented at all. + +See the [OWASP Secure Headers List] for the most up-to-date list of recommended headers. + ## Server Header: A Warning The default configuration for this middleware removes the `X-Powered-By` header, as this can help malicious users to use targeted attacks for specific server infrastructure. However, since the `Server` header is added by the reverse proxy used when hosting an ASP .NET Core application, removing this header is out of scope for this middleware. 
@@ -99,3 +125,4 @@ The `web.config` file will need to be copied to the server when the application [OWASP Secure Headers]: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project [Configuration]: https://gaprogman.github.io/OwaspHeaders.Core/configuration/ [this answer on ServerFault]: https://serverfault.com/a/1020784 +[OWASP Secure Headers List]: https://owasp.org/www-project-secure-headers/#div-headers
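Review bot: In the first hunk (the new "Included Headers" section), the checklist syntax `- [ :white_check_mark: ]` is not a Markdown task list and will render as literal brackets around the emoji; either use a plain bullet with the emoji (`- :white_check_mark: Strict-Transport-Security`) or a standard task list (`- [x] Strict-Transport-Security`). The same hunk also has two wording slips that should be fixed before merge: "inline with Owasp recommendations" should read "in line with OWASP recommendations" (the project name is capitalised OWASP elsewhere in this file), and "all of it's options" should be "all of its options". Finally, the date-stamped phrase "(as of Dec 27th, 2024)" will go stale quickly; consider dropping the date and relying on the "See the [OWASP Secure Headers List]" sentence that already points readers at the live source, and make the two key bullets consistent (one ends with a period, the other does not).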
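Review bot: In the second hunk, the new reference `[OWASP Secure Headers List]` points at `https://owasp.org/www-project-secure-headers/#div-headers`, while the existing `[OWASP Secure Headers]` reference two lines above still points at the legacy wiki URL `https://www.owasp.org/index.php/OWASP_Secure_Headers_Project`. Two reference names differing only by the word "List" is easy to confuse when editing, and the legacy wiki address is the older of the two; suggest updating the existing `[OWASP Secure Headers]` definition to the `owasp.org/www-project-secure-headers/` URL as well (or collapsing both to one reference name) so the document does not carry two differently-aged links to the same project.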