New features:
- ASP.NET 6.0+ support
- Breaking change: middlewares must be registered as services before use.
- X-UA-Compatible: MVC attribute
- Permissions-Policy: MVC attribute to allow/deny permissions
New features:
- ASP.NET 5.0+ support
- MVC Action Filter support, and extension methods for HttpContext:
- Frame-Options: set policy
- Permissions-Policy: Allow and disallow
- X-UA-Compatible: set compatibility mode
- Note: middlewares still has to be added to the pipeline as they contain the logic that modifies the headers of the HTTP response, while the action filters only set which values to set.
Performance improvements:
- All middlewares are strongly typed using the
IMiddlewareinterface - All middlewares are singletons, so they don't have to be instantiated for each and every request
- Response headers are not parsed into objects, low level APIs are satisfactory while providing the same security
- Header values are pre-rendered, so middlewares are basically allocation free from now (instead of constructing them on the fly, which resulted in lots of new
Stringobjects on the heap). Note: this also means that configuration changes won't take effect while running. - Breaking change: middlewares must be registered as services before use.
Deprecation:
- Frame-Options:
allow-frompolicy - Frame-Options: use Content Security Policy instead
- Permissions-Policy: support for Permissions Policy
- Feature-Policy: marked as obsolete
- Fix: Require Authenticated Identity: middleware didn't interrupt the pipeline.
- Report-To: Added support for
Report-Toheader - Upgrade Insecure Resources: Tag helper to upgrade insecure resource references (like scripts, styles, images, links) to
https:// - Fix: Subresource Integrity: increased its order, so it is the last to be executed
New features:
- ASP.NET Core 3.0+ support
- Nullable reference types support
- Subresource Integrity: Tag helper to add
integrityattribute to remote resources - Feature-Policy: Added support
- NoOpener: Tag helper to add missing
noopenerrelationships toatags - Require Authenticated Identity: Middleware that requires an authenticated identity on the HttpContext to proceed
- CSP: Added support for
prefetch-src - CSP: Added support for
script-src-attr - CSP: Added support for
script-src-elem - CSP: Added support for
style-src-attr - CSP: Added support for
style-src-elem - X-Robots-Tag: Added support for specifying user agent
- X-Robots-Tag: Added support for
max-snippet - X-Robots-Tag: Added support for
max-image-preview - X-Robots-Tag: Added support for
max-video-preview
Breaking changes:
CspOptionswas renamed toCspDirectiveListFrameOptionOptionswas renamed toFrameOptionsDirectiveXRobotsTagHeaderValuewas renamed toRobotsTagDirectiveList
Deprecation:
- CSP: Removed support for
reflected-xss - CSP: Removed support for
X-WebKit-CSPandX-Content-Security-Policyheader names as CSP is widely supported now - HTTP Strict Transport Security: Removed support as it has built-in support in ASP.NET Core 3.0
- HTTP Public Key Pinning: Marked as obsolete, as it has been deprecated by Chrome/IE/Edge
- X-XSS-Protection: Marked as obsolete, as it has been permanently disabled by Chrome/Edge and has never been implemented in Firefox
Fixes:
- CSP: Fixed crash on developer exception page when
style-srcorscript-srcwas not set
- Expect-CT: support for Certificate Transparency
- CSP: Add source to directives by hash
- CSP: Add source to directives in hash form by content
- CSP:
reflected-xssdirective is turned off by default due to lack of browser support
- CSP Fixed: The directive name
font-srcwas accidentally re-used for theform-actiondirective #1 @BlueNinjaSoftware
- ASP.NET Core 2+ support
- ASP.NET Core 1.0-2.0 support
- Content-Security-Policy
- Frame-Options
- HTTP Public Key Pinning
- HTTP Strict Transport Security
- Redirect Policy
- Referrer Policy
- X-Content-Type-Options
- X-Download-Options
- X-Permitted-Cross-Domain-Policies
- X-Robots-Tag
- X-UA-Compatible
- X-XSS-Protection