Merge main into branch

docs/index.md

@@ -72,6 +72,32 @@ The above example contains only the headers added by the Middleware.
 
 For a more detailed explanation of how to use the middleware, including how to configure it, see [Configuration](./configuration).
 
+## Included Headers
+
+This project is a work-in-progress, and headers will be added inline with Owasp recommendations. PRs are welcome, and you can read about how to contribute [here](./Contributing).
+
+The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers:
+
+- [ ✅ ] Strict-Transport-Security 
+- [ ✅ ] X-Frame-Options
+- [ ✅ ] X-Content-Type-Options
+- [ ✅ ] Content-Security-Policy
+- [ ✅ ] X-Permitted-Cross-Domain-Policies 
+- [ ✅ ] Referrer-Policy
+- [ ✅ ] Cross-Origin-Resource-Policy 
+- [ ✅ ] Cache-Control
+- [ ❌ ] Clear-Site-Data
+- [ ❌ ] Cross-Origin-Opener-Policy
+- [ ❌ ] Cross-Origin-Embedder-Policy
+- [ ❌ ] Permissions-Policy
+
+Key:
+
+ - ✅ means that the header, recommended value, and all of it's options are implemented
+ - ❌ means the header is not implemented at all.
+
+See the [OWASP Secure Headers List] for the most up-to-date list of recommended headers.
+
 ## Server Header: A Warning
 
 The default configuration for this middleware removes the `X-Powered-By` header, as this can help malicious users to use targeted attacks for specific server infrastructure. However, since the `Server` header is added by the reverse proxy used when hosting an ASP .NET Core application, removing this header is out of scope for this middleware.
@@ -99,3 +125,4 @@ The `web.config` file will need to be copied to the server when the application
 [OWASP Secure Headers]: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
 [Configuration]: https://gaprogman.github.io/OwaspHeaders.Core/configuration/
 [this answer on ServerFault]: https://serverfault.com/a/1020784
+[OWASP Secure Headers List]: https://owasp.org/www-project-secure-headers/#div-headers

src/Models/PermittedCrossDomainPolicyConfiguration.cs

@@ -23,15 +23,15 @@ public string BuildHeaderValue()
         switch (XPermittedCrossDomainOptionValue)
         {
             case XPermittedCrossDomainOptionValue.none:
-                return "none;";
+                return "none";
             case XPermittedCrossDomainOptionValue.masterOnly:
-                return "master-only;";
+                return "master-only";
             case XPermittedCrossDomainOptionValue.byContentType:
-                return "by-content-type;";
+                return "by-content-type";
             case XPermittedCrossDomainOptionValue.byFtpFileType:
-                return "by-ftp-file-type;";
+                return "by-ftp-file-type";
             case XPermittedCrossDomainOptionValue.all:
-                return "all;";
+                return "all";
             default:
                 ArgumentExceptionHelper.RaiseException(nameof(XPermittedCrossDomainOptionValue));
                 break;

src/Models/XFrameOptionsConfiguration.cs

@@ -27,14 +27,14 @@ public string BuildHeaderValue()
         switch (OptionValue)
         {
             case XFrameOptions.Deny:
-                return "DENY";
+                return "deny";
             case XFrameOptions.Sameorigin:
-                return "SAMEORIGIN";
+                return "sameorigin";
             case XFrameOptions.Allowfrom:
                 HeaderValueGuardClauses.StringCannotBeNullOrWhitsSpace(AllowFromDomain, nameof(AllowFromDomain));
-                return $"ALLOW-FROM({AllowFromDomain})";
+                return $"allow-from: ({AllowFromDomain})";
             case XFrameOptions.AllowAll:
-                return "ALLOWALL";
+                return "allowall";
         }
         // We should never hit this return statement. It is included here
         // as the method NEEDs to return something.

tests/OwaspHeaders.Core.Tests/CustomHeaders/DefaultSecureHeadersIntegrationTests.cs

@@ -27,7 +27,7 @@ public async Task AllHeaders_Present_When_BuildDefault_Used()
 
         Assert.True(headerPresentConfig.UseXFrameOptions);
         Assert.Contains(context.Response.Headers, h => h.Key == Constants.XFrameOptionsHeaderName);
-        Assert.Equal("DENY", context.Response.Headers[Constants.XFrameOptionsHeaderName]);
+        Assert.Equal("deny", context.Response.Headers[Constants.XFrameOptionsHeaderName]);
 
         Assert.True(headerPresentConfig.UseXssProtection);
         Assert.Contains(context.Response.Headers, h => h.Key == Constants.XssProtectionHeaderName);
@@ -44,7 +44,7 @@ public async Task AllHeaders_Present_When_BuildDefault_Used()
 
         Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy);
         Assert.Contains(context.Response.Headers, h => h.Key == Constants.PermittedCrossDomainPoliciesHeaderName);
-        Assert.Equal("none;", context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
+        Assert.Equal("none", context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
 
         Assert.True(headerPresentConfig.UseReferrerPolicy);
         Assert.Contains(context.Response.Headers, h => h.Key == Constants.ReferrerPolicyHeaderName);

tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs

@@ -103,7 +103,7 @@ private void AssertHeadersInResponse(SecureHeadersMiddlewareConfiguration middle
 
         // X-Frame-Options
         Assert.True(middlewareConfiguration.UseXFrameOptions);
-        Assert.Equal("DENY", middlewareConfiguration.XFrameOptionsConfiguration.BuildHeaderValue());
+        Assert.Equal("deny", middlewareConfiguration.XFrameOptionsConfiguration.BuildHeaderValue());
 
         // X-Content-Type-Options
         Assert.True(middlewareConfiguration.UseXContentTypeOptions);
@@ -116,7 +116,7 @@ private void AssertHeadersInResponse(SecureHeadersMiddlewareConfiguration middle
 
         // X-Permitted-Cross-Domain-Policies
         Assert.True(middlewareConfiguration.UsePermittedCrossDomainPolicy);
-        Assert.Equal("none;", middlewareConfiguration.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
+        Assert.Equal("none", middlewareConfiguration.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
 
         // Referrer-Policy
         Assert.True(middlewareConfiguration.UseReferrerPolicy);