From 96cdaacd0d8d728b871efef5644cfbb102baea97 Mon Sep 17 00:00:00 2001
From: Jamie Taylor <60719058+jamie-taylor-rjj@users.noreply.github.com>
Date: Fri, 27 Dec 2024 02:24:55 +0000
Subject: [PATCH 1/4] Added section to index about the list of supported
headers (#156)
---
docs/index.md | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/docs/index.md b/docs/index.md
index 7fc6756..786f295 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -72,6 +72,32 @@ The above example contains only the headers added by the Middleware.
For a more detailed explanation of how to use the middleware, including how to configure it, see [Configuration](./configuration).
+## Included Headers
+
+This project is a work-in-progress, and headers will be added inline with Owasp recommendations. PRs are welcome, and you can read about how to contribute [here](./Contributing).
+
+The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers:
+
+- [ :white_check_mark: ] Strict-Transport-Security
+- [ :white_check_mark: ] X-Frame-Options
+- [ :white_check_mark: ] X-Content-Type-Options
+- [ :white_check_mark: ] Content-Security-Policy
+- [ :white_check_mark: ] X-Permitted-Cross-Domain-Policies
+- [ :white_check_mark: ] Referrer-Policy
+- [ :white_check_mark: ] Cross-Origin-Resource-Policy
+- [ :white_check_mark: ] Cache-Control
+- [ :negative_squared_cross: ] Clear-Site-Data
+- [ :negative_squared_cross: ] Cross-Origin-Opener-Policy
+- [ :negative_squared_cross: ] Cross-Origin-Embedder-Policy
+- [ :negative_squared_cross: ] Permissions-Policy
+
+Key:
+
+ - :white_check_mark: means that the header, recommended value, and all of it's options are implemented
+ - :negative_squared_cross: means the header is not implemented at all.
+
+See the [OWASP Secure Headers List] for the most up-to-date list of recommended headers.
+
## Server Header: A Warning
The default configuration for this middleware removes the `X-Powered-By` header, as this can help malicious users to use targeted attacks for specific server infrastructure. However, since the `Server` header is added by the reverse proxy used when hosting an ASP .NET Core application, removing this header is out of scope for this middleware.
@@ -99,3 +125,4 @@ The `web.config` file will need to be copied to the server when the application
[OWASP Secure Headers]: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
[Configuration]: https://gaprogman.github.io/OwaspHeaders.Core/configuration/
[this answer on ServerFault]: https://serverfault.com/a/1020784
+[OWASP Secure Headers List]: https://owasp.org/www-project-secure-headers/#div-headers
From 0d52112bf254f0cd954b10b115fb1356a84a843c Mon Sep 17 00:00:00 2001
From: Jamie Taylor <60719058+jamie-taylor-rjj@users.noreply.github.com>
Date: Fri, 27 Dec 2024 02:28:44 +0000
Subject: [PATCH 2/4] Bugfix/typos (#157)
* Fixed errant semicolon in values for X-Permitted-Cross-Domain-Policies
* X-Frame-Options values are no longer all caps
* Fixed tests
---
src/Models/PermittedCrossDomainPolicyConfiguration.cs | 10 +++++-----
src/Models/XFrameOptionsConfiguration.cs | 8 ++++----
.../DefaultSecureHeadersIntegrationTests.cs | 4 ++--
.../SecureHeadersMiddlewareTests.cs | 4 ++--
4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/Models/PermittedCrossDomainPolicyConfiguration.cs b/src/Models/PermittedCrossDomainPolicyConfiguration.cs
index f80b228..553cb7f 100644
--- a/src/Models/PermittedCrossDomainPolicyConfiguration.cs
+++ b/src/Models/PermittedCrossDomainPolicyConfiguration.cs
@@ -23,15 +23,15 @@ public string BuildHeaderValue()
switch (XPermittedCrossDomainOptionValue)
{
case XPermittedCrossDomainOptionValue.none:
- return "none;";
+ return "none";
case XPermittedCrossDomainOptionValue.masterOnly:
- return "master-only;";
+ return "master-only";
case XPermittedCrossDomainOptionValue.byContentType:
- return "by-content-type;";
+ return "by-content-type";
case XPermittedCrossDomainOptionValue.byFtpFileType:
- return "by-ftp-file-type;";
+ return "by-ftp-file-type";
case XPermittedCrossDomainOptionValue.all:
- return "all;";
+ return "all";
default:
ArgumentExceptionHelper.RaiseException(nameof(XPermittedCrossDomainOptionValue));
break;
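Review bot: The semicolon removal on the five `return` lines is verified only for the `none` value — the test hunks in DefaultSecureHeadersIntegrationTests.cs and SecureHeadersMiddlewareTests.cs assert `"none"` and nothing else, so the corrected `master-only`, `by-content-type`, `by-ftp-file-type` and `all` literals remain unexercised after this fix. A parameterised test mapping each `XPermittedCrossDomainOptionValue` member to its expected literal would pin all five and catch a regression of the trailing punctuation. BuildHeaderValue's body continues past the end of this hunk.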
diff --git a/src/Models/XFrameOptionsConfiguration.cs b/src/Models/XFrameOptionsConfiguration.cs
index a799121..f6417ce 100644
--- a/src/Models/XFrameOptionsConfiguration.cs
+++ b/src/Models/XFrameOptionsConfiguration.cs
@@ -27,14 +27,14 @@ public string BuildHeaderValue()
switch (OptionValue)
{
case XFrameOptions.Deny:
- return "DENY";
+ return "deny";
case XFrameOptions.Sameorigin:
- return "SAMEORIGIN";
+ return "sameorigin";
case XFrameOptions.Allowfrom:
HeaderValueGuardClauses.StringCannotBeNullOrWhitsSpace(AllowFromDomain, nameof(AllowFromDomain));
- return $"ALLOW-FROM({AllowFromDomain})";
+ return $"allow-from: ({AllowFromDomain})";
case XFrameOptions.AllowAll:
- return "ALLOWALL";
+ return "allowall";
}
// We should never hit this return statement. It is included here
// as the method NEEDs to return something.
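Review bot: The new `allow-from: ({AllowFromDomain})` literal on the `XFrameOptions.Allowfrom` branch does not match the header's defined syntax — RFC 7034 specifies `ALLOW-FROM` followed by a single space and the origin, with no colon and no parentheses — so a user agent that still honours this directive would fail to parse it, and one that does not will typically ignore the whole header, leaving the response with no framing protection on that branch. Keeping the lower-casing (the value is matched case-insensitively), the line should read `return $"allow-from {AllowFromDomain}";`. A comment next to it would also help, noting that ALLOW-FROM is obsolete in current browsers and that CSP `frame-ancestors` is the supported way to permit specific framers, and that `allowall` is, as far as I can tell, not a value RFC 7034 defines at all. None of the test hunks in this commit exercise the Allowfrom branch, so the format change went unchecked. BuildHeaderValue's final return is outside the hunk.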
diff --git a/tests/OwaspHeaders.Core.Tests/CustomHeaders/DefaultSecureHeadersIntegrationTests.cs b/tests/OwaspHeaders.Core.Tests/CustomHeaders/DefaultSecureHeadersIntegrationTests.cs
index ee9136a..df2b4e2 100644
--- a/tests/OwaspHeaders.Core.Tests/CustomHeaders/DefaultSecureHeadersIntegrationTests.cs
+++ b/tests/OwaspHeaders.Core.Tests/CustomHeaders/DefaultSecureHeadersIntegrationTests.cs
@@ -27,7 +27,7 @@ public async Task AllHeaders_Present_When_BuildDefault_Used()
Assert.True(headerPresentConfig.UseXFrameOptions);
Assert.Contains(context.Response.Headers, h => h.Key == Constants.XFrameOptionsHeaderName);
- Assert.Equal("DENY", context.Response.Headers[Constants.XFrameOptionsHeaderName]);
+ Assert.Equal("deny", context.Response.Headers[Constants.XFrameOptionsHeaderName]);
Assert.True(headerPresentConfig.UseXssProtection);
Assert.Contains(context.Response.Headers, h => h.Key == Constants.XssProtectionHeaderName);
@@ -44,7 +44,7 @@ public async Task AllHeaders_Present_When_BuildDefault_Used()
Assert.True(headerPresentConfig.UsePermittedCrossDomainPolicy);
Assert.Contains(context.Response.Headers, h => h.Key == Constants.PermittedCrossDomainPoliciesHeaderName);
- Assert.Equal("none;", context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
+ Assert.Equal("none", context.Response.Headers[Constants.PermittedCrossDomainPoliciesHeaderName]);
Assert.True(headerPresentConfig.UseReferrerPolicy);
Assert.Contains(context.Response.Headers, h => h.Key == Constants.ReferrerPolicyHeaderName);
diff --git a/tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs b/tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs
index c61b5cb..94b51be 100644
--- a/tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs
+++ b/tests/OwaspHeaders.Core.Tests/SecureHeadersMiddlewareExtensionTests/SecureHeadersMiddlewareTests.cs
@@ -103,7 +103,7 @@ private void AssertHeadersInResponse(SecureHeadersMiddlewareConfiguration middle
// X-Frame-Options
Assert.True(middlewareConfiguration.UseXFrameOptions);
- Assert.Equal("DENY", middlewareConfiguration.XFrameOptionsConfiguration.BuildHeaderValue());
+ Assert.Equal("deny", middlewareConfiguration.XFrameOptionsConfiguration.BuildHeaderValue());
// X-Content-Type-Options
Assert.True(middlewareConfiguration.UseXContentTypeOptions);
@@ -116,7 +116,7 @@ private void AssertHeadersInResponse(SecureHeadersMiddlewareConfiguration middle
// X-Permitted-Cross-Domain-Policies
Assert.True(middlewareConfiguration.UsePermittedCrossDomainPolicy);
- Assert.Equal("none;", middlewareConfiguration.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
+ Assert.Equal("none", middlewareConfiguration.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
// Referrer-Policy
Assert.True(middlewareConfiguration.UseReferrerPolicy);
From 86879a0360181eb08d2a7f71b464f029e7458dc8 Mon Sep 17 00:00:00 2001
From: Jamie Taylor <60719058+jamie-taylor-rjj@users.noreply.github.com>
Date: Fri, 27 Dec 2024 02:35:17 +0000
Subject: [PATCH 3/4] feature/list-of-headers-in-docs (#158)
* Added section to index about the list of supported headers
* Used actual emoji characters for list of headers supported
---
docs/index.md | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/docs/index.md b/docs/index.md
index 786f295..9a71d24 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -78,23 +78,23 @@ This project is a work-in-progress, and headers will be added inline with Owasp
The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers:
-- [ :white_check_mark: ] Strict-Transport-Security
-- [ :white_check_mark: ] X-Frame-Options
-- [ :white_check_mark: ] X-Content-Type-Options
-- [ :white_check_mark: ] Content-Security-Policy
-- [ :white_check_mark: ] X-Permitted-Cross-Domain-Policies
-- [ :white_check_mark: ] Referrer-Policy
-- [ :white_check_mark: ] Cross-Origin-Resource-Policy
-- [ :white_check_mark: ] Cache-Control
-- [ :negative_squared_cross: ] Clear-Site-Data
-- [ :negative_squared_cross: ] Cross-Origin-Opener-Policy
-- [ :negative_squared_cross: ] Cross-Origin-Embedder-Policy
-- [ :negative_squared_cross: ] Permissions-Policy
+- [ ✅ ] Strict-Transport-Security
+- [ ✅ ] X-Frame-Options
+- [ ✅ ] X-Content-Type-Options
+- [ ✅ ] Content-Security-Policy
+- [ ✅ ] X-Permitted-Cross-Domain-Policies
+- [ ✅ ] Referrer-Policy
+- [ ✅ ] Cross-Origin-Resource-Policy
+- [ ✅ ] Cache-Control
+- [ ❌ ] Clear-Site-Data
+- [ ❌ ] Cross-Origin-Opener-Policy
+- [ ❌ ] Cross-Origin-Embedder-Policy
+- [ ❌ ] Permissions-Policy
Key:
- - :white_check_mark: means that the header, recommended value, and all of it's options are implemented
- - :negative_squared_cross: means the header is not implemented at all.
+ - ✅ means that the header, recommended value, and all of it's options are implemented
+ - ❌ means the header is not implemented at all.
See the [OWASP Secure Headers List] for the most up-to-date list of recommended headers.
From b9a4671536ead6fc30bb3a112f7f7912fc4013dc Mon Sep 17 00:00:00 2001
From: Jamie Taylor <60719058+jamie-taylor-rjj@users.noreply.github.com>
Date: Fri, 27 Dec 2024 02:40:13 +0000
Subject: [PATCH 4/4] Bugfix/typos (#159)
* Fixed errant semicolon in values for X-Permitted-Cross-Domain-Policies
* X-Frame-Options values are no longer all caps
* Fixed tests
* Patch version bump
---
src/OwaspHeaders.Core.csproj | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
index a6dbafd..e46c114 100644
--- a/src/OwaspHeaders.Core.csproj
+++ b/src/OwaspHeaders.Core.csproj
@@ -8,7 +8,7 @@
OwaspHeaders.Core
- 9.6.2
+ 9.6.3
Jamie Taylor
RJJ Software Ltd
MIT