Fixed external links
klings committed Oct 8, 2015
1 parent 9ea8c00 commit 37b0828
Showing 12 changed files with 32 additions and 31 deletions.
4 changes: 2 additions & 2 deletions source/nwebsec/Configuration.rst
Expand Up @@ -67,7 +67,7 @@ Only the most basic configuration is added to web.config when installing the NWe
The NWebsec config section is declared, the module is loaded, custom http headers will be cleared, the NWebsec configuration directory is declared as a hidden segment, and an empty NWebsec configuration section is added.

You'll probably notice that configuration is also added to the `<system.webserver>` section in order to load the NWebsec _httpHeaderModule_ . If you're running on IIS 6 or in Classic Pipeline Mode you will have to do some manual changes to your web.config to load the module, see [IIS 6 or IIS 7 Classic Pipeline Mode
You'll probably notice that configuration is also added to the `<system.webserver>` section in order to load the NWebsec *httpHeaderModule* . If you're running on IIS 6 or in Classic Pipeline Mode you will have to do some manual changes to your web.config to load the module, see [IIS 6 or IIS 7 Classic Pipeline Mode
](#iis-6-or-iis-7-classic-pipeline-mode).

The configuration schema gives you intellisense for all NWebsec configuration elements, so feel free to start of with the empty section and add the security headers you need.
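Review bot: the same sentence still carries a Markdown-style link, ``[IIS 6 or IIS 7 Classic Pipeline Mode ](#iis-6-or-iis-7-classic-pipeline-mode)``, which the conversion to RST link syntax in this commit missed; it will render literally, and a ``#anchor`` fragment does not resolve to a section in RST anyway. Because the target is the "IIS 6 or IIS 7 Classic Pipeline Mode" section of this same file, a section-title reference, `IIS 6 or IIS 7 Classic Pipeline Mode`_, is enough. Smaller points on the same lines: ``<system.webserver>`` is wrapped in single backticks, which RST treats as interpreted text rather than a literal (use double backticks, as the other pages do for ``TimeSpan``); there is a stray space before the period after *httpHeaderModule*; and "start of with" in the context line below should be "start off with".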
Expand Down Expand Up @@ -155,7 +155,7 @@ For the curious, here's a complete configuration section with all headers disabl
IIS 6 or IIS 7 Classic Pipeline Mode
************************************

If your application is running in Classic Pipeline Mode (as opposed to [Integrated Pipeline Mode](http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis/)), you'll have to add configuration by hand to load the HttpHeaderModule, here's an example:
If your application is running in Classic Pipeline Mode (as opposed to `Integrated Pipeline Mode <http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis/>`_), you'll have to add configuration by hand to load the HttpHeaderModule, here's an example:

.. code-block:: xml
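Review bot: the link conversion is fine; the sentence it sits in is a comma splice ("...to load the HttpHeaderModule, here's an example:"). Suggest splitting it: "...to load the HttpHeaderModule. Here's an example:".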
4 changes: 2 additions & 2 deletions source/nwebsec/Configuring-cache-headers.rst
Expand Up @@ -8,7 +8,7 @@ In short the browser can behave in two ways when it comes to caching. It could a

Also, the browser can serve previously loaded pages directly from cache — without checking with the server whether the page has changed. This is a common behaviour when the user is navigating back and forth with the "Back" and "Forward" buttons in the browser.

You can read an excellent write-up on the issues related to browser cache and history on Opera's Yngve Pettersen's blog: [Introducing Cache Contexts, or: Why the browser does not know you are logged out](http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the).
You can read an excellent write-up on the issues related to browser cache and history on Opera's Yngve Pettersen's blog: `Introducing Cache Contexts, or: Why the browser does not know you are logged out <http://my.opera.com/yngve/blog/2007/02/27/introducing-cache-contexts-or-why-the>`_.

To instruct the browser to reload pages when the user is navigating with the back and forward buttons you can configure NWebsec to set the following headers:

Expand Down Expand Up @@ -42,7 +42,7 @@ In web.config:
.. note::

Enabling the no cache headers in config is a point of no return, as of NWebsec 3.0.0. This is by design after the PreSendRequestHeaders event was [deprecated by MSFT](http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#presend). If you want to enable these headers globally for your app but make exceptions for some of your controllers/actions, use a global MVC filter instead, as per the following example.
Enabling the no cache headers in config is a point of no return, as of NWebsec 3.0.0. This is by design after the PreSendRequestHeaders event was `deprecated by MSFT <http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#presend>`_. If you want to enable these headers globally for your app but make exceptions for some of your controllers/actions, use a global MVC filter instead, as per the following example.


Or as an MVC filter:
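Review bot: "point of no return" is left for the reader to interpret. The surrounding text implies the concrete meaning (once the no-cache headers are enabled in config they cannot be overridden for individual controllers or actions, which is why the global filter is offered as the alternative), so suggest stating that directly in the note. Also "no cache headers" reads better hyphenated as "no-cache headers".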
21 changes: 11 additions & 10 deletions source/nwebsec/Configuring-csp.rst
Expand Up @@ -6,9 +6,9 @@ Consult :doc:`Breaking-changes` if you're upgrading to the NWebsec 4.x packages.

Content-Security-Policy (CSP) provides a safety net for injection attacks by specifying a whitelist from where various content in a webpage can be loaded from.

If you're unfamiliar with CSP you should read [An Introduction to Content Security Policy](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) by Mike West, one of the Chrome developers. You'll also find information about CSP on the [Mozilla Developer Network](https://developer.mozilla.org/en-US/docs/Security/CSP).
If you're unfamiliar with CSP you should read `An Introduction to Content Security Policy <http://www.html5rocks.com/en/tutorials/security/content-security-policy/>`_ by Mike West, one of the Chrome developers. You'll also find information about CSP on the `Mozilla Developer Network <https://developer.mozilla.org/en-US/docs/Security/CSP>`_.

At the time of writing, CSP 1.0 is supported by most major browsers (Opera/Chrome/Firefox/Safari). Internet Explorer CSP support is lacking for now, but they're [working on it](https://status.modern.ie/contentsecuritypolicy?term=content).
At the time of writing, CSP 1.0 is supported by most major browsers (Opera/Chrome/Firefox/Safari). Internet Explorer CSP support is lacking for now, but they're `working on it <https://status.modern.ie/contentsecuritypolicy?term=content>`_.

Chrome and Firefox have partial support for CSP Level 2.

Expand All @@ -28,7 +28,7 @@ You should read this entire article to understand how CSP configuration is inher
CSP configuration
*****************

NWebsec emits the CSP header if CSP is enabled and one or more directives are configured — except for redirects and static content. The directives specified in [CSP 1.0](http://www.w3.org/TR/CSP/) are:
NWebsec emits the CSP header if CSP is enabled and one or more directives are configured — except for redirects and static content. The directives specified in `CSP 1.0 <http://www.w3.org/TR/CSP/>`_ are:

* default-src — Specifies the default for other sources
* script-src
Expand All @@ -42,15 +42,15 @@ NWebsec emits the CSP header if CSP is enabled and one or more directives are co
* sandbox (optional to implement)
* report-uri — Specifies where CSP violations can be reported

[CSP level 2](http://www.w3.org/TR/CSP2/) adds quite a few new directives over these, currently supported by NWebsec are:
`CSP level 2 <http://www.w3.org/TR/CSP2/>`_ adds quite a few new directives over these, currently supported by NWebsec are:

* frame-ancestors
* base-uri
* child-src
* form-action
* sandbox (no longer optional)

CSP 2 also introduces script and style hashes and nonces. You'll find a good write-up on this on the [Mozilla blog](https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/). NWebsec supports script and style nonces as of version 3.2.0.
CSP 2 also introduces script and style hashes and nonces. You'll find a good write-up on this on the `Mozilla blog <https://blog.mozilla.org/security/2014/10/04/csp-for-the-web-we-have/>`_. NWebsec supports script and style nonces as of version 3.2.0.

To use a directive, it must be configured with at least one source. The standard specifies some special sources.

Expand All @@ -72,7 +72,7 @@ You can also specify your own sources, in various formats specified by the [url:

* \* — Allow content from anywhere
* https: — Scheme only, load only content served over https
* *.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain.
* \*.nwebsec.com — Wildcard host, allow content from any nwebsec.com sub-domain.
* www.nwebsec.com:81 — You can specify a port number
* https://www.nwebsec.com — You can of specify an absolute URI for a host (path has no effect though)

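Review bot: escaping the leading asterisk in ``\*.nwebsec.com`` is the right fix, since an unescaped ``*`` at the start of a list item would be read as the opening of an emphasis span, exactly as the first item already does with ``\*``. Two more things in this hunk: the context line "You can of specify an absolute URI" is missing a word ("You can of course specify"), and the hunk header text "in various formats specified by the [url:" suggests the line just above this hunk still carries a Markdown-style link that this commit did not convert.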
Expand All @@ -83,7 +83,7 @@ CSP 2 specifies support for internationalized domain names in custom sources.
The built-in report handler
===========================

If you configure the report-uri directive, the browser will report CSP violations to that URI (as JSON). The CSP standard includes an example of a [CSP violation report](http://www.w3.org/TR/CSP/#sample-violation-report). There are two things that make it a bit cumbersome to deal with these reports.
If you configure the report-uri directive, the browser will report CSP violations to that URI (as JSON). The CSP standard includes an example of a `CSP violation report <http://www.w3.org/TR/CSP/#sample-violation-report>`_. There are two things that make it a bit cumbersome to deal with these reports.

* The report-uri must be a relative URI, so you might have to include a report handler in every one of your applications (unless they're running on the same domain).
* The browser submits the violation report without session cookies. That means you need to poke a hole in your authorization rules to get the requests through.
Expand Down Expand Up @@ -253,20 +253,21 @@ And consider the following controller:
return View("Index");
}
}
The index action will inherit the global attribute as well as the attribute set on the controller, which yields this header:

..
::

Content-Security-Policy: default-src 'self'; script-src 'self' scripts.nwebsec.codeplex.com

The index2 action inherits previous directives yielding:

..
::

Content-Security-Policy: default-src 'self' nwebsec.codeplex.com; script-src 'self' scripts.nwebsec.codeplex.com

The index3 action also inherits all directives, thus giving us this header:
..
::

Content-Security-Policy: default-src 'self' stuff.nwebsec.codeplex.com; script-src 'self' scripts.nwebsec.codeplex.com scripts.nwebsec.com ajax.googleapis.com

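Review bot: the paragraph "The index action will inherit..." follows the closing brace of the code sample with no blank line, and "The index3 action also inherits..." runs straight into the ``..`` line; docutils needs a blank line to terminate a literal block and otherwise emits "Literal block ends without a blank line; unexpected unindent." The ``..`` / ``::`` pairs are also odd: a bare ``..`` opens an empty comment, so only the ``::`` is doing any work. Suggest dropping the ``..`` lines and keeping a blank line both before each ``::`` and after each indented header line.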
2 changes: 1 addition & 1 deletion source/nwebsec/Configuring-hpkp.rst
Expand Up @@ -4,7 +4,7 @@ Configuring Public-Key-Pins

There are four configuration options, as well as a list of certs to pin and/or a list of pin values. Note that you must supply two pins to generate a valid header, i.e. two certs, a cert and a pin value, or two pin values.

* **max-age** is a ``TimeSpan`` (see [TimeSpan.Parse](http://msdn.microsoft.com/en-us/library/se73z7b9.aspx))
* **max-age** is a ``TimeSpan`` (see `TimeSpan.Parse <http://msdn.microsoft.com/en-us/library/se73z7b9.aspx>`_)
* **includeSubdomains** adds *includeSubDomains* in the header, defaults to *false*
* **httpsOnly** ensures that the HSTS header is set over secure connections only, defaults to *true*.
* **reportUri** specifies an absolute URI to where the browser can report HPKP violations. The scheme must be HTTP or HTTPS.
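Review bot: the **httpsOnly** bullet says it controls "the HSTS header", but this page documents Public-Key-Pins; the bullet looks copied from Configuring-hsts.rst, where the identical wording is correct. Suggest "ensures that the Public-Key-Pins header is set over secure connections only". Browsers ignore both HSTS and PKP headers received over plain HTTP, so the option description should name the header it actually governs.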
4 changes: 2 additions & 2 deletions source/nwebsec/Configuring-hsts.rst
Expand Up @@ -4,9 +4,9 @@ Configuring Strict-Transport-Security

There are four configuration options:

* **max-age** is a ``TimeSpan`` (see [TimeSpan.Parse](http://msdn.microsoft.com/en-us/library/se73z7b9.aspx))
* **max-age** is a ``TimeSpan`` (see `TimeSpan.Parse <http://msdn.microsoft.com/en-us/library/se73z7b9.aspx>`_)
* **includeSubdomains** adds *includeSubDomains* in the header, defaults to *false*
* **preload** adds the *preload* directive, defaults to *false*. Max-age must be at least 18 weeks, and includeSubdomains must be enabled to use the preload directive. See the [Chromium HSTS docs](http://www.chromium.org/sts) for details.
* **preload** adds the *preload* directive, defaults to *false*. Max-age must be at least 18 weeks, and includeSubdomains must be enabled to use the preload directive. See the `Chromium HSTS docs <http://www.chromium.org/sts>`_ for details.
* **httpsOnly** ensures that the HSTS header is set over secure connections only, defaults to *true*.

===================================================== =======================================================================
6 changes: 3 additions & 3 deletions source/nwebsec/Configuring-xrt.rst
Expand Up @@ -10,16 +10,16 @@ You might be familiar with the Robots Exclusion Protocol (REP), often communicat

REP gives some control over which content search engines will index on your site, i.e. for search engines who respect REP. Remember, you are politely asking search engines to not index your content — but not all search engines are that polite.

In addition to [robots.txt](http://www.robotstxt.org/) and meta tags, some of the major search engines support REP through an HTTP header. The following header is the equivalent to the aforementioned meta tag:
In addition to `robots.txt <http://www.robotstxt.org/>`_ and meta tags, some of the major search engines support REP through an HTTP header. The following header is the equivalent to the aforementioned meta tag:

..
X-Robots-Tag: noindex, nofollow

Using the HTTP header can be a nice alternative to the robots.txt and the meta tags — especially for content other than html such as PDF, XML or Office files. The header is supported by Bing and Google, refer to these two resources for the nitty gritty details:

* [Prevent a bot from getting "lost in space"](http://www.bing.com/community/site_blogs/b/webmaster/archive/2009/08/21/prevent-a-bot-from-getting-lost-in-space-sem-101.aspx)
* [Robots meta tag and X-Robots-Tag HTTP header specifications](https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag)
* `Prevent a bot from getting "lost in space" <http://www.bing.com/community/site_blogs/b/webmaster/archive/2009/08/21/prevent-a-bot-from-getting-lost-in-space-sem-101.aspx>`_
* `Robots meta tag and X-Robots-Tag HTTP header specifications <https://developers.google.com/webmasters/control-crawl-index/docs/robots_meta_tag>`_

NWebsec lets you emit the X-Robots-Tag header as of version 2.1.0. The directives supported are:

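Review bot: the header example is introduced with a bare ``..`` line. In RST that opens a comment: if the ``X-Robots-Tag: noindex, nofollow`` line is indented under it, the example is swallowed into the comment and never rendered; if it is not indented, it renders as an ordinary paragraph rather than as a literal. Use the ``::`` literal block form the other pages use (``::`` on its own line, a blank line, then the header indented). Also, "search engines who respect REP" should be "search engines that respect REP".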
2 changes: 1 addition & 1 deletion source/nwebsec/HttpHeaderModule.rst
@@ -1,4 +1,4 @@
The NWebsec HttpHeaderModule controls which headers are sent in the response from and ASP.NET application. Since it's an HttpModule it works for both Web Forms application and MVC applications as it hooks into the [ASP.NET/IIS pipeline](http://msdn.microsoft.com/en-us/library/bb470252.aspx). There, it makes changes to the HTTP header collection according to the NWebsec configuration.
The NWebsec HttpHeaderModule controls which headers are sent in the response from and ASP.NET application. Since it's an HttpModule it works for both Web Forms application and MVC applications as it hooks into the `ASP.NET/IIS pipeline <http://msdn.microsoft.com/en-us/library/bb470252.aspx>`_. There, it makes changes to the HTTP header collection according to the NWebsec configuration.

The HttpHeaderModule supports the following security headers (See [[Configuration]] for the actual web.config):

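Review bot: ``[[Configuration]]`` in "See [[Configuration]] for the actual web.config" is a wiki-style link that this conversion left in place; it will render literally in RST. The other pages in this commit use the Sphinx role for cross-references, so :doc:`Configuration` is the consistent fix. Two typos in the changed line as well: "from and ASP.NET application" should be "from an ASP.NET application", and "both Web Forms application and MVC applications" should be "both Web Forms and MVC applications".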
6 changes: 3 additions & 3 deletions source/nwebsec/NWebsec-and-the-SDL.rst
Expand Up @@ -2,7 +2,7 @@
NWebsec and the SDL
###################

You might be familiar with Microsoft's [Security Development Lifecycle](http://microsoft.com/sdl) (SDL) — a software security assurance process. The SDL is how Microsoft ensures that security is taken care of throughout their development processes. It's broken down in sections for different development phases and each section contains requirements and recommendations to ensure both security and privacy in their software. They've published the process guidance to aid others in introducing security activities in their own development processes.
You might be familiar with Microsoft's `Security Development Lifecycle <http://microsoft.com/sdl>`_ (SDL) — a software security assurance process. The SDL is how Microsoft ensures that security is taken care of throughout their development processes. It's broken down in sections for different development phases and each section contains requirements and recommendations to ensure both security and privacy in their software. They've published the process guidance to aid others in introducing security activities in their own development processes.

Many of the requirements and recommendations are concrete and actionable — this page lists the SDL requirements that NWebsec will help you fulfill (the others you'll have to take care of yourself #kthxbai :).

Expand Down Expand Up @@ -38,7 +38,7 @@ The X-Content-Type-Options header

From *Phase Three Implementation. Security Requirements:*

Internet Explorer 8 MIME handling: Sniffing OPT-OUT. This recommendation addresses functionality new in Internet Explorer 8 that may have security implications in some cases. It is recommended that for each HTTP response that could contain user controllable content, you utilize the HTTP Header X-Content-Type-Options:nosniff. The [Watcher tool](http://websecuritytool.codeplex.com/) may be of use in meeting this requirement.
Internet Explorer 8 MIME handling: Sniffing OPT-OUT. This recommendation addresses functionality new in Internet Explorer 8 that may have security implications in some cases. It is recommended that for each HTTP response that could contain user controllable content, you utilize the HTTP Header X-Content-Type-Options:nosniff. The `Watcher tool <http://websecuritytool.codeplex.com/>`_ may be of use in meeting this requirement.

See :doc:`Configuring-cto` to let NWebsec add this header for you.

Expand All @@ -50,7 +50,7 @@ From *Phase Three Implementation. Security Recommendations:*

Do not use the JavaScript eval() function (or equivalents). The JavaScript eval() function is used to interpret a string as executable code. While eval() enables a web application to dynamically generate and execute JavaScript (including JSON), it also opens up potential security holes, such as injection attacks, where an attacker-fed string may also get executed. For this reason, the eval() function or functional equivalents, such as setTimeout() and setInterval(), should not be used.

See :doc:`Configuring-csp` to let NWebsec add this header for you — CSP will disable all these JavaScript functions (see the *script-src* directive in section 4.2 of the [CSP specification](http://www.w3.org/TR/CSP/#script-src)).
See :doc:`Configuring-csp` to let NWebsec add this header for you — CSP will disable all these JavaScript functions (see the *script-src* directive in section 4.2 of the `CSP specification <http://www.w3.org/TR/CSP/#script-src>`_).

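Review bot: "CSP will disable all these JavaScript functions" overstates what the header does. CSP blocks ``eval()`` and the string-argument forms of ``setTimeout()`` / ``setInterval()`` only while the effective ``script-src`` (or ``default-src``) does not include ``'unsafe-eval'``; called with a function argument, ``setTimeout()`` and ``setInterval()`` keep working, and the quoted SDL text is about the string-evaluating use. Suggest: "CSP blocks eval() and the string forms of setTimeout()/setInterval() unless 'unsafe-eval' is allowed in script-src".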
**************************
The X-Frame-Options header
2 changes: 1 addition & 1 deletion source/nwebsec/NWebsec.Owin.rst
Expand Up @@ -19,7 +19,7 @@ You'll notice that not all features from the :doc:`NWebsec` library are availabl
************
Dependencies
************
NWebsec.Owin depends on the [OWIN NuGet package](http://www.nuget.org/packages/Owin/) and the OWIN IAppBuilder startup interface defined there. It does not have any [Katana](http://www.asp.net/aspnet/overview/owin-and-katana) (MSFTs OWIN libraries) dependencies. The idea is to be able to support other OWIN host implementations as they become available.
NWebsec.Owin depends on the `OWIN NuGet package <http://www.nuget.org/packages/Owin/>`_ and the OWIN IAppBuilder startup interface defined there. It does not have any `Katana <http://www.asp.net/aspnet/overview/owin-and-katana>`_ (MSFTs OWIN libraries) dependencies. The idea is to be able to support other OWIN host implementations as they become available.

Note that the middleware has been developed and tested under Katana.

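Review bot: minor style point on the changed line: "(MSFTs OWIN libraries)" needs an apostrophe, "(MSFT's OWIN libraries)". The link conversions themselves look correct.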

0 comments on commit 37b0828
