Features:
- Add support for
Expect-CTheader. Allows excluding domains that will not have theExpect-CTheader applied. By default, theExpect-CTheader will not be applied to localhost. It is also only applied to HTTPS requests - Add support for
worker-srcdirective forContent-Security-Policyheader
Breaking Changes:
- Drop support for ASP.NET Core 1.x
- Add support for ASP.NET Core 3.0
Features:
- Add support for Nonce generation for
Content-Security-Policyheaders. See README.md for details - Add TagHelpers library for adding nonces and generating hashes for Razor elements.
- Allow using HSTS preload with
Strict-Transport-Security - Allow excluding domains from
Strict-Transport-Security. Similar to the MicrosoftHstsMiddleware, you can skip applyingStrict-Transport-Securityto specific hosts
Breaking Changes:
- All obsolete classes have been removed.
- Many classes have changed namespace to better reflect their location in the project, and also to aid discovery. If you're using the recommended builders and extension methods, you should not have any build-time breaking changes, but the package is not runtime-compatible with previous versions
- The
Strict-Transport-Securityheader is no longer applied tolocalhostby default. Generally speaking, this isn't something you should do anyway. - The CSP classes have undergone significant refactoring to allow dynamic values per-request (i.e. nonces). This doesn't affect the main public API, but will impact you if you're working with the low-level infrastructure classes.