Added section to index about the list of supported headers (#156)
jamie-taylor-rjj authored Dec 27, 2024
1 parent b1cf862 commit 96cdaac
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions docs/index.md
Expand Up @@ -72,6 +72,32 @@ The above example contains only the headers added by the Middleware.

For a more detailed explanation of how to use the middleware, including how to configure it, see [Configuration](./configuration).

## Included Headers

This project is a work-in-progress, and headers will be added inline with Owasp recommendations. PRs are welcome, and you can read about how to contribute [here](./Contributing).

The following list displays the status of all the current (as of Dec 27th, 2024) recommended headers:

- [ :white_check_mark: ] Strict-Transport-Security
- [ :white_check_mark: ] X-Frame-Options
- [ :white_check_mark: ] X-Content-Type-Options
- [ :white_check_mark: ] Content-Security-Policy
- [ :white_check_mark: ] X-Permitted-Cross-Domain-Policies
- [ :white_check_mark: ] Referrer-Policy
- [ :white_check_mark: ] Cross-Origin-Resource-Policy
- [ :white_check_mark: ] Cache-Control
- [ :negative_squared_cross: ] Clear-Site-Data
- [ :negative_squared_cross: ] Cross-Origin-Opener-Policy
- [ :negative_squared_cross: ] Cross-Origin-Embedder-Policy
- [ :negative_squared_cross: ] Permissions-Policy

Key:

- :white_check_mark: means that the header, recommended value, and all of it's options are implemented
- :negative_squared_cross: means the header is not implemented at all.

See the [OWASP Secure Headers List] for the most up-to-date list of recommended headers.

## Server Header: A Warning

The default configuration for this middleware removes the `X-Powered-By` header, as this can help malicious users to use targeted attacks for specific server infrastructure. However, since the `Server` header is added by the reverse proxy used when hosting an ASP .NET Core application, removing this header is out of scope for this middleware.
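Review bot: two spelling issues in the added "Included Headers" section: `all of it's options are implemented` in the key should read `all of its options are implemented`, and `added inline with Owasp recommendations` should read `added in line with OWASP recommendations`. On substance, the key defines the check mark as meaning the header, its recommended value, and all of its options are implemented, which is a strong claim to make for every checked entry (Content-Security-Policy in particular has a large option surface); either narrow the key to "header and recommended default value" or link each checked entry to its section in the configuration docs so a reader can verify the claim. Also, the list is dated `(as of Dec 27th, 2024)` while the sentence below already defers to the OWASP Secure Headers List for the current set, so the date will go stale silently; consider dropping it or noting that the list is refreshed with each release. Minor style point: the contributing link is `./Contributing` while the other relative link on the page is lowercase `./configuration`; confirm the capitalised path resolves on the published site.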
Expand Down Expand Up @@ -99,3 +125,4 @@ The `web.config` file will need to be copied to the server when the application
[OWASP Secure Headers]: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
[Configuration]: https://gaprogman.github.io/OwaspHeaders.Core/configuration/
[this answer on ServerFault]: https://serverfault.com/a/1020784
[OWASP Secure Headers List]: https://owasp.org/www-project-secure-headers/#div-headers
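Review bot: the new `[OWASP Secure Headers List]` reference points at `https://owasp.org/www-project-secure-headers/#div-headers` while the existing `[OWASP Secure Headers]` reference three lines above still points at the legacy wiki URL `https://www.owasp.org/index.php/OWASP_Secure_Headers_Project`. Update the older reference to the same `https://owasp.org/www-project-secure-headers/` base (or fold both into a single reference definition) so the page does not cite the same project through two URLs, one of which depends on a redirect that may not be maintained.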
