The max-age value used by the default HSTS header is no longer correct (

#121)

* Updated the OWASP recommended HSTS max-age value.

* Removed nuspec file as it's no longer needed.

* Removed old logos

* Removed unnecessary using strings across codebase

* Upped minor version number

* Updated changelog

OwaspHeaders.Core.Tests/CustomHeaders/CacheControlHeaderOptionsTests.cs

@@ -2,7 +2,6 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/ContentSecurityPolicyOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Enums;
 using OwaspHeaders.Core.Extensions;
 using Xunit;

OwaspHeaders.Core.Tests/CustomHeaders/CrossOriginOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using OwaspHeaders.Core.Models;
 using Xunit;

OwaspHeaders.Core.Tests/CustomHeaders/ExpectCtOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/PermittedCrossDomainPoliciesOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/ReferrerPolicyOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/SecureHeadersTests.cs

@@ -2,7 +2,6 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Models;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/StrictTransportSecurityOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 
@@ -21,7 +20,7 @@ public async Task When_UseHstsCalled_Header_Is_Present()
             // assert
             Assert.True(headerPresentConfig.UseHsts);
             Assert.True(_context.Response.Headers.ContainsKey(Constants.StrictTransportSecurityHeaderName));
-            Assert.Equal("max-age=63072000;includeSubDomains",
+            Assert.Equal("max-age=31536000;includeSubDomains",
                 _context.Response.Headers[Constants.StrictTransportSecurityHeaderName]);
         }
 

OwaspHeaders.Core.Tests/CustomHeaders/XContextTypeOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/XFrameOptionsTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/XRemovePoweredByOptions.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/CustomHeaders/XssProtectionOptionTests.cs

@@ -1,5 +1,4 @@
 using System.Threading.Tasks;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Extensions;
 using Xunit;
 

OwaspHeaders.Core.Tests/RegressionTests/CspRegressionTests.cs

@@ -4,7 +4,6 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
-using OwaspHeaders.Core;
 using OwaspHeaders.Core.Enums;
 using OwaspHeaders.Core.Extensions;
 using OwaspHeaders.Core.Models;

README-NuGet.md

@@ -35,7 +35,7 @@ The following is an example of the response headers from version 9.0.0 (taken on
  content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; 
  cross-origin-resource-policy: same-origin 
  referrer-policy: no-referrer 
- strict-transport-security: max-age=63072000;includeSubDomains 
+ strict-transport-security: max-age=31536000;includeSubDomains 
  x-content-type-options: nosniff 
  x-frame-options: DENY 
  x-permitted-cross-domain-policies: none; 

README.md

@@ -49,7 +49,7 @@ The following is an example of the response headers from version 9.0.0 (taken on
  content-security-policy: script-src 'self';object-src 'self';block-all-mixed-content;upgrade-insecure-requests; 
  cross-origin-resource-policy: same-origin 
  referrer-policy: no-referrer 
- strict-transport-security: max-age=63072000;includeSubDomains 
+ strict-transport-security: max-age=31536000;includeSubDomains 
  x-content-type-options: nosniff 
  x-frame-options: DENY 
  x-permitted-cross-domain-policies: none; 

changelog.md

@@ -22,6 +22,10 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
 
 All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
 
+#### Version 9.1
+
+The `max-age` value for the Strict-Transport-Security (HSTS) header was updated to the OWASP recommended value of 31536000 (365 days).
+
 ### Version 8
 
 This version dropped support for support for ASP .NET Core on .NET Framework workflows. This means that, from version 8 onwards, this package will no longer with with .NET Framework workloads. This decision was made as Microsoft have dropped support for ASP .NET Core on .NET Framework workloads. This can be seen in the ASP .NET Core support documentation [here](https://dotnet.microsoft.com/en-us/platform/support/policy/aspnet#dotnet-core)

docs/index.md

@@ -35,7 +35,7 @@ The following is an example of the response headers from version 9.0.0 (taken on
 
 ```plaintext
 Cache-Control: max-age=31536000;private
-Strict-Transport-Security: max-age=63072000;includeSubDomains
+Strict-Transport-Security: max-age=31536000;includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
 X-Content-Type-Options: nosniff

src/Extensions/SecureHeadersMiddlewareBuilder.cs

@@ -45,7 +45,7 @@ public static SecureHeadersMiddlewareConfiguration CreateBuilder()
         /// </remarks>
         public static SecureHeadersMiddlewareConfiguration UseHsts
             (this SecureHeadersMiddlewareConfiguration config,
-                int maxAge = 63072000, bool includeSubDomains = true)
+                int maxAge = 31536000, bool includeSubDomains = true)
         {
             config.UseHsts = true;
             config.HstsConfiguration = new HstsConfiguration(maxAge, includeSubDomains);

src/OwaspHeaders.Core.csproj

@@ -8,7 +8,7 @@
 
     <!-- NuGet metadata -->
     <PackageId>OwaspHeaders.Core</PackageId>
-    <Version>9.0.1</Version>
+    <Version>9.1.1</Version>
     <Authors>Jamie Taylor</Authors>
     <Company>RJJ Software Ltd</Company>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>