diff --git a/changelog.md b/changelog.md
index ca8bf1b..a3294d2 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,6 +1,6 @@
# Changelog
-This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
+This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
## TL;DR
@@ -22,6 +22,10 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
+#### Version 9.6.x
+
+This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
+
#### Version 9.5.x
This version saw the addition of attestation generation on both a per PR-build and Release basis. See the [Attestations](https://gaprogman.github.io/OwaspHeaders.Core/attestations) page of the documentation to read about how you can verify the attestations per build or release.
diff --git a/docs/changelog.md b/docs/changelog.md
index 1f40d29..4428943 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -6,7 +6,7 @@ nav_order: 7
# Changelog
-This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
+This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
## TL;DR
@@ -28,6 +28,9 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
+#### Version 9.6.x
+
+This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
#### Version 9.5.x
This version saw the addition of attestation generation on both a per PR-build and Release basis. See the [Attestations](https://gaprogman.github.io/OwaspHeaders.Core/attestations) page of the documentation to read about how you can verify the attestations per build or release.
diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
index 2f13e2a..c59532a 100644
--- a/src/OwaspHeaders.Core.csproj
+++ b/src/OwaspHeaders.Core.csproj
@@ -8,7 +8,7 @@
OwaspHeaders.Core
- 9.6.0
+ 9.6.1
Jamie Taylor
RJJ Software Ltd
MIT
diff --git a/src/SecureHeadersMiddleware.cs b/src/SecureHeadersMiddleware.cs
index e251312..94e1dca 100644
--- a/src/SecureHeadersMiddleware.cs
+++ b/src/SecureHeadersMiddleware.cs
@@ -7,143 +7,143 @@ namespace OwaspHeaders.Core;
/// A middleware for injecting OWASP recommended headers into a
/// HTTP Request
///
-public class SecureHeadersMiddleware()
+public class SecureHeadersMiddleware
{
-private string _calculatedContentSecurityPolicy;
-private readonly Dictionary _headers;
-private readonly RequestDelegate _next;
-private readonly SecureHeadersMiddlewareConfiguration _config;
+ private string _calculatedContentSecurityPolicy;
+ private readonly Dictionary _headers;
+ private readonly RequestDelegate _next;
+ private readonly SecureHeadersMiddlewareConfiguration _config;
-public SecureHeadersMiddleware(RequestDelegate next, SecureHeadersMiddlewareConfiguration config) : this()
-{
- _config = config;
- _next = next;
- _headers = new Dictionary();
-}
-
-///
-/// The main task of the middleware. This will be invoked whenever
-/// the middleware fires
-///
-/// The for the current request or response
-///
-public async Task InvokeAsync(HttpContext httpContext)
-{
- if (_config == null)
+ public SecureHeadersMiddleware(RequestDelegate next, SecureHeadersMiddlewareConfiguration config)
{
- throw new ArgumentException(
- $"Expected an instance of the {nameof(SecureHeadersMiddlewareConfiguration)} object.");
+ _config = config;
+ _next = next;
+ _headers = new Dictionary();
}
- if (!RequestShouldBeIgnored(httpContext.Request.Path))
+ ///
+ /// The main task of the middleware. This will be invoked whenever
+ /// the middleware fires
+ ///
+ /// The for the current request or response
+ ///
+ public async Task InvokeAsync(HttpContext httpContext)
{
- if (_headers.Count == 0)
+ if (_config == null)
{
- GenerateRelevantHeaders();
+ throw new ArgumentException(
+ $"Expected an instance of the {nameof(SecureHeadersMiddlewareConfiguration)} object.");
}
- foreach (var (key, value) in _headers)
+ if (!RequestShouldBeIgnored(httpContext.Request.Path))
{
- httpContext.TryAddHeader(key, value);
+ if (_headers.Count == 0)
+ {
+ GenerateRelevantHeaders();
+ }
+
+ foreach (var (key, value) in _headers)
+ {
+ httpContext.TryAddHeader(key, value);
+ }
}
- }
- // Call the next middleware in the chain
- await _next(httpContext);
-}
-
-private void GenerateRelevantHeaders()
-{
- if (_config.UseHsts)
- {
- _headers.TryAdd(Constants.StrictTransportSecurityHeaderName,
- _config.HstsConfiguration.BuildHeaderValue());
+ // Call the next middleware in the chain
+ await _next(httpContext);
}
- if (_config.UseXFrameOptions)
+ private void GenerateRelevantHeaders()
{
- _headers.TryAdd(Constants.XFrameOptionsHeaderName,
- _config.XFrameOptionsConfiguration.BuildHeaderValue());
- }
+ if (_config.UseHsts)
+ {
+ _headers.TryAdd(Constants.StrictTransportSecurityHeaderName,
+ _config.HstsConfiguration.BuildHeaderValue());
+ }
- if (_config.UseXssProtection)
- {
- _headers.TryAdd(Constants.XssProtectionHeaderName,
- _config.XssConfiguration.BuildHeaderValue());
- }
+ if (_config.UseXFrameOptions)
+ {
+ _headers.TryAdd(Constants.XFrameOptionsHeaderName,
+ _config.XFrameOptionsConfiguration.BuildHeaderValue());
+ }
- if (_config.UseXContentTypeOptions)
- {
- _headers.TryAdd(Constants.XContentTypeOptionsHeaderName, Constants.XContentTypeOptionsValue);
- }
+ if (_config.UseXssProtection)
+ {
+ _headers.TryAdd(Constants.XssProtectionHeaderName,
+ _config.XssConfiguration.BuildHeaderValue());
+ }
- if (_config.UseContentSecurityPolicyReportOnly)
- {
- if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+ if (_config.UseXContentTypeOptions)
{
- _calculatedContentSecurityPolicy =
- _config.ContentSecurityPolicyReportOnlyConfiguration.BuildHeaderValue();
+ _headers.TryAdd(Constants.XContentTypeOptionsHeaderName, Constants.XContentTypeOptionsValue);
}
- _headers.TryAdd(Constants.ContentSecurityPolicyReportOnlyHeaderName,
- _calculatedContentSecurityPolicy);
- }
- else if (_config.UseContentSecurityPolicy)
- {
- if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+ if (_config.UseContentSecurityPolicyReportOnly)
{
- _calculatedContentSecurityPolicy = _config.ContentSecurityPolicyConfiguration.BuildHeaderValue();
+ if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+ {
+ _calculatedContentSecurityPolicy =
+ _config.ContentSecurityPolicyReportOnlyConfiguration.BuildHeaderValue();
+ }
+
+ _headers.TryAdd(Constants.ContentSecurityPolicyReportOnlyHeaderName,
+ _calculatedContentSecurityPolicy);
}
+ else if (_config.UseContentSecurityPolicy)
+ {
+ if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+ {
+ _calculatedContentSecurityPolicy = _config.ContentSecurityPolicyConfiguration.BuildHeaderValue();
+ }
- _headers.TryAdd(Constants.ContentSecurityPolicyHeaderName,
- _calculatedContentSecurityPolicy);
- }
+ _headers.TryAdd(Constants.ContentSecurityPolicyHeaderName,
+ _calculatedContentSecurityPolicy);
+ }
- if (_config.UseXContentSecurityPolicy)
- {
- _headers.TryAdd(Constants.XContentSecurityPolicyHeaderName,
- _config.ContentSecurityPolicyConfiguration.BuildHeaderValue());
- }
+ if (_config.UseXContentSecurityPolicy)
+ {
+ _headers.TryAdd(Constants.XContentSecurityPolicyHeaderName,
+ _config.ContentSecurityPolicyConfiguration.BuildHeaderValue());
+ }
- if (_config.UsePermittedCrossDomainPolicy)
- {
- _headers.TryAdd(Constants.PermittedCrossDomainPoliciesHeaderName,
- _config.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
- }
+ if (_config.UsePermittedCrossDomainPolicy)
+ {
+ _headers.TryAdd(Constants.PermittedCrossDomainPoliciesHeaderName,
+ _config.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
+ }
- if (_config.UseReferrerPolicy)
- {
- _headers.TryAdd(Constants.ReferrerPolicyHeaderName,
- _config.ReferrerPolicy.BuildHeaderValue());
- }
+ if (_config.UseReferrerPolicy)
+ {
+ _headers.TryAdd(Constants.ReferrerPolicyHeaderName,
+ _config.ReferrerPolicy.BuildHeaderValue());
+ }
- if (_config.UseExpectCt)
- {
- _headers.TryAdd(Constants.ExpectCtHeaderName,
- _config.ExpectCt.BuildHeaderValue());
- }
+ if (_config.UseExpectCt)
+ {
+ _headers.TryAdd(Constants.ExpectCtHeaderName,
+ _config.ExpectCt.BuildHeaderValue());
+ }
- if (_config.UseCacheControl)
- {
- _headers.TryAdd(Constants.CacheControlHeaderName,
- _config.CacheControl.BuildHeaderValue());
- }
+ if (_config.UseCacheControl)
+ {
+ _headers.TryAdd(Constants.CacheControlHeaderName,
+ _config.CacheControl.BuildHeaderValue());
+ }
- if (_config.UseCrossOriginResourcePolicy)
- {
- _headers.TryAdd(Constants.CrossOriginResourcePolicyHeaderName,
- _config.CrossOriginResourcePolicy.BuildHeaderValue());
+ if (_config.UseCrossOriginResourcePolicy)
+ {
+ _headers.TryAdd(Constants.CrossOriginResourcePolicyHeaderName,
+ _config.CrossOriginResourcePolicy.BuildHeaderValue());
+ }
}
-}
-private bool RequestShouldBeIgnored(PathString requestedPath)
-{
- if (_config.UrlsToIgnore.Count == 0)
+ private bool RequestShouldBeIgnored(PathString requestedPath)
{
- return false;
- }
+ if (_config.UrlsToIgnore.Count == 0)
+ {
+ return false;
+ }
- return requestedPath.HasValue &&
- _config.UrlsToIgnore.Any(url => url.Equals(requestedPath.Value!, StringComparison.InvariantCulture));
-}
+ return requestedPath.HasValue &&
+ _config.UrlsToIgnore.Any(url => url.Equals(requestedPath.Value!, StringComparison.InvariantCulture));
+ }
}