
v2.11.1 #1442

Merged, 71 commits, Nov 3, 2024

Commits
ef8cac1
Add new e 'Check for Duplicate Function Definitions test
mdaneri Oct 1, 2024
886c722
Update _.Tests.ps1
mdaneri Oct 1, 2024
ce2f17e
fix for #1406
mdaneri Oct 7, 2024
7f7b385
added some comments
mdaneri Oct 7, 2024
86fd8b4
Exclude ./auth from the test
mdaneri Oct 7, 2024
6bd534d
Adds new/missing CSP parameters in security headers
Badgerati Oct 7, 2024
b884b79
Update Caching.ps1
willgladstone Oct 10, 2024
e828c0d
fix for pwsh installer location changing
Badgerati Oct 11, 2024
ed958c9
call new pwsh install url first, then old
Badgerati Oct 11, 2024
9b2b8db
adds a CspReportOnly switch on Set-PodeSecurity
Badgerati Oct 11, 2024
7097bc3
Update Caching.ps1
willgladstone Oct 11, 2024
b624cd8
Update Helpers.ps1
mdaneri Oct 15, 2024
7674138
Pester test
mdaneri Oct 15, 2024
03e56b5
fixes
mdaneri Oct 15, 2024
2125c9b
Update OpenApi.Tests.ps1
mdaneri Oct 15, 2024
6e1ff3b
add localization and fix test
mdaneri Oct 15, 2024
da691d2
Update OpenApi-TuttiFrutti.ps1
mdaneri Oct 15, 2024
bd7e284
Merge pull request #1413 from willgladstone/bug-1412-patch-1
Badgerati Oct 16, 2024
326c777
Merge branch 'develop' into missing-csp-params
Badgerati Oct 16, 2024
696cc43
Merge pull request #1409 from Badgerati/missing-csp-params
Badgerati Oct 16, 2024
396192f
Merge remote-tracking branch 'upstream/develop' into issue-1419
mdaneri Oct 16, 2024
74c7dc9
Merge remote-tracking branch 'upstream/develop' into issue-1417
mdaneri Oct 16, 2024
bb46fe4
Merge remote-tracking branch 'upstream/develop' into issue-1406
mdaneri Oct 16, 2024
3060891
Merge remote-tracking branch 'upstream/develop' into Duplicate-Functi…
mdaneri Oct 16, 2024
b392154
fix ConvertTo-PodeOARoutePath
mdaneri Oct 18, 2024
d8606d3
remove
mdaneri Oct 18, 2024
a181172
Merge pull request #1424 from mdaneri/remove-duplicated-functions
Badgerati Oct 18, 2024
417d9cb
Merge branch 'develop' into issue--1422
mdaneri Oct 19, 2024
3843da0
Merge branch 'develop' into issue-1417
mdaneri Oct 19, 2024
56e34f5
Merge pull request #1423 from mdaneri/issue--1422
Badgerati Oct 20, 2024
c6b903c
Merge branch 'develop' into issue-1419
Badgerati Oct 20, 2024
1050ca9
Merge branch 'develop' into Duplicate-Function-test
Badgerati Oct 20, 2024
f7c30a1
Merge pull request #1404 from mdaneri/Duplicate-Function-test
Badgerati Oct 20, 2024
10f5a8b
Merge branch 'develop' into issue-1406
Badgerati Oct 20, 2024
0411580
Merge pull request #1407 from mdaneri/issue-1406
Badgerati Oct 20, 2024
55c4a1c
Merge remote-tracking branch 'upstream/develop' into issue-1419
mdaneri Oct 20, 2024
18ac0b4
Merge remote-tracking branch 'upstream/develop' into issue-1417
mdaneri Oct 20, 2024
22db5c5
Merge pull request #1418 from mdaneri/issue-1417
Badgerati Oct 21, 2024
1ae8148
Merge branch 'develop' into issue-1419
Badgerati Oct 21, 2024
860aa58
Merge pull request #1420 from mdaneri/issue-1419
Badgerati Oct 21, 2024
d2d6a00
#1408: Fixes collection modified error when cleaning up sessions
Badgerati Oct 21, 2024
79ec468
Merge pull request #1427 from Badgerati/Issue-1408
Badgerati Oct 21, 2024
c948542
#1426: migrates a couple stream funcs to .NET, and removes the Stream…
Badgerati Oct 22, 2024
da0dda1
OpenAPI fixes and improvement
mdaneri Oct 23, 2024
4e4551e
cleanup
mdaneri Oct 23, 2024
9b047d4
Update OpenApi.Tests.ps1
mdaneri Oct 23, 2024
0b08d67
Merge pull request #1428 from Badgerati/Issue-1426
Badgerati Oct 23, 2024
41a8a31
Merge branch 'develop' into openApi-fixes
Badgerati Oct 23, 2024
c8e23fb
Merge pull request #1430 from mdaneri/openApi-fixes
Badgerati Oct 23, 2024
e52dd7b
Fix file logging cleanup does not work
DoLearnWhileAlive Oct 24, 2024
5767392
add workaround for #1432
mdaneri Oct 26, 2024
8018e0a
add workaround for #1432
mdaneri Oct 26, 2024
bc25f8c
Add additional tests
mdaneri Oct 26, 2024
5005e21
fix error log on console
mdaneri Oct 26, 2024
0e10fec
add comments
mdaneri Oct 26, 2024
09d9ad0
Merge pull request #1434 from DoLearnWhileAlive/fix/1433
Badgerati Oct 27, 2024
f4b8e69
Merge remote-tracking branch 'upstream/develop' into issue-1432
mdaneri Oct 27, 2024
7d93aa9
Merge remote-tracking branch 'upstream/develop' into issue-1437
mdaneri Oct 27, 2024
2113617
changed -not to !
mdaneri Oct 27, 2024
636a06c
Update PodeSocket.cs
mdaneri Oct 27, 2024
dc646a8
Merge pull request #1436 from mdaneri/issue-1432
Badgerati Oct 28, 2024
c674336
Merge branch 'develop' into issue-1437
Badgerati Oct 28, 2024
c47ad6f
Merge pull request #1438 from mdaneri/issue-1437
Badgerati Oct 28, 2024
5aea2e6
#1435: don't setup the caching hk timer in serverless
Badgerati Oct 29, 2024
3aeaa84
Merge branch 'develop' into Issue-1435
Badgerati Oct 29, 2024
308035d
Merge pull request #1439 from Badgerati/Issue-1435
Badgerati Oct 30, 2024
30d10c1
#1411: refactor request stream open exceptions and logging
Badgerati Nov 2, 2024
0a42465
#1411: add back IsOpened check, remove now unneeded SslError state
Badgerati Nov 2, 2024
73f6b00
Merge pull request #1440 from Badgerati/Issue-1411
Badgerati Nov 2, 2024
8363195
adds v2.11.1 release notes
Badgerati Nov 2, 2024
a37f33b
Merge pull request #1441 from Badgerati/release-prep
Badgerati Nov 2, 2024
69 changes: 36 additions & 33 deletions docs/Tutorials/Middleware/Types/Security.md
Expand Up @@ -2,7 +2,7 @@

The security headers middleware runs at the beginning of every request, and if any security headers are defined they will be added onto the response.

The following headers are currently supported, but you can add custom header values:
The following headers are currently supported, but you can add custom header values via [`Add-PodeSecurityHeader`](../../../../Functions/Security/Add-PodeSecurityHeader) for any missing:

* Access-Control-Max-Age
* Access-Control-Allow-Methods
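Review bot: the replacement sentence ends with the dangling phrase "for any missing"; it is not clear what is missing. Suggest "...via `Add-PodeSecurityHeader` for any header not listed below." so readers know the function is the escape hatch for headers outside the supported list.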
Expand All @@ -13,6 +13,7 @@ The following headers are currently supported, but you can add custom header val
* Cross-Origin-Opener-Policy
* Strict-Transport-Security
* Content-Security-Policy
* Content-Security-Policy-Report-Only
* X-XSS-Protection
* Permissions-Policy
* X-Frame-Options
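Review bot: `Content-Security-Policy-Report-Only` is added to the supported list directly under `Content-Security-Policy`, but nothing in the list tells the reader it is emitted instead of, not alongside, the enforcing header. A short parenthetical on the new bullet, e.g. "(used in place of Content-Security-Policy when report-only mode is chosen)", would stop readers expecting both headers on a response.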
Expand All @@ -37,44 +38,44 @@ To remove all configured values, use [`Remove-PodeSecurity`](../../../../Functio

The following values are used for each header when the `Simple` type is supplied:

| Name | Value |
| ---- | ----- |
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referred-Policy | strict-origin |
| Name | Value |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | SAMEORIGIN |
| X-Content-Type-Options | nosniff |
| Referred-Policy | strict-origin |

The Server header is also hidden.

### Strict

The following values are used for each header when the `Strict` type is supplied:

| Name | Value |
| ---- | ----- |
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referred-Policy | no-referrer |
| Name | Value |
| ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Access-Control-Max-Age | 7200 |
| Access-Control-Allow-Methods | * |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Headers | * |
| Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Resource-Policy | same-origin |
| Cross-Origin-Opener-Policy | same-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Content-Security-Policy | default-src 'self' |
| X-XSS-Protection | 0 |
| Permissions-Policy | accelerometer=(), autoplay=(self), camera=(), display-capture=(self), fullscreen=(self), geolocation=(self), gyroscope=(self), magnetometer=(self), microphone=(), payment=(), picture-in-picture=(self), sync-xhr=(), usb=() |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referred-Policy | no-referrer |

The Server header is also hidden.

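Review bot: both rewritten tables still carry the misspelled header name `Referred-Policy` in their last row (Simple and Strict); the response header is `Referrer-Policy`. Since this hunk re-emits every row for column alignment anyway, it is the natural place to correct the spelling, so the documented name matches what the middleware actually sends. The rest of the hunk is padding only and the values are unchanged.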
Expand Down Expand Up @@ -153,12 +154,14 @@ The following functions exist:
* [`Set-PodeSecurityContentSecurityPolicy`](../../../../Functions/Security/Set-PodeSecurityContentSecurityPolicy)
* [`Remove-PodeSecurityContentSecurityPolicy`](../../../../Functions/Security/Remove-PodeSecurityContentSecurityPolicy)

The `Content-Security-Policy` header controls a whitelist of approved sourced from which the browser can load resoures. For example:
The `Content-Security-Policy` header controls a whitelist of approved sources from which the browser can load resources. For example:

```powershell
Set-PodeSecurityContentSecurityPolicy -Default 'self' -Image 'self', 'data'
```

By supplying the `-ReportOnly` switch, the `Content-Security-Policy-Report-Only` header will be used instead.

### Permissions Policy

The following functions exist:
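Review bot: the new `-ReportOnly` sentence says which header is emitted but not the consequence, namely that a report-only policy is only reported by the browser and never enforced, so the example directly above it stops being protective once the switch is set. Suggest extending it, e.g. "By supplying the `-ReportOnly` switch, the `Content-Security-Policy-Report-Only` header will be used instead; violations are then reported rather than blocked." It would also help to show the switch on the example itself: `Set-PodeSecurityContentSecurityPolicy -Default 'self' -Image 'self', 'data' -ReportOnly`.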