Stott Security 3.0.0

v3.0

This Release introduces support for the Permissions-Policy and includes a host of quality of life updates and fixes.

Features

• #135
  • Adds Support configuring the Permissions-Policy Header.
  • The Permission-Policy header can be activated or deactivated as a whole.
  • The Permission Policy screen includes full filtering ability to find all directives for a specific source or to filter sources by enabled state.
  • All changes to Permission Policy directives are audited.
  • The Settings Import and Export tools have been updated to support migrating of this functionality between environments.
• #214
  • Adds a warning around the deprecated nature of the X-XSS-Protection header. This header is known to cause vulnerabilities in some older browsers, newer browsers no longer respond to this header.
• #252
  • Adds support for 'inline-speculation-rules' withing the Content Security Policy.
• #253
  • Restrict allowed directives for specific special sources within the Content Security Policy. e.g. 'unsafe-inline' is now restricted to script and style based directives.
• #254
  • Update default directives to use 'self' with default-src instead of 'none'
• #262
  • Updated the Import Settings tool to allow it to import a section of the settings. This is based on the presence or absence of the CSP, CORS, Response Headers or Permissions Policy within the settings export file.
• #264
  • Add support for .NET 9
• #267
  • Removed the Stott Security Gadget from the CMS Editor Interface.
  • This component was read-only and offers no value for most implementations while creating friction in some installations.
  • A replacement feature is currently in consideration.
• #273
  • Remove obsolete methods:
    • SecurityServiceExtensions.AddCspManager()
    • SecurityServiceExtensions.UseCspManager()
  • Remove CspReportingViewComponent

Bugs

• #208
  • Correct an Issue with the Menu Provider that was causing some builds to activate the NONCE on admin screens
  • Correct the landing page for the Stott Security module to render the NONCE attribute on style and script tags.
• #265
  • Update the Internal Reporting endpoint to handle single reports or an array of reports.
  • This is in light of some browsers such as MacOs Safari sending Report-Uri style error reports to the Report-To endpoint.

Stott Security 2.8.2

Hotfix v2.8.2

• #249
  • Update Nonce Provider so that it generates a value when any content type is in the content render context.
    • This was previously returning a value only when a PageData object was in the content render context.
      • This was to handle the CMS backend not supporting Nonce attributes.
      • This prevented the use of the Nonce Provider within the render context for a block.
    • This change supports updating the content of an Embed Block to add a nonce to script and style tags.

Full Changelog: v2.8.1...v2.8.2

Stott Security 2.8.1

Bugs

#245
Add a sort order to the Nonce Tag Helper so that both it and the .NET ScriptTagHelper can both operate on the same script tag.

Full Changelog: v2.8.0...v2.8.1

Stott Security 2.8

v2.8

This release is now available on the following nuget feeds:

nuget.org
nuget.optimizely.com
api.nuget.optimizely.com

Features

• #232
  • Rebuilt the menus to utilize the standard Optimizely Menus. This will create a more consistent browsing journey moving between sections of the module.
• #235
  • Increase usage of caching when loading configuration to improve performance.
  • Use Lazy Loaded DbContext so that the context is not activated or injected until it is absolutely required.

Bugs

• #230
  • Updated the dependencies for Microsoft.EntityframeworkCore.SqlServer to target 7.x.x+
    • To support breaking changes for Entity Framework moving from v6 to v7 within .NET 6.0
  • Updated the dependencies for EPiServer.CMS.UI.Core to target 12.27.0+
• #237
  • Updated the CMS Gadget to be compatible with Opti Id
  • A custom implementation of IFrameComponentAttribute has been created which will extract the roles from the security profile to ensure only users that have access to Stott Security can access the gadget.

Stott Security 2.7

Version 2.7

Features

• #194
  • Added a new CTA to the Expose Headers for CORS. When clicked this will add the following Expose Headers:
    • x-epi-contentguid
    • x-epi-branch
    • x-epi-siteid
    • x-epi-startpageguid
    • x-epi-remainingroute
    • x-epi-contextmode
• #210
  • Added a new CMS Editor Gadget that will show the security headers that will be generated for any content page.
  • The gadget will show if the CSP can be extended and if it is being extended for the page being viewed.
    • See Extending the CSP for a single content page.
  • If the content type selected is not a page, then the global headers will be shown in the gadget.
• #224
  • The order of directive name and description have been changed so that the directive name is displayed first on the following components:
    • The CSP Sources List
    • The CSP Source Modal
  • This has been done following in-person observations of user interactions with the UI.

Bugs

• #209
  • Corrected an issue where Button text would wrap mid-word on the CSP Violation tab.
• #218
  • Corrected security headers to be returned for all HTTP methods and not just GET methods.
• #222
  • Corrected NONCE generation within the CSP so that it is only created for script-src, script-src-elem, style-src and style-src-elem
  • There is currently no guidance on how to handle NONCE within JavaScript attributes and Style attributes on HTML elements. As such, the browsers are not handling NONCE within script-src-attr or style-src-attr.

Stott Security 2.6

Version 2.6

This update has been published to api.nuget.optimizely.com and nuget.org.

Features

• #196
  • Added a new Tools tab
  • Added the ability to export all settings as a JSON file from the Tools tab.
  • Added the ability to validate and import all settings as a JSON file from the Tools tab.
    • This action will be fully audited.

Bugs

• #202
  • Cleansed violation data when it is submitted via the report-uri or report-to endpoints.
    • The violating source is limited to 255 characters. If the Host and Path exceeds this limit, we will now reduce the reported URL to just the Host. If this still exceeds the limit, we will discard the report to protect the database.
• #204
  • Increased overall cache duration of all security headers from 1 hour to 12 hours.
  • Added caching to the CSP Settings Service to reduce the number of calls to database.
    • Updated the Allow List Service to use the CSP Settings Service instead of the repository so that it can now benefit from caching of the CSP Settings.
  • Added lazy loading of dependencies to the following common services to avoid creating a DbContext unless absolutely required:
    • CSP Violation Report Service
    • CSP Settings Service
    • CORS Policy Provider
    • Header Compilation Service
  • Observed Improvements over a limited test run:
    • Above 95% reduction in the creation of DbContexts.
    • Above 97% reduction in the number of requests to get settings from the database.
    • It is expected that these gains will be higher in a production environment.

Stott Security 2.5

Version 2.5

This update has been published to api.nuget.optimizely.com and nuget.org.

Features

• #184
  • Added the ability to on/off the use of the Internal CSP Reporting endpoints.
    • If the internal CSP Reporting functionality is disabled. These endpoints will return a 200 response stating no data has been retained.
  • Added the ability to define external CSP Reporting endpoints.
    • These will validate your endpoint responds correctly to a CSP report.
  • Updated the Violations tab to show if the internal reporting mechanism is disabled or not.
  • Created a new URL component for use for the new External Reporting URLs and updated the External Allowlist URL property to use this new component.

Bugs

• #197
  • If you had code that added the Cache-Control header that executed before the retrieval of JS and CSS artefacts for the admin page, then these would fail to load due to a duplicate header error.
  • Refactored logic for adding or updating headers to be more reusable.
  • Corrected the endpoint for getting the JS & CSS for the administration endpoint to use the new safer logic.

Stott Security 2.4.2.0

Version 2.4.2

Bug Fixes

• #190
  • Correct source validation to allow for the ws: and wss: schema to be added.
  • Correct source validation to allow for short urls with 2 letter domain suffixes (e.g. .io or .co)

Stott Security 2.4.1.0

Version 2.4.1

Bug Fixes

• #186
  • Added specific Http Get attributes to the Header Preview API.
  • Contributed by @adayinthelifeofapro

New Contributors

• @adayinthelifeofapro made their first contribution in #187

Stott Security 2.4.0.0

Version 2.4.0

This update has been published to nuget.org.

There are no functional changes in this release. Instead this release adds multiple framework support for both .NET 6.0 and .NET 8.0. This was introduced due to a compatibility issue with Entity Framework Migrations in .NET 8.0 using Microsoft.EntityFrameworkCore.SqlServer version 8.0.1 or later

.NET 6.0 will reference version 6.0.6 of Microsoft.EntityFrameworkCore.SqlServer
.NET 8.0 will reference version 8.0.1 of Microsoft.EntityFrameworkCore.SqlServer