Releases: GeekInTheNorth/Stott.Security.Optimizely

Stott Security 7.0.1

28 Apr 08:01
d10553c

7.0.1

Bugs

  • #371
    • Remove the UI dependency on the Axios package and replace it with leaner direct JavaScript code.

Stott Security 7.0.0

07 Apr 11:14
0108d60

V7.0.0

Features

  • #103
    • Refactor all headers so that they can be managed on a global, application or host level
    • Permissions Policy acts on an override basis: you can set a global configuration and inherit or override it at an application or host level.
    • Response Headers act on an override basis: you can set a global configuration and inherit or override it at an application or host level.
    • Content Security Policy:
      • Settings and Sandbox act on an override basis: you can set a global configuration and inherit or override it at an application or host level.
      • Sources act on an inheritance model. When compiling the Content Security Policy, sources will be merged from the following:
        • Global Level
        • Application Level
        • Host Level
        • Page Level
  • #339
    • Update the solution to target Optimizely CMS 13
    • Removed previous support for .NET 6 to .NET 9
    • Added support for .NET 10
    • Replaced Site based functionality with Application based functionality.
      • Because CMS 12 and CMS 13 remain supported in parallel, the two versions use different tables within the database, so upgrading from CMS 12 to CMS 13 requires a reconfiguration.

Stott Security 5.0

05 Mar 09:29
b1aa453

Stott Security 5.0.0

Features:

Stott Security 4.0.0

16 Jan 08:53
b0be646

Stott Security 4.0.0

Features

Bugs

Stott Security 3.2.1

10 Nov 14:34
6255018

#319 Add Antiforgery token to prevent errors in the CMS UI with the Optimizely Notifications service.

Stott Security 3.2

23 Jun 22:11
b7f5a4e

v3.2

This is a bug fix release which largely focuses on updating UI dependencies.

Bugs

  • #307
    • Update dependencies versions for axios, bootstrap and react-bootstrap
    • Replace moment with date-fns
  • #311
    • Correct validation for "Allow Credentials" for CORS.

Stott Security 3.1

03 Jun 21:34
c215112

v3.1

This is a bug fix release which largely focuses on improving Content Security Policy nonce usage and the reporting endpoints.

Bugs

  • #259
    • Relax validation for Content Security Policy sources to allow for more complicated valid sources to be added.
    • Special thanks to @wpelczar for their contribution.
  • #286
    • Update Content Security Policy nonce generation to be cryptographically secure.
    • Special thanks to @matstos for their contribution.
  • #287
    • Remove prefetch-src as an available directive for the Content Security Policy.
    • Many browsers did not implement prefetch-src and so it was removed from the specification.
  • #288
    • Update the report-to endpoint to respond to OPTIONS requests.
  • #291
    • Change the report-to header so that the internal reporting URL is applied after the headers are retrieved from cache.
    • This means the report-to URL is generated from the host of the current request rather than the host that populated the cache.
  • #297
    • Correct nonce retrieval when DefaultNonceProvider.cs is used within a block to enrich script and style elements with a nonce while manually building raw HTML for rendering.
    • Code that used Optimizely's built-in ClientResources module at a block level to render script and style tags on the page did not have this issue (e.g. ClientResources.RequireScriptInline("").AtFooter();).
  • #302
    • Corrected an issue where the wrong violation could be added to the Content Security Policy when using "Add CSP Entry" while violations are filtered by URL.

Stott Security 3.0.2.0

21 Apr 23:00
8497420

Hotfix 3.0.2

  • #279
    • Apply a terminal threshold above which the CSP is not produced at all. This prevents users from being locked out of the system entirely by Cloudflare's hard 16KB per-header limit.
  • #282
    • Remove the report-uri directive from the CSP as this is deprecated.
    • Remove the navigate-to directive from the CSP as it was specified, never implemented and then deprecated.
    • Both removals help reduce the size of the CSP.

Stott Security 3.0.1.0

15 Apr 13:31

Hotfix 3.0.1

  • #279
    • Handle large CSPs that exceed the best-practice 8KB header size limit.
    • Excessive CSPs were causing browsers or even the CDN to drop the request.
      • Cloudflare, used by Optimizely DXP, has a hard 16KB limit on header sizes.
      • Browser support for header sizes varies from 8KB upwards.
    • Large CSPs will now be split into multiple headers grouped by responsibility and fallback behaviours.
  • #272
    • Add validation to prevent wildcard origins being used together with credentials, as this is an invalid CORS policy and can break the site.
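The header-size handling described in hotfixes 3.0.1 and 3.0.2 above, as an added example in C#. This is not Stott Security's own code; only the 8KB and 16KB thresholds come from the release notes, while the directive grouping, the class and method names and the sample policy are assumptions made here. The caveat it encodes is the one that makes "grouped by responsibility and fallback behaviours" necessary: browsers enforce each Content-Security-Policy header independently, so a directive that falls back to default-src cannot be moved into a header that lacks default-src without changing what the policy allows, and report-to has to be repeated in every header because each policy reports its own violations.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example, not Stott Security's own code. Builds Content-Security-Policy header
// values from a directive map, splits them across several headers when one header would
// exceed the 8KB best-practice limit, and emits no CSP at all once a header would still
// exceed the 16KB hard limit quoted in the release notes. Thresholds come from the notes;
// the directive grouping below is an assumption made for this example.
public static class CspHeaderBuilder
{
    public const int SplitThresholdBytes = 8 * 1024;     // best-practice per-header limit
    public const int TerminalThresholdBytes = 16 * 1024; // Cloudflare hard per-header limit

    // Directives that never fall back to default-src. Browsers enforce each CSP header
    // independently, so any directive that does fall back to default-src must stay in the
    // same header as default-src; otherwise the header lacking it would apply default-src
    // to that resource type and silently tighten the policy.
    private static readonly HashSet<string> StandaloneDirectives =
        new(StringComparer.OrdinalIgnoreCase)
        {
            "base-uri", "form-action", "frame-ancestors", "sandbox",
            "upgrade-insecure-requests", "require-trusted-types-for", "trusted-types"
        };

    // report-to is repeated in every header: each policy reports its own violations.
    private const string ReportingDirective = "report-to";

    private static bool IsReporting(string key) =>
        key.Equals(ReportingDirective, StringComparison.OrdinalIgnoreCase);

    public static string Serialize(IEnumerable<KeyValuePair<string, string>> directives) =>
        string.Join("; ", directives.Select(d =>
            string.IsNullOrWhiteSpace(d.Value) ? d.Key : $"{d.Key} {d.Value}"));

    // Returns the header values to emit; an empty list means "send no CSP".
    public static IReadOnlyList<string> Build(IEnumerable<KeyValuePair<string, string>> policy)
    {
        var directives = policy.ToList();
        var full = Serialize(directives);
        if (Encoding.UTF8.GetByteCount(full) <= SplitThresholdBytes)
            return CheckTerminal(new[] { full });

        var reporting = directives.Where(d => IsReporting(d.Key)).ToList();
        var fetchGroup = directives
            .Where(d => !StandaloneDirectives.Contains(d.Key) && !IsReporting(d.Key)).ToList();
        var standaloneGroup = directives.Where(d => StandaloneDirectives.Contains(d.Key)).ToList();

        var headers = new List<string>();
        foreach (var group in new[] { fetchGroup, standaloneGroup })
        {
            if (group.Count == 0) continue;
            headers.Add(Serialize(group.Concat(reporting)));
        }
        return CheckTerminal(headers);
    }

    // If any header still breaks the hard limit the CDN would reject the response outright,
    // which could lock editors out; in that case emit no CSP so the operator can trim it.
    private static IReadOnlyList<string> CheckTerminal(IReadOnlyList<string> headers) =>
        headers.Any(h => Encoding.UTF8.GetByteCount(h) > TerminalThresholdBytes)
            ? Array.Empty<string>()
            : headers;

    public static void Main()
    {
        // Constructed sample: 400 allowed script hosts push script-src well past 8KB.
        var hosts = string.Join(" ",
            Enumerable.Range(1, 400).Select(i => $"https://cdn{i:D3}.example.test"));
        var policy = new List<KeyValuePair<string, string>>
        {
            new("default-src", "'self'"),
            new("script-src", "'self' " + hosts),
            new("style-src", "'self'"),
            new("frame-ancestors", "'none'"),
            new("form-action", "'self'"),
            new("report-to", "csp-endpoint")
        };

        var headers = Build(policy);
        Console.WriteLine($"Emitting {headers.Count} Content-Security-Policy header(s)");
        foreach (var h in headers)
            Console.WriteLine($"  {Encoding.UTF8.GetByteCount(h),6} bytes: {h.Substring(0, Math.Min(60, h.Length))}...");
    }
}
```

With the constructed policy the fetch group alone still exceeds 8KB after the split, which is the realistic outcome once script-src carries hundreds of hosts: the split buys headroom for the standalone directives but cannot shrink the fetch group without changing its meaning, so trimming sources (or moving inline allowances to nonces) remains the operator's job.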
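The CORS check introduced in #272 above (and corrected again for "Allow Credentials" in #311 of release 3.2), as an added example in C#. It is not Stott Security's own code, and the configuration class, property names and sample origins are assumptions. The rule it enforces is a browser rule, not a product choice: a credentialed cross-origin response must name the exact origin, so `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` is rejected by the browser and every credentialed request from the front end fails.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Stott Security's own code. Validates a CORS configuration the way the
// release notes describe: a wildcard origin combined with Allow Credentials is rejected,
// because browsers refuse credentialed responses that carry
// "Access-Control-Allow-Origin: *". Class and property names are assumptions.
public sealed class CorsConfiguration
{
    public List<string> AllowedOrigins { get; } = new();
    public bool AllowCredentials { get; set; }
}

public static class CorsValidator
{
    private static bool IsWildcard(string origin) => origin.Trim() == "*";

    public static IReadOnlyList<string> Validate(CorsConfiguration config)
    {
        var errors = new List<string>();
        var hasWildcard = config.AllowedOrigins.Any(IsWildcard);

        if (config.AllowCredentials && hasWildcard)
            errors.Add("Allow Credentials cannot be combined with the wildcard origin '*'; " +
                       "browsers reject credentialed responses with 'Access-Control-Allow-Origin: *'.");

        if (config.AllowCredentials && !config.AllowedOrigins.Any(o => !IsWildcard(o)))
            errors.Add("Allow Credentials requires at least one explicit origin to echo back.");

        foreach (var origin in config.AllowedOrigins.Where(o => !IsWildcard(o)))
        {
            // A CORS origin is scheme://host[:port] with no path, query, fragment or trailing slash.
            if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)
                || uri.PathAndQuery != "/" || uri.Fragment.Length > 0 || origin.EndsWith("/"))
                errors.Add($"'{origin}' is not a valid origin (expected scheme://host[:port]).");
        }
        return errors;
    }

    // Response headers for a request from requestOrigin under a validated configuration:
    // '*' is only ever sent for non-credentialed policies; otherwise the matching origin is
    // echoed back with Vary: Origin so shared caches keep per-origin responses apart.
    public static Dictionary<string, string> ResponseHeaders(CorsConfiguration config, string requestOrigin)
    {
        var headers = new Dictionary<string, string>();
        var match = config.AllowedOrigins.FirstOrDefault(o =>
            string.Equals(o, requestOrigin, StringComparison.OrdinalIgnoreCase));

        if (match is null)
        {
            if (config.AllowedOrigins.Any(IsWildcard) && !config.AllowCredentials)
                headers["Access-Control-Allow-Origin"] = "*";
            return headers; // no match: emit nothing and let the browser block the response
        }

        headers["Access-Control-Allow-Origin"] = match;
        headers["Vary"] = "Origin";
        if (config.AllowCredentials)
            headers["Access-Control-Allow-Credentials"] = "true";
        return headers;
    }

    public static void Main()
    {
        // Constructed configurations: the invalid combination first, then a valid one.
        var invalid = new CorsConfiguration { AllowCredentials = true };
        invalid.AllowedOrigins.Add("*");
        foreach (var error in Validate(invalid))
            Console.WriteLine($"INVALID: {error}");

        var valid = new CorsConfiguration { AllowCredentials = true };
        valid.AllowedOrigins.Add("https://editor.example.test");
        Console.WriteLine($"Errors for valid config: {Validate(valid).Count}");
        foreach (var (name, value) in ResponseHeaders(valid, "https://editor.example.test"))
            Console.WriteLine($"{name}: {value}");
    }
}
```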

Stott Security 3.0.0

06 Apr 15:02
b9fdf8e

v3.0

This release introduces support for the Permissions-Policy header and includes a host of quality-of-life updates and fixes.

Features

  • #135
    • Adds support for configuring the Permissions-Policy header.
    • The Permissions-Policy header can be activated or deactivated as a whole.
    • The Permissions Policy screen includes full filtering to find all directives for a specific source or to filter sources by enabled state.
    • All changes to Permissions Policy directives are audited.
    • The Settings Import and Export tools have been updated to support migrating this functionality between environments.
  • #214
    • Adds a warning about the deprecated nature of the X-XSS-Protection header. This header is known to cause vulnerabilities in some older browsers, and newer browsers no longer act on it.
  • #252
    • Adds support for 'inline-speculation-rules' within the Content Security Policy.
  • #253
    • Restrict the directives allowed for specific special sources within the Content Security Policy, e.g. 'unsafe-inline' is now restricted to script- and style-based directives.
  • #254
    • Update default directives to use 'self' with default-src instead of 'none'
  • #262
    • Updated the Import Settings tool to allow it to import a section of the settings. This is based on the presence or absence of the CSP, CORS, Response Headers or Permissions Policy within the settings export file.
  • #264
    • Add support for .NET 9
  • #267
    • Removed the Stott Security Gadget from the CMS Editor Interface.
    • This component was read-only and offered no value for most implementations while creating friction in some installations.
    • A replacement feature is currently in consideration.
  • #273
    • Remove obsolete methods:
      • SecurityServiceExtensions.AddCspManager()
      • SecurityServiceExtensions.UseCspManager()
    • Remove CspReportingViewComponent

Bugs

  • #208
    • Correct an issue with the Menu Provider that was causing some builds to activate the nonce on admin screens.
    • Correct the landing page for the Stott Security module to render the nonce attribute on style and script tags.
  • #265
    • Update the internal reporting endpoint to handle either a single report or an array of reports.
    • This is in light of some browsers, such as Safari on macOS, sending report-uri style error reports to the report-to endpoint.
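The two reporting-endpoint changes noted on this page, #288 in release 3.1 (respond to OPTIONS requests) and #265 above (accept a single report or an array), as one added example in C#. This is not Stott Security's own code: the record and method names are assumptions, the sample payloads are constructed rather than captured from a browser, and the field names are those of the report-uri format (`csp-report` with `document-uri`, `violated-directive`, `blocked-uri`) and the Reporting API CSP violation body (`documentURL`, `effectiveDirective`, `blockedURL`). Only System.Text.Json is used, so the parsing logic can be exercised from a console project without the web host.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Added example, not Stott Security's own code. Parses the body of a CSP reporting request
// whether it is a report-uri style single object ({"csp-report": {...}}) or a Reporting API
// array ([{"type": "csp-violation", "body": {...}}, ...]), and answers the preflight OPTIONS
// request browsers send before posting a Reporting API batch (its content type,
// application/reports+json, is not a "simple" CORS type, so a preflight always precedes it).
public sealed record CspViolation(string DocumentUri, string ViolatedDirective, string BlockedUri);

public static class CspReportParser
{
    public static IReadOnlyList<CspViolation> Parse(string body)
    {
        var violations = new List<CspViolation>();
        using var doc = JsonDocument.Parse(body);
        var root = doc.RootElement;

        switch (root.ValueKind)
        {
            case JsonValueKind.Array:
                foreach (var report in root.EnumerateArray())
                    AddIfPresent(violations, report);
                break;
            case JsonValueKind.Object:
                AddIfPresent(violations, root);
                break;
            default:
                throw new JsonException("Report body must be a JSON object or array.");
        }
        return violations;
    }

    private static void AddIfPresent(List<CspViolation> sink, JsonElement report)
    {
        // report-uri format nests the fields under "csp-report"; the Reporting API under "body".
        if (report.TryGetProperty("csp-report", out var legacy))
            sink.Add(Read(legacy, "document-uri", "violated-directive", "blocked-uri"));
        else if (report.TryGetProperty("body", out var modern)
                 && report.TryGetProperty("type", out var type)
                 && type.GetString() == "csp-violation")
            sink.Add(Read(modern, "documentURL", "effectiveDirective", "blockedURL"));
        // Anything else in a batch (e.g. a deprecation report) is not a CSP violation and is skipped.
    }

    private static CspViolation Read(JsonElement e, string docKey, string directiveKey, string blockedKey) =>
        new(Get(e, docKey), Get(e, directiveKey), Get(e, blockedKey));

    private static string Get(JsonElement e, string key) =>
        e.TryGetProperty(key, out var v) && v.ValueKind == JsonValueKind.String
            ? v.GetString()!
            : string.Empty;

    // Preflight answer for the reporting endpoint: no body, just the allowed method and header.
    // '*' is valid here only because the endpoint never requires credentials (an assumption).
    public static (int StatusCode, Dictionary<string, string> Headers) HandleOptions() =>
        (204, new Dictionary<string, string>
        {
            ["Access-Control-Allow-Methods"] = "POST, OPTIONS",
            ["Access-Control-Allow-Headers"] = "Content-Type",
            ["Access-Control-Allow-Origin"] = "*"
        });

    public static void Main()
    {
        // Constructed sample payloads (not captured from a real browser).
        const string legacy =
            "{\"csp-report\":{\"document-uri\":\"https://www.example.test/\"," +
            "\"violated-directive\":\"script-src\",\"blocked-uri\":\"https://cdn.example.test/x.js\"}}";
        const string batch =
            "[{\"type\":\"csp-violation\",\"age\":10,\"url\":\"https://www.example.test/\"," +
            "\"body\":{\"documentURL\":\"https://www.example.test/\",\"effectiveDirective\":\"img-src\"," +
            "\"blockedURL\":\"https://img.example.test/a.png\"}}," +
            "{\"type\":\"deprecation\",\"body\":{\"id\":\"example\"}}]";

        foreach (var payload in new[] { legacy, batch })
            foreach (var v in Parse(payload))
                Console.WriteLine($"{v.ViolatedDirective}: {v.BlockedUri} on {v.DocumentUri}");

        var (status, headers) = HandleOptions();
        Console.WriteLine($"OPTIONS -> {status} {string.Join(", ", headers.Keys)}");
    }
}
```

A defender reading the parsed violations should treat `BlockedUri` as attacker-influenced input (it is whatever the page tried to load), so it belongs in a log field or an allow-list candidate list, never in a query or a rendered admin page without encoding.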