updates OWASP headers

Author: JaredCE

README.md

@@ -980,6 +980,7 @@ The full list of OWASP Secure Headers you can set are:
 - xContentTypeOptions - X-Content-Type-Options,
 - xFrameOptions - X-Frame-Options,
 - xPermittedCrossDomainPolicies - X-Permitted-Cross-Domain-Policies
+- xDNSPrefetchControl - X-DNS-Prefetch-Control
 
 You should note that `Pragma` has been [deprecated by owasp](https://owasp.org/www-project-secure-headers/#pragma), this plugin will issue a warning when you are still using Pragma and might drop support.
 

json/owasp.json

@@ -1,5 +1,5 @@
 {
-  "last_update_utc": "2024-09-19 21:29:28",
+  "last_update_utc": "2025-08-17 15:23:47",
   "headers": [
     {
       "name": "Cache-Control",
@@ -11,7 +11,7 @@
     },
     {
       "name": "Content-Security-Policy",
-      "value": "default-src 'self'; form-action 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+      "value": "default-src 'self'; form-action 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests"
     },
     {
       "name": "Cross-Origin-Embedder-Policy",
@@ -41,6 +41,10 @@
       "name": "X-Content-Type-Options",
       "value": "nosniff"
     },
+    {
+      "name": "X-DNS-Prefetch-Control",
+      "value": "off"
+    },
     {
       "name": "X-Frame-Options",
       "value": "deny"

src/owasp.js

@@ -67,6 +67,10 @@ class OWASP {
         description:
           "A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. When clients request content hosted on a particular source domain and that content makes requests directed towards a domain other than its own, the remote domain needs to host a cross-domain policy file that grants access to the source domain, allowing the client to continue the transaction. Normally a meta-policy is declared in the master policy file, but for those who can't write to the root directory, they can also declare a meta-policy using the X-Permitted-Cross-Domain-Policies HTTP response header. - [OWASP Link](https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies)",
       },
+      "X-DNS-Prefetch-Control": {
+        description:
+          "The HTTP X-DNS-Prefetch-Control response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth. - [MDN Link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-DNS-Prefetch-Control)",
+      },
     };
 
     this.headerMap = {
@@ -83,6 +87,7 @@ class OWASP {
       xContentTypeOptions: "X-Content-Type-Options",
       xFrameOptions: "X-Frame-Options",
       xPermittedCrossDomainPolicies: "X-Permitted-Cross-Domain-Policies",
+      xDNSPrefetchControl: "X-DNS-Prefetch-Control",
     };
   }