Released Enhancements
Security Enhancements: Strengthened Redirect Validation and HSTS Policy
We’ve implemented multiple updates to enhance site security, protect user sessions, and ensure consistent HTTPS enforcement across all Municipal Websites Evolve sites.
What’s Changed
Improved Redirect Validation: The sign-out process now includes stricter validation of redirect destinations. Any unrecognized or partial referrer automatically routes users to the home page, preventing potential misuse of redirect parameters and ensuring secure, predictable navigation.
Expanded HSTS Coverage: The HTTP Strict Transport Security (HSTS) policy for API and authentication routes now includes the includeSubDomains directive. This ensures all subdomains enforce HTTPS connections, preventing insecure (HTTP) requests and improving transport-layer security.
.NET Framework Security Update: Updated the version of .NET to address a vulnerability in ASP.NET Core 10.0, 9.0, 8.0, and 2.3. This update mitigates a security issue where inconsistent interpretation of HTTP requests (known as "HTTP request/response smuggling") could allow an authorized attacker to bypass security features over a network.
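To make the redirect validation and HSTS changes concrete, here is an added example (not the platform's own code) of the kind of check the sign-out flow describes: it only honours same-site destinations and sends everything unrecognized, partial or off-site to the home page, and it generalizes a little beyond the note by also covering protocol-relative, credential-in-authority and backslash variants. The host list, home path and function names are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for the example; the real allowed hosts and home path
# would come from the site's configuration, not from this snippet.
HOME_PATH = "/"
ALLOWED_HOSTS = frozenset({"www.example-city.gov", "example-city.gov"})


def safe_signout_redirect(return_url, allowed_hosts=ALLOWED_HOSTS):
    """Validate a post-sign-out redirect target.

    Returns a same-site relative URL, or HOME_PATH when the target is
    missing, partial (no leading slash and no scheme), off-site or malformed.
    """
    if not return_url:
        return HOME_PATH
    candidate = return_url.strip()
    # Control characters, embedded whitespace and backslashes are never
    # legitimate here; browsers treat "/\evil.com" like "//evil.com".
    if any(ord(ch) < 0x21 for ch in candidate) or "\\" in candidate:
        return HOME_PATH
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. a malformed IPv6 literal in the authority
        return HOME_PATH
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: only https to a known
        # host survives. "https://good@evil.com" yields hostname "evil.com".
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return HOME_PATH
    path = parts.path or "/"
    # The re-emitted target must be a single-slash rooted path; this also stops
    # "https://good.host//evil.com", whose bare path would be protocol-relative.
    if not path.startswith("/") or path.startswith("//"):
        return HOME_PATH
    # Re-emit only the relative portion so the host is never caller-controlled.
    query = f"?{parts.query}" if parts.query else ""
    fragment = f"#{parts.fragment}" if parts.fragment else ""
    return f"{path}{query}{fragment}"


def hsts_header(max_age_seconds=31536000, include_subdomains=True):
    """Build the Strict-Transport-Security value the release note describes."""
    value = f"max-age={max_age_seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value
```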
Impact
These enhancements strengthen user protection against potential redirection exploits and ensure encrypted connections across all application endpoints and subdomains.