GaProgMan · GaProgMan · Dec 26, 2024 · Dec 26, 2024 · Dec 26, 2024 · Dec 26, 2024
diff --git a/changelog.md b/changelog.md
@@ -1,6 +1,6 @@
 # Changelog
 
-This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
+This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
 
 ## TL;DR
 
@@ -22,6 +22,10 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
 
 All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
 
+#### Version 9.6.x
+
+This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed. 
+
 #### Version 9.5.x
 
 This version saw the addition of attestation generation on both a per PR-build and Release basis. See the [Attestations](https://gaprogman.github.io/OwaspHeaders.Core/attestations) page of the documentation to read about how you can verify the attestations per build or release.

diff --git a/docs/changelog.md b/docs/changelog.md
@@ -6,7 +6,7 @@ nav_order: 7
 
 # Changelog
 
-This changelog represents all of the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
+This changelog represents all the major (i.e. breaking) changes made to the OwaspHeaders.Core project since it's inception. Early in the repo's development, GitHub's "releases" where used to release builds of the code repo. However shortly after it's inception, builds and releases where moved to [AppVeyor](https://ci.appveyor.com/project/GaProgMan/owaspheaders-core). Because of this, the releases on the GitHub repo became stale.
 
 ## TL;DR
 
@@ -28,6 +28,9 @@ This version dropped support for .NET 6 and .NET 7, as they are no longer suppor
 
 All projects in the [GitHub repo](https://github.com/GaProgMan/OwaspHeaders.Core) now build and run with either .NET 8 or .NET 9, whichever is present (deferring to the highest version number if both are present). As of November 19th, 2024 there are no new features in Version 9, so if you still need to use the NuGet package with .NET 6 or 7 please use Version 8 of the package.
 
+#### Version 9.6.x
+
+This version saw the addition of a number of _very_ small changes to the middleware's `Invoke` method which aimed to increase efficiency, reduce working memory usage, and increase execution speed.
 #### Version 9.5.x
 
 This version saw the addition of attestation generation on both a per PR-build and Release basis. See the [Attestations](https://gaprogman.github.io/OwaspHeaders.Core/attestations) page of the documentation to read about how you can verify the attestations per build or release.

diff --git a/src/OwaspHeaders.Core.csproj b/src/OwaspHeaders.Core.csproj
@@ -8,7 +8,7 @@
 
     <!-- NuGet metadata -->
     <PackageId>OwaspHeaders.Core</PackageId>
-    <Version>9.6.0</Version>
+    <Version>9.6.1</Version>
     <Authors>Jamie Taylor</Authors>
     <Company>RJJ Software Ltd</Company>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>

diff --git a/src/SecureHeadersMiddleware.cs b/src/SecureHeadersMiddleware.cs
@@ -7,143 +7,143 @@ namespace OwaspHeaders.Core;
 /// A middleware for injecting OWASP recommended headers into a
 /// HTTP Request
 /// </summary>
-public class SecureHeadersMiddleware()
+public class SecureHeadersMiddleware
 {
-private string _calculatedContentSecurityPolicy;
-private readonly Dictionary<string, string> _headers;
-private readonly RequestDelegate _next;
-private readonly SecureHeadersMiddlewareConfiguration _config;
+    private string _calculatedContentSecurityPolicy;
+    private readonly Dictionary<string, string> _headers;
+    private readonly RequestDelegate _next;
+    private readonly SecureHeadersMiddlewareConfiguration _config;
 
-public SecureHeadersMiddleware(RequestDelegate next, SecureHeadersMiddlewareConfiguration config) : this()
-{
-    _config = config;
-    _next = next;
-    _headers = new Dictionary<string, string>();
-}
-
-/// <summary>
-/// The main task of the middleware. This will be invoked whenever
-/// the middleware fires
-/// </summary>
-/// <param name="httpContext">The <see cref="HttpContext" /> for the current request or response</param>
-/// <returns></returns>
-public async Task InvokeAsync(HttpContext httpContext)
-{
-    if (_config == null)
+    public SecureHeadersMiddleware(RequestDelegate next, SecureHeadersMiddlewareConfiguration config)
     {
-        throw new ArgumentException(
-            $"Expected an instance of the {nameof(SecureHeadersMiddlewareConfiguration)} object.");
+        _config = config;
+        _next = next;
+        _headers = new Dictionary<string, string>();
     }
 
-    if (!RequestShouldBeIgnored(httpContext.Request.Path))
+    /// <summary>
+    /// The main task of the middleware. This will be invoked whenever
+    /// the middleware fires
+    /// </summary>
+    /// <param name="httpContext">The <see cref="HttpContext" /> for the current request or response</param>
+    /// <returns></returns>
+    public async Task InvokeAsync(HttpContext httpContext)
     {
-        if (_headers.Count == 0)
+        if (_config == null)
         {
-            GenerateRelevantHeaders();
+            throw new ArgumentException(
+                $"Expected an instance of the {nameof(SecureHeadersMiddlewareConfiguration)} object.");
         }
 
-        foreach (var (key, value) in _headers)
+        if (!RequestShouldBeIgnored(httpContext.Request.Path))
         {
-            httpContext.TryAddHeader(key, value);
+            if (_headers.Count == 0)
+            {
+                GenerateRelevantHeaders();
+            }
+
+            foreach (var (key, value) in _headers)
+            {
+                httpContext.TryAddHeader(key, value);
+            }
         }
-    }
 
-    // Call the next middleware in the chain
-    await _next(httpContext);
-}
-
-private void GenerateRelevantHeaders()
-{
-    if (_config.UseHsts)
-    {
-        _headers.TryAdd(Constants.StrictTransportSecurityHeaderName,
-            _config.HstsConfiguration.BuildHeaderValue());
+        // Call the next middleware in the chain
+        await _next(httpContext);
     }
 
-    if (_config.UseXFrameOptions)
+    private void GenerateRelevantHeaders()
     {
-        _headers.TryAdd(Constants.XFrameOptionsHeaderName,
-            _config.XFrameOptionsConfiguration.BuildHeaderValue());
-    }
+        if (_config.UseHsts)
+        {
+            _headers.TryAdd(Constants.StrictTransportSecurityHeaderName,
+                _config.HstsConfiguration.BuildHeaderValue());
+        }
 
-    if (_config.UseXssProtection)
-    {
-        _headers.TryAdd(Constants.XssProtectionHeaderName,
-            _config.XssConfiguration.BuildHeaderValue());
-    }
+        if (_config.UseXFrameOptions)
+        {
+            _headers.TryAdd(Constants.XFrameOptionsHeaderName,
+                _config.XFrameOptionsConfiguration.BuildHeaderValue());
+        }
 
-    if (_config.UseXContentTypeOptions)
-    {
-        _headers.TryAdd(Constants.XContentTypeOptionsHeaderName, Constants.XContentTypeOptionsValue);
-    }
+        if (_config.UseXssProtection)
+        {
+            _headers.TryAdd(Constants.XssProtectionHeaderName,
+                _config.XssConfiguration.BuildHeaderValue());
+        }
 
-    if (_config.UseContentSecurityPolicyReportOnly)
-    {
-        if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+        if (_config.UseXContentTypeOptions)
         {
-            _calculatedContentSecurityPolicy =
-                _config.ContentSecurityPolicyReportOnlyConfiguration.BuildHeaderValue();
+            _headers.TryAdd(Constants.XContentTypeOptionsHeaderName, Constants.XContentTypeOptionsValue);
         }
 
-        _headers.TryAdd(Constants.ContentSecurityPolicyReportOnlyHeaderName,
-            _calculatedContentSecurityPolicy);
-    }
-    else if (_config.UseContentSecurityPolicy)
-    {
-        if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+        if (_config.UseContentSecurityPolicyReportOnly)
         {
-            _calculatedContentSecurityPolicy = _config.ContentSecurityPolicyConfiguration.BuildHeaderValue();
+            if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+            {
+                _calculatedContentSecurityPolicy =
+                    _config.ContentSecurityPolicyReportOnlyConfiguration.BuildHeaderValue();
+            }
+
+            _headers.TryAdd(Constants.ContentSecurityPolicyReportOnlyHeaderName,
+                _calculatedContentSecurityPolicy);
         }
+        else if (_config.UseContentSecurityPolicy)
+        {
+            if (string.IsNullOrWhiteSpace(_calculatedContentSecurityPolicy))
+            {
+                _calculatedContentSecurityPolicy = _config.ContentSecurityPolicyConfiguration.BuildHeaderValue();
+            }
 
-        _headers.TryAdd(Constants.ContentSecurityPolicyHeaderName,
-            _calculatedContentSecurityPolicy);
-    }
+            _headers.TryAdd(Constants.ContentSecurityPolicyHeaderName,
+                _calculatedContentSecurityPolicy);
+        }
 
-    if (_config.UseXContentSecurityPolicy)
-    {
-        _headers.TryAdd(Constants.XContentSecurityPolicyHeaderName,
-            _config.ContentSecurityPolicyConfiguration.BuildHeaderValue());
-    }
+        if (_config.UseXContentSecurityPolicy)
+        {
+            _headers.TryAdd(Constants.XContentSecurityPolicyHeaderName,
+                _config.ContentSecurityPolicyConfiguration.BuildHeaderValue());
+        }
 
-    if (_config.UsePermittedCrossDomainPolicy)
-    {
-        _headers.TryAdd(Constants.PermittedCrossDomainPoliciesHeaderName,
-            _config.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
-    }
+        if (_config.UsePermittedCrossDomainPolicy)
+        {
+            _headers.TryAdd(Constants.PermittedCrossDomainPoliciesHeaderName,
+                _config.PermittedCrossDomainPolicyConfiguration.BuildHeaderValue());
+        }
 
-    if (_config.UseReferrerPolicy)
-    {
-        _headers.TryAdd(Constants.ReferrerPolicyHeaderName,
-            _config.ReferrerPolicy.BuildHeaderValue());
-    }
+        if (_config.UseReferrerPolicy)
+        {
+            _headers.TryAdd(Constants.ReferrerPolicyHeaderName,
+                _config.ReferrerPolicy.BuildHeaderValue());
+        }
 
-    if (_config.UseExpectCt)
-    {
-        _headers.TryAdd(Constants.ExpectCtHeaderName,
-            _config.ExpectCt.BuildHeaderValue());
-    }
+        if (_config.UseExpectCt)
+        {
+            _headers.TryAdd(Constants.ExpectCtHeaderName,
+                _config.ExpectCt.BuildHeaderValue());
+        }
 
-    if (_config.UseCacheControl)
-    {
-        _headers.TryAdd(Constants.CacheControlHeaderName,
-            _config.CacheControl.BuildHeaderValue());
-    }
+        if (_config.UseCacheControl)
+        {
+            _headers.TryAdd(Constants.CacheControlHeaderName,
+                _config.CacheControl.BuildHeaderValue());
+        }
 
-    if (_config.UseCrossOriginResourcePolicy)
-    {
-        _headers.TryAdd(Constants.CrossOriginResourcePolicyHeaderName,
-            _config.CrossOriginResourcePolicy.BuildHeaderValue());
+        if (_config.UseCrossOriginResourcePolicy)
+        {
+            _headers.TryAdd(Constants.CrossOriginResourcePolicyHeaderName,
+                _config.CrossOriginResourcePolicy.BuildHeaderValue());
+        }
     }
-}
 
-private bool RequestShouldBeIgnored(PathString requestedPath)
-{
-    if (_config.UrlsToIgnore.Count == 0)
+    private bool RequestShouldBeIgnored(PathString requestedPath)
     {
-        return false;
-    }
+        if (_config.UrlsToIgnore.Count == 0)
+        {
+            return false;
+        }
 
-    return requestedPath.HasValue &&
-           _config.UrlsToIgnore.Any(url => url.Equals(requestedPath.Value!, StringComparison.InvariantCulture));
-}
+        return requestedPath.HasValue &&
+               _config.UrlsToIgnore.Any(url => url.Equals(requestedPath.Value!, StringComparison.InvariantCulture));
+    }
 }