OwaspHeaders.Core 9.9 Adds Clear-Site-Data Header Support for Enhanced Security Control

RJJ Software is pleased to announce the release of OwaspHeaders.Core version 9.9, introducing support for the Clear-Site-Data HTTP header. This powerful addition gives developers fine-grained control over client-side data clearing, particularly valuable for logout scenarios and security-critical operations.

What’s New in 9.9

The headline feature of this release is support for the Clear-Site-Data header, which allows web applications to instruct browsers to clear specific types of client-side data. This addresses a common security concern: ensuring that sensitive data is properly removed from the client when users log out or perform other security-sensitive actions.

Key Features

Path-Specific Configuration

  • Configure Clear-Site-Data for specific endpoints like logout routes
  • Selective control over which data types to clear (cache, cookies, storage)
  • Wildcard support for clearing all client data in high-security scenarios
  • Exact path matching with flexible precedence rules

Developer-Friendly Implementation

  • Intentionally not included in default configuration due to its potentially disruptive nature
  • Simple opt-in configuration through the familiar builder pattern
  • Support for both individual path configuration and bulk path setup
  • Full integration with existing OwaspHeaders.Core security header configurations

Production-Ready Design

  • Minimal performance overhead (less than 1ms per request)
  • Automatic deduplication of directives
  • Only stable, well-supported directive values (no experimental features)
  • Comprehensive documentation with real-world examples

Why Clear-Site-Data Matters

The Clear-Site-Data header addresses several critical security scenarios that traditional session management alone cannot fully resolve:

  • Enhanced Logout Security: Ensures all client-side data is cleared when users log out, preventing potential session hijacking through cached data
  • Privilege Changes: Clears sensitive cached data after authentication state changes
  • Security Incident Response: Forces data clearing during security incidents
  • Administrative Actions: Clears cache after configuration changes

Prior to this release, developers had limited control over client-side data persistence after logout, potentially leaving sensitive information in browser caches or storage.

Getting Started with Clear-Site-Data

Configuring Clear-Site-Data in OwaspHeaders.Core 9.9 follows the same simple builder pattern you’re familiar with:

var config = SecureHeadersMiddlewareBuilder
    .CreateBuilder()
    .UseHsts()
    .UseXFrameOptions()
    .UseContentTypeOptions()
    .AddClearSiteDataPath("/logout", ClearSiteDataOptions.wildcard)
    .AddClearSiteDataPath("/api/auth/signout", ClearSiteDataOptions.cache, ClearSiteDataOptions.cookies)
    .Build();

app.UseSecureHeadersMiddleware(config);

For logout endpoints, using the wildcard option provides maximum security by clearing all client-side data:

.AddClearSiteDataPath("/logout", ClearSiteDataOptions.wildcard)

This results in the header Clear-Site-Data: "*" being sent, instructing the browser to clear all cache, cookies, and storage for your origin.
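
Because the header is opt-in and path-specific, it is worth checking after deployment that each configured path sends the directives you expect and that no other path sends the header. The following is an added example, not code from OwaspHeaders.Core or its documentation: the ClearSiteDataAudit class, its Parse and Audit methods, the /dashboard path and the sample header values are all constructed for illustration, and the wildcard is treated as covering the three data types this page names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
public static class ClearSiteDataAudit   // hypothetical helper, not part of OwaspHeaders.Core
{
    // Data types named on this page; the wildcard "*" is expanded to all of them.
    static readonly string[] Types = { "cache", "cookies", "storage" };
    // Parses a header value: comma-separated quoted strings such as "cache", "cookies".
    public static HashSet<string> Parse(string value)
    {
        var sent = new HashSet<string>();
        foreach (var token in value.Split(',').Select(t => t.Trim()))
        {
            if (token.Length < 3 || token[0] != '"' || token[^1] != '"')
                throw new FormatException($"not a quoted directive: {token}");
            var name = token[1..^1];
            if (name == "*") sent.UnionWith(Types);
            else if (Types.Contains(name)) sent.Add(name);
            else throw new FormatException($"unknown directive: {name}");
        }
        return sent;
    }
    // Observed value null = header absent; paths missing from `expected` must not send it.
    public static List<string> Audit(IDictionary<string, string?> observed,
                                     IDictionary<string, string[]> expected)
    {
        var findings = new List<string>();
        foreach (var (path, value) in observed)
        {
            var sent = value is null ? new HashSet<string>() : Parse(value);
            var want = expected.TryGetValue(path, out var w) ? w : Array.Empty<string>();
            foreach (var missing in want.Except(sent))
                findings.Add($"{path}: \"{missing}\" is not cleared");
            if (want.Length == 0 && sent.Count > 0)
                findings.Add($"{path}: unexpected Clear-Site-Data ({value})");
        }
        return findings;
    }
    public static void Main()
    {
        // Constructed sample: signout lacks "cookies", /dashboard should send nothing.
        var observed = new Dictionary<string, string?> {
            ["/logout"] = "\"*\"", ["/"] = null, ["/dashboard"] = "\"storage\"",
            ["/api/auth/signout"] = "\"cache\"" };
        var expected = new Dictionary<string, string[]> {
            ["/logout"] = Types, ["/api/auth/signout"] = new[] { "cache", "cookies" } };
        Audit(observed, expected).ForEach(Console.WriteLine);
    }
}
```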

Real-World Benefits

  • Improved Security Posture: Developers can now ensure complete data clearing on logout, addressing compliance requirements and security best practices
  • Flexible Control: Choose between clearing all data or selectively clearing specific data types based on your security needs
  • Better User Privacy: Give users confidence that their data is properly cleared when they log out

Maintaining Backward Compatibility

As with all OwaspHeaders.Core releases, version 9.9 maintains full backward compatibility. Applications upgrading from previous versions will continue to function exactly as before. The Clear-Site-Data header is only added when explicitly configured, ensuring no unexpected behavior.

Looking Forward

This release demonstrates our ongoing commitment to keeping OwaspHeaders.Core aligned with modern web security standards. As browsers continue to evolve their security models, we’ll continue to add support for new security headers and best practices.

The project continues to grow, with over 1.4 million downloads on NuGet and an active community of contributors. We’re grateful for the continued support and feedback that drives these improvements.

Get the Update

OwaspHeaders.Core 9.9 is available now on NuGet. To add or upgrade the package in your project:

dotnet add package OwaspHeaders.Core --version 9.9.0

For complete documentation on the Clear-Site-Data header, including advanced configuration options and best practices, visit the official documentation.

About OwaspHeaders.Core

OwaspHeaders.Core is an open-source ASP.NET Core middleware that automatically adds OWASP-recommended security headers to HTTP responses. With over 1.4 million downloads, it has become an essential tool for developers building secure web applications. The project is maintained by Jamie Taylor, Microsoft MVP and Strategic Technology Consultant here at RJJ Software.

OwaspHeaders.Core is part of RJJ Software’s commitment to open-source security tools that make the web safer for everyone. For enterprise support or custom security solutions, contact our team.