Update What's New Link

Issue gh-9038

docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc

@@ -81,7 +81,7 @@ Here's what you'll see in this release:
 
 * Renamed https://github.com/spring-projects/spring-security/issues/8676[whitelist and blacklist to allowlist and blocklist]
 * Added https://github.com/spring-projects/spring-security/pull/7052[`RequestRejectedHandler`]
-* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`]
+* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] to <<servlet-httpfirewall-headers-parameters,verify header and parameter names and values>>
 * Made https://github.com/spring-projects/spring-security/issues/5438[`SessionRegistry` aware of `SessionIdChangedEvent`]
 * Allow https://github.com/spring-projects/spring-security/issues/8402[`AesBytesEncryptor` to be constructed with a real key]
 * https://github.com/spring-projects/spring-security/pull/8450[Deprecated OpenID 2.0 support]

docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc

@@ -132,6 +132,8 @@ See https://jira.spring.io/browse/SPR-16851[SPR_16851] for an issue requesting t
 If you must allow any HTTP method (not recommended), you can use `StrictHttpFirewall.setUnsafeAllowAnyHttpMethod(true)`.
 This will disable validation of the HTTP method entirely.
 
+[[servlet-httpfirewall-headers-parameters]]
+
 `StrictHttpFirewall` also checks header names and values and parameter names.
 It requires that each character have a defined code point and not be a control character.