diff --git a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc index 57f741c17dd..2bbaef0a41e 100644 --- a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc @@ -81,7 +81,7 @@ Here's what you'll see in this release: * Renamed https://github.com/spring-projects/spring-security/issues/8676[whitelist and blacklist to allowlist and blocklist] * Added https://github.com/spring-projects/spring-security/pull/7052[`RequestRejectedHandler`] -* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] +* Strengthened https://github.com/spring-projects/spring-security/pull/8644[`StrictHttpFirewall`] to <> * Made https://github.com/spring-projects/spring-security/issues/5438[`SessionRegistry` aware of `SessionIdChangedEvent`] * Allow https://github.com/spring-projects/spring-security/issues/8402[`AesBytesEncryptor` to be constructed with a real key] * https://github.com/spring-projects/spring-security/pull/8450[Deprecated OpenID 2.0 support] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc index a5781e692d3..71171992b34 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/firewall.adoc @@ -132,6 +132,8 @@ See https://jira.spring.io/browse/SPR-16851[SPR_16851] for an issue requesting t If you must allow any HTTP method (not recommended), you can use `StrictHttpFirewall.setUnsafeAllowAnyHttpMethod(true)`. This will disable validation of the HTTP method entirely. +[[servlet-httpfirewall-headers-parameters]] + `StrictHttpFirewall` also checks header names and values and parameter names. It requires that each character have a defined code point and not be a control character.