This release contains fixes for security issues related to dashboard, so it is highly recommended to upgrade. Cross-Site Request Forgery protection was added by using existing libraries, but methods are different across application frameworks:

• For ASP.NET Core, no additional configuration is required, since Microsoft.AspNetCore.Antiforgery package is used to generate and validate tokens. Dependency injection is used to obtain the implementation and apply it when available.
• For other frameworks, additional configuration is required based on an abstract IOwinDashboardAntiforgery interface, because the available implementation is tightly coupled with the System.Web.Helpers assembly. Please check this gist to learn how to enable antiforgery token validation on ASP.NET and ASP.NET MVC platforms.

Other important updates include a new retry implementation for state changes in the Worker class to avoid any reads and writes whenever it is possible for a job’s distributed lock to be abandoned, because it may lead to consistency issues. Transitions directly to the Failed state without applying the job filters were also disabled, because such a behavior is not a determined one.

Also, looks like waiting on CancellationToken.WaitHandle rarely leads to high CPU usage. I was unable to reveal the exact reason for this, but any other implementation, including using Task.Delay or own tandem of CancellationToken.Register with ManualResetEvent works fine without such issues.

Hangfire.Core

• SECURITY – Add “robots” meta tag to ensure browser don’t index dashboard pages.

• SECURITY – Add support for antiforgery validation to prevent CSRF attacks (requires configuration).

• Fixed – Perform state change retries using a fresh connection when job’s distributed lock may be abandoned.
• Fixed – Disallow transitions to the Failed state on retries that bypass all the filters.
• Fixed – Remove possible rare CPU spikes due to the use of CancellationToken.WaitHandle.
• Fixed – Avoid resolving types and methods for logging in static constructors that may lead to process shutdown.
• Fixed – Prevent Recurring jobs dashboard from throwing NullReferenceException (by @mattkwiecien).
• Fixed – Replace wall clocks with monotonic ones when calculating local timeouts.
• Fixed – Change logger initialization to be deterministic and predictable by using instance fields.
• Fixed – Make _currentLogProvider field access to use volatile reads/writes.
• Fixed – Typo in NotSupportedException’s message (by @benrick).
• Fixed – Typo on the Failed jobs page (by @gareth-evans).

Hangfire.SqlServer

• Fixed – Remove the synthetic limitation to support Azure SQL Management instance (by @TimSQL).

Hangfire.AspNetCore

• SECURITY – Use ASP.NET Core’s built-in antiforgery validation to prevent CSRF attacks.