New security feature blocks all requests to \.well-known\ URIs (returning 404), except for certificate validation (acme-challenge, when enabled) and any other URI explicitly allowed through ServerController.AllowedWellKnownURISuffixes property.
New internal variable NONCE for templates (was previously announced in IW 16.1.2, but only included in 16.1.3). It will replace any %NONCE% tag with WebApplication.Nonce value at runtime in templates. This is required for scripts and style tags in templates when using CSP
Bug fix
Setting TIWTemplateProcessorHTML.Variables or StyleAttributesToRemove property at design time could raise an access violation depending on the IDE plug-in being used/registered as a TStrings editor.
Digest authentication would fail using ISAPI application and IIS configured with Anonymous Authentication method