Friday, October 5, 2018

.Net Core | Security - Enforce HTTPS

Enforce HTTPS in ASP.Net Core

Microsoft recommends the following two methods to enforce HTTPS:

  • UseHttpsRedirection 
  • UseHsts

1. UseHttpsRedirection

RequireHttps attribute (not recommended):
The [RequireHttps] attribute can be applied at controller level to enforce HTTPS, but it is not recommended for Web APIs: API clients may not follow the redirect from HTTP to HTTPS, so they may fail to get the request served and return HTTP status code 404 bad request, or they may keep sending information over HTTP.

using Microsoft.AspNetCore.Mvc;

// Applies HTTPS enforcement to every action on this controller.
[RequireHttps]
public class HomeController : Controller
{
}

Add the call below inside the Configure method of Startup.cs:
app.UseHttpsRedirection();

It uses the default values of RedirectStatusCode and HttpsPort:
HttpsRedirectionOptions.RedirectStatusCode (Status307TemporaryRedirect)
HttpsRedirectionOptions.HttpsPort (null)

The default HTTPS port is 447.

If you want to change RedirectStatusCode and/or HttpsPort, then add the options below in the ConfigureServices method; otherwise UseHttpsRedirection in Configure is sufficient.

// Overrides the redirect status code and the port the redirect points at.
services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
    options.HttpsPort = 5001;
});


2. UseHsts

Per OWASP, HTTP Strict Transport Security (HSTS) is a security enhancement delivered through a response header:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

When a browser that supports HSTS receives this header, it stores the configuration for the domain and, based on that configuration, the browser:
  • Prevents communication over plain HTTP
  • Forces the use of HTTPS
  • Refuses any invalid or untrusted certificate
  • Disables the prompts that would let a user temporarily trust such an invalid certificate

There are a few limitations:
  • The client must support HSTS
  • At least one successful HTTPS request is required to establish the HSTS policy
  • The application must still check every HTTP request and redirect or reject it

HSTS should not be used in the development environment, because the browser caches the policy aggressively and it is hard to undo.


UseHsts is configured through the following options:
  • IncludeSubDomains: Tells the browser to apply this configuration to sub-domains as well
  • MaxAge: The browser caches the rule for the specified duration (for production environments the recommendation is 1 year)
  • ExcludeHosts: Excludes specific hosts from this rule
  • Preload: Tells the browser to include your domain in its preload list
Be careful in production environments when setting Preload = true together with a high MaxAge (1 year). Only set them if you are sure you will keep serving HTTPS for your domain and sub-domains for longer than the specified time.
Removing the rule from browsers can take months, because it effectively becomes a hard-coded rule for the browser until the browser itself is updated.
If you stop supporting HTTPS for your domain and change the configuration before the previous time span has elapsed, the settings may take months to reach clients' browsers, and your domain might return 402 Bad Request in the meantime.
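Putting the two middlewares together, here is an added example Startup.cs (not code from the original post) that applies the guidance above: HTTPS redirection with explicit options, an HSTS policy with a one-year MaxAge, and UseHsts skipped in the development environment. It assumes ASP.NET Core 2.1 (the version current when this post was written) and the hypothetical excluded host name is made up for illustration.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 2.1.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Only needed when the defaults (307 redirect, HttpsPort = null) are not wanted.
        services.AddHttpsRedirection(options =>
        {
            options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
            options.HttpsPort = 5001;
        });

        // HSTS policy that UseHsts() below turns into the Strict-Transport-Security header.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365); // 1 year, the production recommendation
            options.IncludeSubDomains = true;
            // Leave Preload off until every sub-domain is guaranteed HTTPS-only,
            // since a preloaded entry can take months to remove.
            options.Preload = false;
            // Hypothetical host kept out of the policy (localhost is excluded by default).
            options.ExcludedHosts.Add("legacy.example.test");
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Do not emit HSTS from a development box: the browser caches the policy
        // for the whole domain and it is hard to undo.
        if (!env.IsDevelopment())
        {
            app.UseHsts();
        }

        // Redirect every plain-HTTP request to HTTPS before anything else handles it.
        app.UseHttpsRedirection();
        app.UseMvc();
    }
}
```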
