suresh pondicherry
asked on
Enforce HTTP Strict Transport Security (HSTS) in http endpoint
Hi,
I am using .NET Framework 4.6.1 and a class library project in C#. I need to enforce HTTP Strict Transport Security (HSTS) on all public-facing HTTP endpoints. I did the configuration settings but they don't help me. Please help me with how to enforce HSTS on the project and how to verify that the site has HSTS settings.
I have attached the Properties window of the project, web.config and startup.cs. Please help...
Kind regards,
Pooja
Properties.PNG
Startup.cs
Web.config
You can use https://www.ssllabs.com/ssltest/ to verify your HSTS config is correct.
The SSL Labs tester is very slow, so you might use this tool for debugging, which is much faster.
imac> time sudo /david-favor/code/testssl.sh.git/testssl.sh --headers davidfavor.com
Password:
###########################################################
testssl.sh 3.0rc4 from https://testssl.sh/dev/
(6bd4893 2019-02-21 09:21:19 -- )
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
on Davids-iMac:$PWD/bin/openssl.Darwin.x86_64
(built: "Sep 7 19:34:54 2016", platform: "darwin64-x86_64-cc")
Start 2019-02-21 10:06:56 -->> 144.217.34.8:443 (davidfavor.com) <<--
rDNS (144.217.34.8): ip8.ip-144-217-34.net.
Service detected: HTTP
Testing HTTP header response @ "/"
HTTP Status Code 200 OK
HTTP clock skew 0 sec from localtime
Strict Transport Security 730 days=63072000 s, just this domain, preload
Public Key Pinning --
Server banner Apache/2.4.33 (Ubuntu)
Application banner --
Cookie(s) (none issued at "/")
Security headers Upgrade h2,h2c
Reverse Proxy banner --
Done 2019-02-21 10:07:02 [0009s] -->> 144.217.34.8:443 (davidfavor.com) <<--
real 0m10.789s
user 0m1.772s
sys 0m1.925s
ASKER
Hi Zc2,
I am getting an error like "Server provided more than one HSTS header".
I have added the settings in 2 places in the .NET Core API.
startup.cs
=======
using NWebsec.AspNetCore.Middleware;

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IDisEntities context)
{
    app.UseMiddleware<UserNameLoggingMiddleware>();
    // HSTS - Implementation
    app.UseHsts(h => h.MaxAge(days: 365));
}
Kind regards,
Pooja
ASKER
Thanks David Favor. I was using that tool; I'm looking for something better than that. Anyway, thanks!
ASKER
Hi Zc2, thanks for the advice earlier. I need your suggestion for another .NET Core app as well. I posted my changes above... great help.
It's up to you where to have that setting, in the app or in the web.config. The latter seems easier to me.
To verify that HSTS works, I usually just open up the browser's F12 tool, the Network tab, and then I try to access an http:// resource. If the URL in the address bar changes itself to https:// and you see that only an https:// request was made in the Network tab (so the browser does not even try to connect to http://), then HSTS surely works.
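An offline check of the kind this thread is after, added here as an example (it is not code from the question or from any answer): it takes the raw response header lines a server sent back and reports whether exactly one well-formed Strict-Transport-Security header is present, which is what a browser needs before it will enforce the policy. A repeated header is the condition behind the "Server provided more than one HSTS header" error above, and the 730-day value in the testssl.sh output (63072000 s) is used as the good sample. The header lines are constructed, and the one-year minimum is an assumed policy threshold.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class HstsReport:
    header_count: int
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str]

def check_hsts(header_lines: List[str], min_max_age: int = 31536000) -> HstsReport:
    """Evaluate the Strict-Transport-Security policy in raw response header lines.

    Browsers ignore the policy when the header is repeated or max-age is missing,
    so every condition that would stop enforcement is listed in `problems`.
    """
    values = [line.split(":", 1)[1].strip()
              for line in header_lines
              if line.split(":", 1)[0].strip().lower() == "strict-transport-security"]
    problems: List[str] = []
    if not values:
        return HstsReport(0, None, False, False, ["no Strict-Transport-Security header"])
    if len(values) > 1:
        problems.append("more than one HSTS header (set it in exactly one place)")
    # Directives are case-insensitive; the first header is the one evaluated here.
    directives = [d.strip().lower() for d in values[0].split(";") if d.strip()]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    include_sub = "includesubdomains" in directives
    preload = "preload" in directives
    if max_age is None:
        problems.append("max-age directive missing")
    elif max_age < min_max_age:
        problems.append(f"max-age {max_age}s is below {min_max_age}s")
    if preload and (not include_sub or (max_age is not None and max_age < 31536000)):
        problems.append("preload requires includeSubDomains and max-age >= 1 year")
    return HstsReport(len(values), max_age, include_sub, preload, problems)

# Constructed sample: what a server configured in two places would send back.
DUPLICATED_HEADERS = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000",
    "Strict-Transport-Security: max-age=31536000",
    "Content-Type: text/html",
]
# Constructed sample matching the testssl.sh result above (730 days, preload).
GOOD_HEADERS = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
]
```

Feed it the header lines from the browser's Network tab or from a curl -I capture; an empty `problems` list with `header_count == 1` is the state to aim for.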
ASKER
I'm sorry I am not familiar with C# web development.
ASKER
@ZC2:
That project doesn't have web.config
ASKER CERTIFIED SOLUTION