suresh pondicherry (United States of America) asked:

Enforce HTTP Strict Transport Security (HSTS) in http endpoint

Hi,
I am using .NET Framework 4.6.1 and the class library project uses C#. I need to enforce HTTP Strict Transport Security (HSTS) on all public-facing HTTP endpoints. I did the configuration settings but it doesn't help me. Please help me with how to enforce HSTS on the project and how to verify that the site has HSTS settings.
I have attached the Properties window of the project, web.config and startup.cs. Please help...


Kind regards,
Pooja
Attachments: Properties.PNG, Startup.cs, Web.config

zc2 (United States of America):

Just add the following to the web.config (under the <system.webServer> element):

    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000" />
        </customHeaders>
    </httpProtocol>

You can use https://www.ssllabs.com/ssltest/ to verify your HSTS config is correct.

The SSL Labs tester is very slow, so you might use this tool for debugging, which is much faster.

imac> time sudo /david-favor/code/testssl.sh.git/testssl.sh --headers davidfavor.com
Password:

###########################################################
    testssl.sh       3.0rc4 from https://testssl.sh/dev/
    (6bd4893 2019-02-21 09:21:19 -- )

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2i-dev)" [~183 ciphers]
 on Davids-iMac:$PWD/bin/openssl.Darwin.x86_64
 (built: "Sep  7 19:34:54 2016", platform: "darwin64-x86_64-cc")


 Start 2019-02-21 10:06:56        -->> 144.217.34.8:443 (davidfavor.com) <<--

 rDNS (144.217.34.8):    ip8.ip-144-217-34.net.
 Service detected:       HTTP


 Testing HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              0 sec from localtime
 Strict Transport Security    730 days=63072000 s, just this domain, preload
 Public Key Pinning           --
 Server banner                Apache/2.4.33 (Ubuntu)
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             Upgrade h2,h2c
 Reverse Proxy banner         --


 Done 2019-02-21 10:07:02 [0009s] -->> 144.217.34.8:443 (davidfavor.com) <<--

real	0m10.789s
user	0m1.772s
sys	0m1.925s


suresh pondicherry (asker):

Hi Zc2,
I am getting an error like "Server provided more than one HSTS header".

I have added the settings in 2 places in the .NET Core API.
startup.cs
=======
using NWebsec.AspNetCore.Middleware;

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IDisEntities context)
{
    app.UseMiddleware<UserNameLoggingMiddleware>();

    // HSTS - Implementation (NWebsec middleware adds the Strict-Transport-Security header with max-age of 365 days)
    app.UseHsts(h => h.MaxAge(days: 365));
}

Kind regards,
Pooja
Thanks David Favor. I was using that tool; looking for something better than that. Anyway, thanks!

Hi Zc2, thanks for the advice earlier. I need your suggestion for the other .NET Core app as well. I posted my changes above... great help.

It's up to you where to have that setting, in the app or in the web.config. The latter seems easier to me.
To verify that HSTS works, I usually just open the browser's F12 tool on the Network tab and then try to access an http:// resource. If the URL in the address bar changes itself to https:// and you see that only an https:// request was made in the Network tab (so the browser does not even try to connect to http://), then HSTS surely works.
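An added verification check, not code from anyone in this thread: it parses the Strict-Transport-Security header(s) of a response the way the testers mentioned above report them (max-age in seconds, "just this domain", preload) and flags the "more than one HSTS header" condition the asker hit when both web.config and the middleware emit the header. The host passed to fetch_headers is whatever site you are verifying; SAMPLE_HEADERS is a constructed response, not one captured from the asker's site.

```python
# Added example, not code from any poster in this thread. Checks the
# Strict-Transport-Security header(s) of a response the way SSL Labs or
# testssl.sh does, and flags the "more than one HSTS header" condition.
import http.client

def parse_hsts(value: str) -> dict:
    """Parse an HSTS value such as 'max-age=63072000; includeSubDomains; preload'."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            result["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result

def check_hsts(headers: list, min_days: int = 365) -> list:
    """Return findings for (name, value) response headers; empty list means OK."""
    findings = []
    hsts = [v for (n, v) in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        return ["no Strict-Transport-Security header"]
    if len(hsts) > 1:
        # The asker's error: web.config customHeaders and UseHsts() both emit one.
        findings.append(f"server provided more than one HSTS header ({len(hsts)})")
    parsed = parse_hsts(hsts[0])
    if parsed["max_age"] is None:
        findings.append("max-age directive missing or not numeric")
    elif parsed["max_age"] < min_days * 86400:
        findings.append(f"max-age {parsed['max_age']} s is below {min_days} days")
    if not parsed["include_subdomains"]:
        findings.append("just this domain (no includeSubDomains)")
    return findings

def fetch_headers(host: str) -> list:
    """Fetch response headers of https://host/ (browsers only honour HSTS over TLS)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", "/")
    return conn.getresponse().getheaders()

# Constructed sample reproducing the misconfiguration described in the thread.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),  # from web.config
    ("Strict-Transport-Security", "max-age=31536000"),  # from app.UseHsts()
]
```

Run `check_hsts(fetch_headers("your.host"))` against a live site; an empty list means a single header with at least a one-year max-age and includeSubDomains.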
Hi Zc2,
Please find the screenshot.
Attachment: dis.api-prop.PNG

I'm sorry I am not familiar with C# web development.
@ZC2:
That project doesn't have a web.config.

ASKER CERTIFIED SOLUTION
zc2 (United States of America)

This solution is only available to members of Experts Exchange.