What is HSTS

By FoxLearn 2/27/2025 7:46:18 AM   32
When you create a new ASP.NET Core application, it comes with a set of middleware to handle typical web application tasks like serving static assets, routing, HTTPS redirection, and exception handling.

One of the middleware components you’ll notice is app.UseHsts(), which is used in every ASP.NET Core app.

What is HSTS?

HSTS (HTTP Strict Transport Security) is a security feature that tells your application’s server to only communicate with clients using a secure connection (HTTPS). HTTP is unsecured, while HTTPS encrypts traffic for better privacy and security. Traditionally, web applications often allowed users to switch from HTTP to HTTPS when transitioning to secure areas of the site, like during checkout on e-commerce sites.

In modern ASP.NET Core applications, this transition generally happens on the first request, but there’s still some unsecured communication on that first request.

Here's a common middleware that redirects HTTP traffic to HTTPS:

app.UseHttpsRedirection();

When a user visits your site using http://, this middleware automatically redirects them to https://. While this is secure after the redirect, the initial request is still insecure, which could be problematic, especially with sensitive data.

HSTS Features

With HSTS, you can tell clients to:

  • Always use HTTPS for all future requests.
  • If includeSubdomains is set, enforce HTTPS on all subdomains as well.
  • If preload is set, ensure browsers use HTTPS even on the first request.
  • Set a max-age value, which determines how long the client should remember this policy (e.g., in seconds or years).

The preload option is especially useful because it allows browsers to only use HTTPS even on the first request by adding your site to a hardcoded list maintained by browser vendors.

However, before enabling HSTS with preload, there are some requirements:

  1. Serve a valid SSL/TLS certificate.
  2. Redirect all HTTP traffic to HTTPS on the same host.
  3. Serve all subdomains over HTTPS.
  4. Include an HSTS header with the proper settings: max-age=1 year; includeSubDomains; preload.
  5. Ensure that redirect responses also contain the HSTS header.

Once your site meets these conditions, you can verify it at hstspreload.org.

HSTS in ASP.NET Core

In ASP.NET Core, you’ll likely encounter this line in your application:

// The default HSTS value is 30 days.
app.UseHsts();

The default max-age is set to 30 days, which is long enough for testing but not too long if you make a mistake. In a production environment, you should consider changing this value.

Start with a short max-age (e.g., 5 minutes) for testing, then gradually increase it over time (e.g., 1 week, 1 month) to avoid issues.

When you’re ready to use HSTS with preload in production, configure the HstsOptions in your services:

builder.Services.Configure<HstsOptions>(o =>
{
    o.Preload = true;
    o.MaxAge = new TimeSpan(730 /* 2 years */);
    o.IncludeSubDomains = true;
});

This will set your HSTS policy to last for 2 years and include all subdomains. After you’ve tested thoroughly and are confident your site is fully HTTPS-compliant, you can submit it to the preload list maintained by browser vendors like Google, Mozilla, and Microsoft.

For multi-tenant sites where certain domains need to be excluded from the HSTS policy, you can configure exclusions:

builder.Services.Configure<HstsOptions>(o =>
{
    o.Preload = true;
    o.MaxAge = new TimeSpan(730 /* 2 years */);
    o.IncludeSubDomains = true;
    o.ExcludedHosts.Add("example.com");
    o.ExcludedHosts.Add("www.example.com");
});

However, be aware that excluding a subdomain from a parent domain that opts into HSTS will prevent your site from being included in the preload list.

Should I Enable HSTS?

HSTS adds an extra layer of security by protecting against man-in-the-middle attacks, preventing protocol downgrades and cookie hijacking. ASP.NET Core also offers other mechanisms to secure cookies, such as Data Protection encryption and browser security flags (Secure, HttpOnly, SameSite). As long as you follow these best practices, enabling HSTS will further enhance security.

That said, you should be cautious about enabling HSTS in a development environment where certificates might not be present. For production, however, you should have a valid SSL/TLS certificate.

Generally speaking, yes, you should enable HSTS, but be mindful of where and when you do so, as it can be tricky to get browsers to refresh the policy.

Related

Categories

Popular Posts

Entity Framework Code First vs Database First vs Model First Approach
Entity Framework Code First vs Database First vs Model First Approach
 12/19/2024
Portal HTML Bootstrap
Portal HTML Bootstrap
 11/14/2024
Elegent Material UI React Admin Dashboard Template
Elegent Material UI React Admin Dashboard Template
 11/19/2024
How to secure ASP.NET Core with NWebSec
How to secure ASP.NET Core with NWebSec
 11/07/2024
HTML Login Form
HTML Login Form
 11/11/2024

Copyright © 2016 - 2025 FoxLearn. All Rights Reserved

Home | Donate | About | Contact | Privacy Policy