SharathC-1054 asked ZhiLv-MSFT commented

Missing HSTS Header

The web-application does not define an HSTS header, leaving it vulnerable to attack.

Tags: dotnet-aspnet-core-general, dotnet-aspnet-core-webapi

Hi @SharathC-1054,

The web-application does not define an HSTS header, leaving it vulnerable to attack.

Can you tell us more detailed information about your application: is it an ASP.NET Core API application or an MVC application, and what is the application version? When you find the HSTS header missing, what does the request URL look like?

From this article, Enforce HTTPS in ASP.NET Core, we can learn that:

  1. The default API projects don't include HSTS because HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.

  2. ASP.NET Core implements HSTS with the UseHsts extension method. By default, it calls UseHsts when the app isn't in development mode. You can check your code in the Startup.cs or Program.cs file.

  3. The request URL should be an HTTPS request.

  4. UseHsts excludes the following loopback hosts:
     - localhost: The IPv4 loopback address.
     - 127.0.0.1: The IPv4 loopback address.
     - [::1]: The IPv6 loopback address.

For more detailed information, check Enforce HTTPS in ASP.NET Core.

Best regards,
Dillion

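The configuration the comment above describes, written out as an added example (not code from the question or from the commenter): a minimal-hosting Program.cs that enables HSTS explicitly and redirects HTTP to HTTPS. It assumes a .NET 6+ web project served over HTTPS; the domain names and the excluded host are hypothetical.

```csharp
// Added example: ASP.NET Core Program.cs (minimal hosting model, .NET 6+) that
// configures the Strict-Transport-Security header emitted by UseHsts().
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Tune the header that UseHsts() adds to HTTPS responses (default MaxAge is 30 days).
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // browsers remember "HTTPS only" for a year
    options.IncludeSubDomains = true;        // also covers subdomains of the serving host
    options.Preload = false;                 // set true only after submitting to the preload list
    // localhost, 127.0.0.1 and [::1] are excluded automatically; any other host that
    // must never receive the header is added here (hypothetical host name).
    options.ExcludedHosts.Add("staging.example.com");
});

// Send http:// callers to https:// so they reach the endpoint that carries the header.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();

// Same rule as the default templates: no HSTS while developing, because a cached
// max-age would also force HTTPS on every other local site on the same host.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

app.MapGet("/api/ping", () => Results.Ok(new { status = "ok" }));

app.Run();
```

The header is only attached to HTTPS responses, so a scanner or `curl -I` run against an `http://` URL will always report it missing; check `https://<host>/api/ping` with a non-Development environment and expect `Strict-Transport-Security: max-age=31536000; includeSubDomains`.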

0 Answers