ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,606 questions
Missing HSTS Header
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 14.000000000000002%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Sharath C
1
Reputation point
The web-application does not define an HSTS header, leaving it vulnerable to attack.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 90%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZL%3C/text%3E%3C/svg%3E)
Zhi Lv - MSFT 32,441 Reputation points Microsoft Vendor2022-08-02T02:52:21.46+00:00 Hi @Sharath C ,
The web-application does not define an HSTS header, leaving it vulnerable to attack.
Can you tell us more detail information about your application, it is an Asp.net core API application or MVC application, and What's the application version? When you find the HSTS header missing, what's the request URL looks like?
From this articles: Enforce HTTPS in ASP.NET Core, we can know that:
- The default API projects don't include HSTS because HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.
- ASP.NET Core implements HSTS with the
UseHstsextension method. And by default it callsUseHstswhen the app isn't in development mode. You can check your code in the startup.cs or program.cs file. - The request URL should a Https request.
- UseHsts excludes the following loopback hosts:
localhost : The IPv4 loopback address.
127.0.0.1 : The IPv4 loopback address.
[::1] : The IPv6 loopback address.
More detail information, check the Enforce HTTPS in ASP.NET Core.
Best regards,
Dillion
Sign in to comment
Sign in to answer