Missing HSTS Header

Sharath C 1

The web-application does not define an HSTS header, leaving it vulnerable to attack.

Anonymous

2022-08-02T02:52:21.46+00:00
Hi @Sharath C ,

The web-application does not define an HSTS header, leaving it vulnerable to attack.

Can you tell us more detail information about your application, it is an Asp.net core API application or MVC application, and What's the application version? When you find the HSTS header missing, what's the request URL looks like?

From this articles: Enforce HTTPS in ASP.NET Core, we can know that:

The default API projects don't include HSTS because HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.

ASP.NET Core implements HSTS with the UseHsts extension method. And by default it calls UseHsts when the app isn't in development mode. You can check your code in the startup.cs or program.cs file.

The request URL should a Https request.

UseHsts excludes the following loopback hosts:
localhost : The IPv4 loopback address.
127.0.0.1 : The IPv4 loopback address.
[::1] : The IPv6 loopback address.

More detail information, check the Enforce HTTPS in ASP.NET Core.

Best regards,
Dillion

Your answer