HSTS support for windows based Azure app service

Mukesh Kumar 0 Reputation points Microsoft Employee
2024-03-11T05:18:14.6466667+00:00

We are using a Windows-based Azure App Service, and we are currently looking at remediating security concerns in our web app.

I approached resolving the security concerns by:

  1. Redirecting HTTP to HTTPS through the Azure Web App setting.
  2. Setting HSTS options at service startup with this C# code snippet:

// AddHsts only registers the options; the header itself is emitted by
// app.UseHsts() in the middleware pipeline, and only on HTTPS responses.
services.AddHsts(options =>
{
    // Mark the policy as eligible for the browser preload list; this is hard to undo.
    options.Preload = true;
    // Apply the policy to every subdomain as well, not just this host.
    options.IncludeSubDomains = true;
    // Cache the policy for one year (31536000 seconds).
    options.MaxAge = TimeSpan.FromDays(365);
});

It seems this solution is not enough. Is there another recommended solution I need to implement, or is the App Service the wrong place to implement it?

Azure App Service

2 answers

  1. brtrach-MSFT 17,741 Reputation points Microsoft Employee Moderator
    2024-03-12T04:12:38.18+00:00

    @Mukesh Kumar Can you share what your URL redirect rule looks like? It should look similar to this:

    <!-- Inbound rule for web.config; it belongs inside <system.webServer><rewrite><rules>. -->
    <rule name="RedirectToHTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <!-- {HTTPS} is "off" for plain-HTTP requests, so only those are redirected. -->
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <!-- Permanent (301) so browsers cache the redirect; {R:1} preserves the original path. -->
      <action type="Redirect" url="https://{SERVER_NAME}/{R:1}" redirectType="Permanent" />
    </rule>


    Your HSTS settings should look like:

    <configuration>
      <system.webServer>
        <rewrite>
          <outboundRules>
            <!-- Outbound rule: sets the Strict-Transport-Security response header, but only when
                 the request arrived over HTTPS; browsers ignore HSTS delivered over plain HTTP. -->
            <rule name="Add Strict-Transport-Security only when using HTTPS" enabled="true">
              <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
              <conditions>
                <add input="{HTTPS}" pattern="on" ignoreCase="true" />
              </conditions>
              <!-- One year, all subdomains, eligible for the preload list. -->
              <action type="Rewrite" value="max-age=31536000; includeSubdomains; preload" />
            </rule>
          </outboundRules>
        </rewrite>
      </system.webServer>
    </configuration>


    You can validate the HSTS behavior by navigating to edge://net-internals/#hsts, entering your domain name, and checking whether the following attributes are set (attachment: image.png).

    Can you please check the above to ensure they are properly configured? We look forward to your reply.

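The redirect rule and the HSTS header described in the answer above can also be checked from outside the browser. The following C# console program is an added example, not code from the answer or from Microsoft: it parses the Strict-Transport-Security value and checks the plain-HTTP redirect against what hstspreload.org requires (a permanent redirect to HTTPS on the same host, and a max-age of at least one year with includeSubDomains and preload on the HTTPS response). The host name `app.example.com` and the two pairs of responses used in offline mode are constructed; pass a real host name as the only argument to run the same checks live.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example (not from the thread): checks the HTTP->HTTPS redirect and the
// Strict-Transport-Security header against the hstspreload.org requirements.
public static class HstsCheck
{
    // hstspreload.org requires a max-age of at least one year (31536000 s).
    public const long PreloadMinMaxAge = 31536000;

    public sealed record HstsPolicy(long MaxAge, bool IncludeSubDomains, bool Preload);

    // Parses "max-age=31536000; includeSubDomains; preload" (RFC 6797 syntax).
    // Returns null when the header is empty or lacks a numeric max-age.
    public static HstsPolicy? Parse(string? header)
    {
        if (string.IsNullOrWhiteSpace(header)) return null;
        long maxAge = -1;
        bool includeSubDomains = false, preload = false;
        foreach (var directive in header.Split(';').Select(d => d.Trim()))
        {
            if (directive.StartsWith("max-age=", StringComparison.OrdinalIgnoreCase))
            {
                // The value may be quoted; a non-numeric value invalidates the header.
                if (!long.TryParse(directive.Substring(8).Trim('"'), out maxAge)) return null;
            }
            else if (directive.Equals("includeSubDomains", StringComparison.OrdinalIgnoreCase)) includeSubDomains = true;
            else if (directive.Equals("preload", StringComparison.OrdinalIgnoreCase)) preload = true;
        }
        return maxAge < 0 ? null : new HstsPolicy(maxAge, includeSubDomains, preload);
    }

    // Returns findings; an empty list means the redirect and the policy both check out.
    public static List<string> Evaluate(string host, HttpResponseMessage httpResponse, HttpResponseMessage httpsResponse)
    {
        var findings = new List<string>();
        // 1. The plain-HTTP request must be permanently redirected to https on the same host.
        int code = (int)httpResponse.StatusCode;
        if (code != 301 && code != 308) findings.Add($"http:// answered {code}; expected 301 or 308");
        var location = httpResponse.Headers.Location;
        if (location is null || location.Scheme != Uri.UriSchemeHttps)
            findings.Add("http:// redirect Location is missing or not https");
        else if (!location.Host.Equals(host, StringComparison.OrdinalIgnoreCase))
            findings.Add($"http:// redirects to {location.Host}; preload wants the same host first");
        // 2. Browsers honour HSTS only on an HTTPS response, so the header is read there.
        var header = httpsResponse.Headers.TryGetValues("Strict-Transport-Security", out var values) ? values.First() : null;
        var policy = Parse(header);
        if (policy is null)
        {
            findings.Add("https:// response carries no valid Strict-Transport-Security header");
            return findings;
        }
        if (policy.MaxAge < PreloadMinMaxAge) findings.Add($"max-age={policy.MaxAge} is below the preload minimum {PreloadMinMaxAge}");
        if (!policy.IncludeSubDomains) findings.Add("includeSubDomains directive is missing");
        if (!policy.Preload) findings.Add("preload directive is missing");
        return findings;
    }

    // With a host argument the checks run live; without one, constructed responses
    // show a passing site and one that sets HSTS only on the plain-HTTP redirect.
    public static async Task<int> Main(string[] args)
    {
        static int Report(string host, List<string> findings)
        {
            Console.WriteLine(findings.Count == 0
                ? $"{host}: redirect and HSTS policy meet the preload requirements"
                : $"{host}: {findings.Count} finding(s)\n  " + string.Join("\n  ", findings));
            return findings.Count;
        }
        if (args.Length == 1)
        {
            // AllowAutoRedirect=false so the 301/308 itself is inspected rather than its target.
            using var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
            using var http = await client.GetAsync($"http://{args[0]}/");
            using var https = await client.GetAsync($"https://{args[0]}/");
            return Report(args[0], Evaluate(args[0], http, https));
        }
        const string host = "app.example.com"; // hypothetical host name
        var good = new HttpResponseMessage(HttpStatusCode.MovedPermanently);
        good.Headers.Location = new Uri($"https://{host}/");
        var goodTls = new HttpResponseMessage(HttpStatusCode.OK);
        goodTls.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
        Report(host, Evaluate(host, good, goodTls));
        // Misconfiguration: header only on the HTTP redirect, with a 30-day max-age and no preload.
        var bad = new HttpResponseMessage(HttpStatusCode.MovedPermanently);
        bad.Headers.Location = new Uri($"https://{host}/");
        bad.Headers.Add("Strict-Transport-Security", "max-age=2592000");
        return Report(host, Evaluate(host, bad, new HttpResponseMessage(HttpStatusCode.OK)));
    }
}
```

The second constructed case is the mistake the outbound rule above is written to avoid: a Strict-Transport-Security header that is only ever sent on the plain-HTTP redirect is discarded by browsers, so the checker reports the HTTPS response as having no policy at all.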

  2. brajeshrajput 0 Reputation points
    2024-10-22T11:16:56.1366667+00:00

    HSTS is working with a Windows-based Azure App Service but not with a Linux-based Azure App Service.

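A complete ASP.NET Core startup that wires up the pieces the question's snippet configures, added here as an example and not taken from the original post or from Microsoft's project templates. It assumes minimal hosting (.NET 6 or later) in a Program.cs, and that the app sits behind the App Service front end, which terminates TLS. The forwarded-headers section is an assumption about the Linux behaviour reported in the answer above, not something the thread confirms: on Linux App Service there is no IIS in front of Kestrel, so requests arrive as plain HTTP carrying X-Forwarded-Proto: https, and UseHsts, which only emits the header when the request is HTTPS, stays silent unless that header is honoured first.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// The App Service front end terminates TLS and forwards X-Forwarded-Proto/-For.
// On Windows App Service the IIS integration reports the scheme IIS saw, which is
// why the question's setup works there; on Linux, Kestrel sees plain HTTP, so the
// forwarded headers must be applied before UseHsts() and UseHttpsRedirection()
// run (assumed cause of the Linux report above).
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedFor;
    // The front end's addresses are not fixed, so the default loopback-only trust
    // lists are cleared. Only do this when the app is reachable solely through the
    // App Service front end; otherwise a client could spoof the scheme and client IP.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

// Redirect http:// to https:// inside the app as well as via the App Service
// "HTTPS Only" setting, with a permanent status so browsers cache it.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

// Same policy as the question's snippet: one year, all subdomains, preload.
// Preload is effectively irreversible for the whole domain; only set it when
// every subdomain is served over HTTPS.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    options.Preload = true;
});

var app = builder.Build();

// Must run first so every later middleware sees the real scheme and client IP.
app.UseForwardedHeaders();

// The HSTS middleware adds Strict-Transport-Security only to HTTPS responses and
// skips localhost by default; it is kept out of Development so a one-year policy
// is never cached for a developer's host.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}
app.UseHttpsRedirection();

app.MapGet("/", () => "HSTS is configured");
app.Run();
```

Running on Linux App Service, the forwarded-headers block can be replaced by setting the app setting ASPNETCORE_FORWARDEDHEADERS_ENABLED to true, which enables the same middleware with the same cleared trust lists; either way, confirm with a direct request that the Strict-Transport-Security header is present on an HTTPS response and absent on the plain-HTTP redirect.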
