Insecure or unset HTTP headers - Strict Transport Security
Need
Implementation of Strict Transport Security (HSTS) header
Context
- Usage of C# 8.0 for modern and efficient software development
- Usage of Microsoft.AspNetCore for building web applications with .NET Core
- Usage of Microsoft.AspNetCore.Hosting for hosting ASP.NET Core applications
- Usage of Microsoft.AspNetCore.Builder for configuring and building ASP.NET Core applications
- Usage of Microsoft.AspNetCore.Routing for handling URL routing in ASP.NET Core applications
- Usage of Microsoft.AspNetCore.Authorization for implementing authorization and access control in ASP.NET Core applications
- Usage of Microsoft.Extensions.Hosting for hosting and managing .NET Core applications
Description
Non compliant code
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
}
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
This code is configuring the middleware components of an ASP.NET Core web application. Middleware are software components that are assembled into an application pipeline to handle requests and responses.
The code is missing an important security feature: the Strict-Transport-Security HTTP header. This header is a security feature that helps protect websites against protocol downgrade attacks and cookie hijacking.
The absence of the Strict-Transport-Security HTTP header means that the application is not enforcing the use of HTTPS. As a result, it is possible for an attacker to intercept or alter the communication between the user and the server.
Moreover, even if the header was present, if the max-age attribute of the header is set to a short duration, the protection it provides would be minimal. The max-age attribute specifies the amount of time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS.
Steps
- Add the Strict-Transport-Security HTTP header to the server's response.
- Set the max-age directive of the Strict-Transport-Security header to an appropriate value.
- Ensure that the Strict-Transport-Security header is only added when the application is not running in a development environment.
Compliant code
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Home/Error");
// Add the Strict-Transport-Security HTTP header to the server's response.
app.UseHsts(options => options.MaxAge(days: 365).IncludeSubdomains());
}
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
});
}
The above code fixes the vulnerability by adding the Strict-Transport-Security (HSTS) HTTP header to the server's response. This is done using the UseHsts method, which is a middleware that adds the Strict-Transport-Security header.
The UseHsts method is only called when the application is not running in a development environment. This is because HSTS is a security feature that tells a browser to only communicate with the server using a secure HTTPS connection. If a server declares an HSTS policy, the browser will refuse to connect to that server over an insecure HTTP connection. This can cause issues during development, when you might want to use an insecure connection for testing purposes.
The MaxAge method sets the max-age directive of the Strict-Transport-Security header. This directive tells the browser how long to remember the HSTS policy. In this case, the max-age is set to 365 days, which is a common value. However, you can adjust this value to suit your needs.
The IncludeSubdomains method is used to apply the HSTS policy to all subdomains of the server's domain. This is a good practice to help prevent man-in-the-middle attacks on your subdomains.
By adding the HSTS header and setting an appropriate max-age, the server instructs the browser to only access the server over secure connections, which helps to protect against various types of attacks, such as cookie hijacking and protocol downgrade attacks.