Strict Transport Security in ASP.NET MVC: Implementing RequireHstsAttribute
HTTPS is the core mechanism for accessing web resources securely. One of its limitations is that the user can type a URL by hand that uses plain http:// or omits the scheme entirely. In most cases the application answers such a request with a redirect telling the browser to re-request the resource over HTTPS. Unfortunately, both that first request and the redirect travel in cleartext, so an attacker positioned on the network can intercept the initial request and answer it in place of the server, keeping the victim on HTTP for the rest of the session (the classic SSL-stripping Man-in-the-Middle attack). Strict Transport Security (HSTS, RFC 6797) is a security enhancement that lets a web application inform browsers that they should always use HTTPS when accessing a given domain, so that the cleartext request and the redirect never happen in the first place.
Strict Transport Security defines the Strict-Transport-Security response header with two directives: the required max-age and the optional includeSubDomains. From the moment the browser receives this header, it should consider the host a Known HSTS Host for the number of seconds specified in max-age. Being a Known HSTS Host means that the browser should always use HTTPS for communication with that host. In the scenario described above (the user typing an http:// URL or no scheme at all), the browser cancels the insecure request by itself and rewrites the scheme to HTTPS before anything is sent on the wire. Specifying includeSubDomains means the rule also applies to all subdomains of the current domain. Two details matter when implementing this: the browser only honours the header when it arrives over an error-free HTTPS connection and is required to ignore it on plain-HTTP responses, so there is no point in sending it on the redirect itself; and the very first visit to a host is still unprotected until the header has been seen once (unless the domain is in the browsers' built-in preload lists). Sending max-age=0 tells the browser to forget the host again, and while a host is known, the browser will also refuse to let the user click through certificate errors for it.
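Putting the two paragraphs together, the following ASP.NET MVC filter is an added example, not the article's own implementation: it reuses the framework's RequireHttpsAttribute for the HTTP-to-HTTPS redirect and only adds the Strict-Transport-Security header on responses that were actually served over HTTPS. The class name RequireHstsAttribute comes from the article's title; deriving from RequireHttpsAttribute, the constructor signature and the FilterConfig registration line are this example's own choices. It assumes TLS terminates in the application itself (Request.IsSecureConnection); behind a TLS-terminating proxy the scheme would have to be taken from a header such as X-Forwarded-Proto instead, which is not shown here.

```csharp
using System;
using System.Globalization;
using System.Web.Mvc;

/// <summary>
/// Illustrative action filter (example code, not the article's implementation):
/// redirects cleartext requests to https:// (behaviour inherited from
/// RequireHttpsAttribute) and emits the Strict-Transport-Security header on
/// responses that were served over HTTPS.
/// </summary>
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class RequireHstsAttribute : RequireHttpsAttribute
{
    private const string HeaderName = "Strict-Transport-Security";

    // Lifetime of the Known HSTS Host entry, in seconds. One year (31536000) is a
    // common production value; use a short value such as 300 while rolling out,
    // because a premature long max-age locks users out of every http:// resource
    // on the host until it expires.
    public uint MaxAge { get; private set; }

    // When true the rule is extended to all subdomains of the responding host.
    public bool IncludeSubDomains { get; set; }

    public RequireHstsAttribute(uint maxAge)
    {
        MaxAge = maxAge;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            // Cleartext request: let the base class answer with a redirect to the
            // https:// URL (GET) or reject the request (other methods). Deliberately
            // no HSTS header here: browsers must ignore it on plain-HTTP responses,
            // so sending it would only leak the policy to an on-path attacker.
            HandleNonHttpsRequest(filterContext);
            return;
        }

        // Secure connection: the header is honoured, so emit it on every HTTPS
        // response. AppendHeader works in both classic and integrated pipeline mode.
        filterContext.HttpContext.Response.AppendHeader(
            HeaderName, BuildHeaderValue(MaxAge, IncludeSubDomains));
    }

    // Builds e.g. "max-age=31536000; includeSubDomains". Kept as a pure function so
    // the exact header value can be unit-tested without an HttpContext.
    public static string BuildHeaderValue(uint maxAge, bool includeSubDomains)
    {
        string value = "max-age=" + maxAge.ToString(CultureInfo.InvariantCulture);
        return includeSubDomains ? value + "; includeSubDomains" : value;
    }
}

// Registration in App_Start/FilterConfig.cs so that every action is covered
// (a global filter, rather than per-controller, avoids leaving an unprotected
// endpoint that still answers over HTTP):
//
//     public static void RegisterGlobalFilters(GlobalFilterCollection filters)
//     {
//         filters.Add(new RequireHstsAttribute(31536000) { IncludeSubDomains = true });
//     }
```

A quick check after deployment is to request any page with curl -I over https:// and confirm the header is present with the intended max-age, then repeat over http:// and confirm that the response is a redirect to the https:// URL without a Strict-Transport-Security header.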
via DZone.com Feed https://dzone.com
May 18, 2017 at 06:09PM