Strict Transport Security in ASP.NET MVC: Implementing RequireHstsAttribute

Strict Transport Security in ASP.NET MVC: Implementing RequireHstsAttribute

http://ift.tt/2rvY7OA

HTTPS is the core mechanism for accessing web resources in a secure way. One of the limitations of HTTPS is the fact that the user can manually provide a URL which doesn’t contain the proper schema. In most cases, this will result in the application sending a redirect response which will tell the browser to re-request the resource using HTTPS. Unfortunately, this redirect creates a risk of a Man-in-the-Middle attack. Strict Transport Security is a security enhancement which allows web applications to inform browsers that they should always use HTTPS when accessing a given domain.

Strict Transport Security defines Strict-Transport-Security header with two directives: required max-age and optional includeSubDomains. From the moment the browser receives the Strict-Transport-Security header, it should consider the host as a Known HSTS Host for the number of seconds specified in the max-age directive. Being a Known HSTS Host means that the browser should always use HTTPS for communication. In the initially described scenario (user providing HTTP schema or no schema at all), the browser should cancel the initial request by itself and change the schema to HTTPS. Specifying the includeSubDomains directive means that a given rule applies also to all subdomains of the current domain.

java

via DZone.com Feed https://dzone.com

May 18, 2017 at 06:09PM

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s