According to OWASP, HTTP Strict Transport Security (HSTS) protects users from a number of threats, in particular man-in-the-middle attacks by not only forcing encrypted sessions, but also stopping attackers who use invalid digital certificates.
HTTP Strict Transport Security (HSTS) is an opt-in security enhancement that is specified by a web application through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS. It also prevents HTTPS click through prompts on browsers.
The specification has been released and published end of 2012 as RFC 6797 (HTTP Strict Transport Security (HSTS)) by the IETF
This package aims to provide developers the middleware required to effectively support this specification in a standardised way.
To install the package, search NuGet for Owin.Hsts
or run the following command from the package console:
Install-Package Owin.HSTS
Then open Startup.cs
and add the following:
using Owin.Hsts; // Add this at the top
app.UseHttpStrictTransportSecurity();
Which will result in a similar configuration to the following:
using Microsoft.Owin;
using Owin;
using Owin.Hsts;
[assembly: OwinStartupAttribute(typeof(MyWebApp.Startup))]
namespace MyWebApp
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseHttpStrictTransportSecurity();
ConfigureAuth(app);
}
}
}
The following options are set by default:
- All sub-domains are included (HSTS specification dictates an all or none approach)
- The policy expires after 28 days
- The middleware will not overwrite any header that is already set by the application
In order to override any of the above settings use the additional overload as demonstrated below:
using System;
using Microsoft.Owin;
using Owin;
using Owin.Hsts;
[assembly: OwinStartupAttribute(typeof(MyWebApp.Startup))]
namespace MyWebApp
{
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseHttpStrictTransportSecurity(new HstsSettings
{
Duration = TimeSpan.FromDays(365d),
IncludeSubDomains = false,
OverwriteExisting = true
});
ConfigureAuth(app);
}
}
}
For browser compatibility with HSTS, check caniuse.com