New doc: Require HTTPS on Web APIs #6233

Open
CosCallis opened this Issue May 6, 2018 — with docs.microsoft.com · 13 comments

7 participants

CosCallis commented May 6, 2018 — with docs.microsoft.com

Opening segment comes down to: Don't ever do this for anything that actually matters.

Do not use RequireHttpsAttribute on Web APIs that receive sensitive information

And (of course) it does not give you a link to where to find out how to do this for things that actually matter.
... but if you are just using HTTPS for the hell of it... the article is fine.
(Well... once you figure out the 'usings', which are not included in the documentation.)


Rick-Anderson changed the title from "Once again worthless" to "Do not use RequireHttpsAttribute on Web APIs that receive sensitive information" May 6, 2018

Rick-Anderson added this to the 2018 Q3 September 30 milestone May 6, 2018

Rick-Anderson (Contributor) commented May 6, 2018

@blowdart can you supply a link to information on securing Web APIs?

blowdart (Member) commented May 6, 2018

By enforcing HTTPS only? I don't think we have one.

Rick-Anderson changed the title from "Do not use RequireHttpsAttribute on Web APIs that receive sensitive information" to "New doc: Require HTTPS on Web APIs" May 6, 2018

Rick-Anderson (Contributor) commented May 6, 2018

@blowdart changed the title to new doc: Require HTTPS on WebAPI

Rick-Anderson (Contributor) commented May 6, 2018

@blowdart or are the instructions good enough:

Not listen on HTTP.
Close the connection with status code 400 (Bad Request) and not serve the request.

blowdart (Member) commented May 6, 2018

I think we need to provide a page which talks about how.

RehanSaeed commented Jun 3, 2018

Perhaps the Basic Middleware repo should add a middleware to return 400 for HTTP requests?

vankampenp commented Jun 28, 2018 — with docs.microsoft.com

If you have app.UseHsts() I assume that is valid for WebApi as well?

asymmetricblue commented Jun 29, 2018

@nbarbettini wrote a nice article on this topic.
https://www.recaffeinate.co/post/enforce-https-aspnetcore-api/

I think what is missing from both articles is guidance or a link for how to configure IIS to force HTTPS only. If you don't, and you abort in the middleware or return a 400, it is too late, the "secret" data has already been transmitted in the clear.

UseHsts doesn't seem to be enough on its own either as it requires a browser to have seen the header before sensitive data is sent. This isn't helpful if your "client" is not a browser.
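The two instructions quoted earlier in this thread (do not listen on HTTP; answer any cleartext request with 400 rather than serving it) and the caveat just raised about HSTS can be put together in one ASP.NET Core host. The following is an added example written for this thread, not code from the docs article, from @nbarbettini's post, or from any of the commenters; the port number, the development certificate, the `/api/secrets` endpoint and the `SecretDto` type are all assumptions for illustration. It targets the .NET 6+ minimal hosting model.

```csharp
// Program.cs for a minimal ASP.NET Core Web API (.NET 6+ hosting model).
// Added example: Kestrel listens on HTTPS only, and as defence in depth the
// app rejects any request that still arrives over plain HTTP with 400
// instead of redirecting it.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// 1. Do not listen on HTTP at all. With only an HTTPS endpoint configured
//    there is no port that can accept a cleartext request, so a client's
//    secret never leaves its machine unencrypted. Port 5001 and the local
//    development certificate are assumptions of this example.
builder.WebHost.ConfigureKestrel(options =>
{
    options.ListenAnyIP(5001, listenOptions => listenOptions.UseHttps());
});

var app = builder.Build();

// 2. Fail closed rather than redirect. UseHttpsRedirection() would answer a
//    cleartext request with 307 and a well-behaved client would retry over
//    TLS, but the sensitive payload has already crossed the wire in the
//    clear. A 400 surfaces the misconfiguration during the consumer's first
//    test instead of silently "fixing" it.
app.Use(async (context, next) =>
{
    if (!context.Request.IsHttps)
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        context.Response.ContentType = "text/plain";
        await context.Response.WriteAsync("HTTPS is required.");
        return;
    }
    await next(context);
});

// 3. HSTS is a browser-only control: the header is sent on HTTPS responses
//    and honoured by browsers on later navigations. Non-browser API clients
//    ignore it, so it supplements steps 1 and 2 but cannot replace them.
app.UseHsts();

// Hypothetical endpoint standing in for a real API that receives secrets.
app.MapPost("/api/secrets", (SecretDto dto) => Results.Ok(new { received = dto.Value.Length }));

app.Run();

record SecretDto(string Value);
```

With this configuration a plain-HTTP `curl http://localhost:5001/api/secrets` does not get a 400 at all: nothing is listening for HTTP, so the client sees a failed TLS handshake and no request body is transmitted. The 400 branch only fires if HTTP reaches the app some other way, which is also where the main caveat lies: behind a reverse proxy that terminates TLS, every request arrives at Kestrel as HTTP and `Request.IsHttps` is false, so the middleware would reject all traffic unless `UseForwardedHeaders` is configured to trust the proxy's `X-Forwarded-Proto` header. In that deployment the "do not listen on HTTP" step belongs on the proxy or IIS binding, which is the gap in the guidance that asymmetricblue points out above.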

garfbradaz commented Dec 15, 2018 — with docs.microsoft.com

@blowdart / @Rick-Anderson: Was there a page written for Web APIs in the end? Or is @nbarbettini's article good enough?

Rick-Anderson (Contributor) commented Dec 15, 2018

@garfbradaz we're still waiting for a doc by @blowdart

vankampenp commented Dec 15, 2018

@asymmetricblue
Thanks that helps.
Two thoughts:

  1. If the app has both Razor Pages and an API, it is not convenient to restrict IIS for the app to HTTPS, as users may just type in the domain and expect to be redirected to HTTPS.
  2. Assuming the consumer will test using the API before production, it should be enough to just return an error on HTTP (not redirect silently).

garfbradaz commented Dec 16, 2018

@Rick-Anderson Thanks for the response on a Saturday, matey 🥇 Waiting patiently for @blowdart... 🔢

Rick-Anderson added PU and removed P2 labels Jan 22, 2019

garfbradaz commented Mar 12, 2019 — with docs.microsoft.com

Still patiently waiting @Rick-Anderson.... ;)
