This repository has been archived by the owner on Dec 14, 2018. It is now read-only.

Add support for HTTP Strict Transport Security via an ActionFilter #744

Closed
ghost opened this issue Jul 3, 2014 · 4 comments
Comments

@ghost commented Jul 3, 2014

Reposted here as requested by yishaigalatzer

I would like to propose adding an HTTP Strict Transport Security (HSTS) attribute into the core of ASP.NET MVC.

According to OWASP, HSTS protects users from a number of threats, in particular man-in-the-middle attacks by not only forcing encrypted sessions, but also stopping attackers who use invalid digital certificates.

Although developers can write the attribute themselves, I believe a fully tested implementation would be a benefit and prevent inconsistencies within developer code (for example, developers may overlook the ability to add the subdomains suffix).

If you think that this feature would add value, I will happily submit the code via a PR.

@yishaigalatzer (Contributor)

@GrabYourPitchforks @blowdart Can you guys take a look at this suggestion?

@GrabYourPitchforks (Contributor)

Neat idea, but this doesn't really belong as a filter / attribute. HSTS applies to the site as a whole, not just MVC endpoints. So it's really better off as a site-wide middleware / module.
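
The two designs discussed above, as an added example that is not code from the aspnet/Mvc repository or from the issue author: the ActionFilter the proposal describes, and the site-wide OWIN middleware the maintainers suggest instead. It assumes ASP.NET MVC 5 (System.Web.Mvc) and Microsoft.Owin; the names HstsAttribute, UseHsts and HstsHeader are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.Owin;
using Owin;

// Added example; hypothetical names, not code from aspnet/Mvc or the issue author.

/// <summary>
/// The kind of filter the issue proposes. It only runs for the MVC actions it is
/// applied to (or registered as a global filter), so static files, Web API,
/// SignalR and error pages served outside MVC never receive the header.
/// </summary>
public sealed class HstsAttribute : ActionFilterAttribute
{
    private readonly string _headerValue;

    public HstsAttribute(int maxAgeSeconds = 31536000, bool includeSubDomains = false)
    {
        if (maxAgeSeconds < 0)
        {
            throw new ArgumentOutOfRangeException("maxAgeSeconds");
        }
        _headerValue = HstsHeader.Build(TimeSpan.FromSeconds(maxAgeSeconds), includeSubDomains);
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        // RFC 6797 only gives the header meaning on an HTTPS response; browsers
        // ignore it over plain HTTP. Redirecting HTTP to HTTPS stays the job of
        // RequireHttpsAttribute or the web server, not of this filter.
        if (http.Request.IsSecureConnection)
        {
            http.Response.AppendHeader("Strict-Transport-Security", _headerValue);
        }
        base.OnActionExecuting(filterContext);
    }
}

/// <summary>
/// The site-wide alternative the maintainers ask for: an OWIN middleware that
/// sees every response in the pipeline, not just MVC endpoints.
/// </summary>
public static class HstsMiddlewareExtensions
{
    public static IAppBuilder UseHsts(this IAppBuilder app, TimeSpan maxAge, bool includeSubDomains = false)
    {
        string headerValue = HstsHeader.Build(maxAge, includeSubDomains);
        return app.Use(async (IOwinContext context, Func<Task> next) =>
        {
            // Same rule as the filter: only on HTTPS responses.
            if (context.Request.IsSecure)
            {
                context.Response.Headers.Set("Strict-Transport-Security", headerValue);
            }
            await next();
        });
    }
}

/// <summary>Builds the header value once so both variants agree on the format.</summary>
internal static class HstsHeader
{
    public static string Build(TimeSpan maxAge, bool includeSubDomains)
    {
        // max-age is in seconds; includeSubDomains is the directive the issue
        // warns developers tend to overlook when hand-rolling the header.
        long seconds = (long)maxAge.TotalSeconds;
        string value = "max-age=" + seconds.ToString(CultureInfo.InvariantCulture);
        return includeSubDomains ? value + "; includeSubDomains" : value;
    }
}

// Startup.cs for the middleware variant:
//   public void Configuration(IAppBuilder app)
//   {
//       app.UseHsts(TimeSpan.FromDays(365), includeSubDomains: true);
//       // ... the rest of the pipeline
//   }
```

The difference between the two is exactly the point raised in this comment: the filter runs only inside MVC action execution, while the middleware runs for every request the OWIN pipeline handles, so a static file or a non-MVC handler still gets the header. Whichever variant is used, start with a short max-age: once a browser has cached the policy it will refuse plain-HTTP and certificate-error connections to the host until the entry expires or a max-age=0 header is served over HTTPS, and includeSubDomains extends that to every subdomain, including ones that may not yet serve HTTPS.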

@yishaigalatzer (Contributor)

@sblackler thanks for your suggestion! Like @GrabYourPitchforks says the idea has merit.

We discussed this and what we would like to suggest is that you build a middleware (and publish it as a NuGet package).

We can take a look and try it out, and if it fits into aspnet vNext core, we would take it as a PR. The PR will probably go in another repo (perhaps security, but we are not certain yet). Let's give your middleware a spin and we can make that decision later.

Once you have it ready, please file an issue in the home or security repos and we can proceed from there.

Thanks!

@yishaigalatzer (Contributor)

Please note I'm marking this as won't fix just because it's our way to track that no work actually happened for this bug. Like I mentioned above, we are interested in this fix.
