This repository has been archived by the owner on Dec 13, 2018. It is now read-only.

Add support for HTTP Strict Transport Security #31

Closed
ghost opened this issue Jul 29, 2014 · 8 comments
@ghost

ghost commented Jul 29, 2014

Continuing discussion from aspnet/Mvc#744 (comment)

I would like to propose adding an HTTP Strict Transport Security (HSTS) attribute into the core of ASP.NET. According to OWASP, HTTP Strict Transport Security (HSTS) protects users from a number of threats, in particular man-in-the-middle attacks by not only forcing encrypted sessions, but also stopping attackers who use invalid digital certificates.

Although developers can write middleware themselves, I believe a fully tested implementation would be a benefit and prevent inconsistencies within developer code (for example, developers may overlook the ability to add the subdomains suffix).

Following the advice of the previously mentioned thread, I have created a NuGet package with a test implementation here, with the project site being located here.

If you think that this feature would add value, I will happily submit the code via a PR.

cc/ @yishaigalatzer

@Tratcher
Member

Side note: Your implementation won't work in many scenarios.
https://github.com/sblackler/Owin.Hsts/blob/master/Owin.Hsts/HstsMiddleware.cs#L27

The response headers can be sent during the call to Next, so changes done after Next may fail. You should move all that logic to the OnSendingHeaders event. See http://owin.org/spec/CommonKeys.html
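The OWIN ordering problem described above, shown as an added example written for this thread (it is not the Owin.Hsts project's code and does not reproduce its HstsMiddleware.cs). It uses the Microsoft.Owin `OwinMiddleware` base class, whose `IOwinResponse.OnSendingHeaders` wraps the `server.OnSendingHeaders` callback from the OWIN CommonKeys spec; the class and parameter names are assumptions made for the illustration. The broken variant sets the header after `Next` returns, which silently does nothing once the server has already flushed headers during the downstream call; the corrected variant registers the header before calling `Next`, so it runs just before the headers leave the server regardless of who triggers the flush.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;

// Hypothetical HSTS middleware for illustration only (not Owin.Hsts code).
public sealed class HstsExampleMiddleware : OwinMiddleware
{
    private const string HeaderName = "Strict-Transport-Security";
    private readonly string _headerValue;

    public HstsExampleMiddleware(OwinMiddleware next, TimeSpan maxAge, bool includeSubDomains)
        : base(next)
    {
        // Build the directive string once, e.g. "max-age=31536000; includeSubDomains".
        _headerValue = "max-age=" + (long)maxAge.TotalSeconds
                     + (includeSubDomains ? "; includeSubDomains" : string.Empty);
    }

    // BROKEN pattern: the header is written after Next has returned. If any
    // downstream component (a static file handler, a streaming response, etc.)
    // caused the server to send headers during Next, this Set is too late and
    // the HSTS header never reaches the client.
    public async Task InvokeBroken(IOwinContext context)
    {
        await Next.Invoke(context);
        context.Response.Headers.Set(HeaderName, _headerValue); // may be ignored
    }

    // CORRECT pattern: register a callback that the server invokes immediately
    // before it flushes response headers, whether that happens inside Next or
    // after it returns. The registration itself must happen before Next runs.
    public override Task Invoke(IOwinContext context)
    {
        context.Response.OnSendingHeaders(state =>
        {
            var ctx = (IOwinContext)state;

            // Per RFC 6797, HSTS is only meaningful on a TLS connection; browsers
            // discard the header on plain HTTP, so do not emit it there.
            if (ctx.Request.IsSecure && !ctx.Response.Headers.ContainsKey(HeaderName))
            {
                ctx.Response.Headers.Set(HeaderName, _headerValue);
            }
        }, context);

        return Next.Invoke(context);
    }
}

// Registration in an OWIN Startup class (assumed app wiring, shown for context):
//
//   app.Use<HstsExampleMiddleware>(TimeSpan.FromDays(365), true);
//
// Place it before any middleware that can start writing the response body.
```

Checking the result is straightforward: an HTTPS request through the pipeline should return `Strict-Transport-Security: max-age=31536000; includeSubDomains`, while the same request over HTTP should return no such header. The `ContainsKey` guard also keeps a downstream component's explicit value from being overwritten.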

@ghost
Author

ghost commented Jul 29, 2014

Ah, I didn't realise that was there. I'll fix that this evening when I get a chance.

@ghost
Author

ghost commented Jul 29, 2014

Updated to use OnSendingHeaders (commit: https://github.com/sblackler/Owin.Hsts/commit/f69e78df94ccfabc1fd8000717717cf42d9201b7)

@Eilon
Member

Eilon commented Jul 9, 2015

@blowdart

@blowdart
Member

blowdart commented Jul 9, 2015

Given multiple implementations, including nwebsec from @klings, I don't feel providing a more limited middleware is that useful.

blowdart closed this as completed Jul 9, 2015
@ghost
Author

ghost commented Jul 9, 2015

@blowdart thanks for the info about nwebsec. Didn't realise that existed (don't know if it did a year ago when I started this). I think it would be good to raise awareness for stuff like this, maybe through a blog post or something? :)

@blowdart
Member

blowdart commented Jul 9, 2015

That would be a good idea. I'll find someone that blogs and poke them with a stick.
