Essentials of web security
When it comes to web security, HTTPS is one of the most important aspects and the starting point for almost every website. HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over TLS. It authenticates the server to the browser through the server's certificate and protects the confidentiality and integrity of everything exchanged in both directions, so an attacker on the network can neither read nor tamper with requests and responses. This matters for every site, but especially for those that handle sensitive data: e-commerce, online banking and anything with a login form, where a plain-HTTP request would expose credentials and session cookies in the clear.
Understanding HTTPS redirection and HSTS
HTTPS redirection: the server answers every plain-HTTP request with a 3xx redirect to the same URL under https://, so that the actual application traffic is encrypted. The first request and the redirect itself still travel in the clear, so redirection alone does not stop an active attacker who intercepts that first request and keeps the victim on HTTP (an SSL-stripping attack); that is the gap HSTS closes.
HTTP Strict Transport Security (HSTS): a policy the server announces in the Strict-Transport-Security response header. For the number of seconds given in max-age, a browser that has seen the header rewrites http:// URLs for that host to https:// before sending anything and refuses to let the user click through certificate errors, which defeats the downgrade and man-in-the-middle attacks described above. The browser only learns the policy from an earlier HTTPS response, so the very first visit is unprotected unless the domain is on the browsers' built-in preload list.
Configuring HTTPS Redirection in ASP.NET Core
ASP.NET Core provides built-in HTTPS redirection as a middleware. Let's look at how to set it up:
1. Ensure HTTPS is enabled
First, make sure your ASP.NET Core application actually listens on an HTTPS endpoint: check the applicationUrl entries in launchSettings.json and any Kestrel endpoint configuration in appsettings.json. For development the .NET SDK provides a self-signed development certificate (dotnet dev-certs https --trust installs and trusts it). For production, provide a TLS certificate issued by a CA your users' browsers trust, either on Kestrel itself or on the reverse proxy that terminates TLS in front of it.
2. Configure HTTPS redirection middleware
Add the UseHttpsRedirection middleware in Program.cs (or in the Configure method of Startup.cs for older projects):
```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Redirect every request that arrived over plain HTTP to its HTTPS counterpart.
app.UseHttpsRedirection();

await app.RunAsync();
```
By adding the UseHttpsRedirection middleware you instruct your web app to redirect all requests that arrive over HTTP to their HTTPS counterparts. The middleware has to know which HTTPS port to redirect to: if none is configured explicitly it looks at the ASPNETCORE_HTTPS_PORT environment variable, the HttpsPort configuration key and the addresses the server is listening on, and if it still cannot determine one it logs a warning ("Failed to determine the https port for redirect") and does not redirect at all. Check the startup log for that warning after deploying, especially behind a reverse proxy.
3. Configure temporary or permanent HTTPS redirection
The default behaviour of the UseHttpsRedirection middleware can be adjusted by calling AddHttpsRedirection when registering services:
```csharp
using System.Net;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpsRedirection(options =>
{
    // Default: 307 Temporary Redirect. Browsers do not cache it, which is
    // convenient while the HTTPS endpoint still changes during development.
    // options.RedirectStatusCode = (int)HttpStatusCode.TemporaryRedirect;
    // options.HttpsPort = 5001;

    // Production: 308 Permanent Redirect (cached by browsers) to the public HTTPS port.
    options.RedirectStatusCode = (int)HttpStatusCode.PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();
app.UseHttpsRedirection();
await app.RunAsync();
```
Permanent redirection (308) is recommended for production; the middleware's default is 307 Temporary Redirect. Because browsers cache a 308, only switch to it once the HTTPS endpoint is stable. Set HttpsPort explicitly whenever the app runs behind a reverse proxy or load balancer that terminates TLS, since the port Kestrel listens on is then not the port clients should be sent to, and configure the Forwarded Headers middleware (UseForwardedHeaders) so the app recognises requests that were already HTTPS at the proxy; otherwise every request looks like HTTP to the app and the redirect loops.
Configuring HSTS in ASP.NET Core
After configuring HTTPS redirection you can enable HSTS in ASP.NET Core, which adds the Strict-Transport-Security header so that browsers access the website over HTTPS only. Two things to know before turning it on: the middleware adds the header only to responses that were served over HTTPS (browsers ignore the header on plain HTTP anyway), and by default it skips localhost, 127.0.0.1 and [::1], because a policy a browser has cached for a development host is awkward to undo. The official project template registers UseHsts only outside the Development environment for the same reason.
1. Enable the HSTS middleware
Update your Program.cs or Startup.cs to add HSTS:
```csharp
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.UseHsts();             // Add this line: emits Strict-Transport-Security on HTTPS responses.
app.UseHttpsRedirection(); // Keep the redirect: HSTS only helps browsers that already saw the header.

await app.RunAsync();
```
2. Adjust the default HSTS settings
The default behaviour of the UseHsts middleware (max-age of 30 days, no includeSubDomains, no preload) can be adjusted by calling AddHsts when registering services:
```csharp
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHsts(options =>
{
    options.Preload = true;            // adds the "preload" directive (see the note below)
    options.IncludeSubDomains = true;  // applies the policy to every subdomain as well
    options.MaxAge = TimeSpan.FromDays(60);
    // Hosts that must not receive the header; localhost, 127.0.0.1 and [::1] are excluded by default.
    options.ExcludedHosts.Add("test.com");
});

var app = builder.Build();
app.UseHsts();             // without this the options above have no effect
app.UseHttpsRedirection();
await app.RunAsync();
```
Note that Preload only adds the directive to the header. Getting the domain into the browsers' built-in list means submitting it at hstspreload.org, which requires includeSubDomains and a max-age of at least one year (31536000 seconds), so the 60-day value above would be rejected. Treat preloading as a one-way door: once the domain is in the list, every subdomain must serve HTTPS, and removal from the list takes months to reach users.