User:MovGP0/ASP.NET Core/HSTS
HTTP Strict Transport Security (HSTS)
- Until the browser has been redirected to HTTPS, the first plain-HTTP request can be intercepted by a man-in-the-middle (MITM); that hop is what HSTS is meant to remove.
- HSTS tells the browser not to use HTTP for this host again for the given max-age; the browser rewrites http:// URLs to https:// itself before anything is sent.
- HSTS is enforced by the browser, not by a server redirect: while the stored policy is valid, plain HTTP is blocked outright and certificate errors can no longer be clicked through. The very first visit (and any visit after max-age has expired) is still unprotected unless the domain is on the browser preload list.
- Use chrome://net-internals/#hsts to inspect, add or delete stored HSTS entries in Chrome.
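To make the two halves of the mechanism concrete, here is an added example (not code from the page or from the libraries discussed below) of one ASP.NET Core middleware that redirects plain-HTTP requests to HTTPS and emits the Strict-Transport-Security header only on HTTPS responses. The class name HstsEnforcement, the extension method UseHstsEnforcement, the host example.test and the sample requests are assumptions made for the example; it targets the Microsoft.AspNetCore.App shared framework and exercises itself against DefaultHttpContext so it runs without a web server.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Extensions;

// Added example: HTTPS redirect plus Strict-Transport-Security header in one middleware.
public sealed class HstsEnforcement
{
    private readonly int? _httpsPort;

    public string HeaderValue { get; }

    public HstsEnforcement(TimeSpan maxAge, bool includeSubDomains = false, bool preload = false, int? httpsPort = null)
    {
        if (maxAge <= TimeSpan.Zero) throw new ArgumentOutOfRangeException(nameof(maxAge));
        // hstspreload.org only accepts max-age of at least one year together with includeSubDomains.
        if (preload && (!includeSubDomains || maxAge < TimeSpan.FromDays(365)))
            throw new ArgumentException("preload requires includeSubDomains and a max-age of at least one year");
        var seconds = ((long)maxAge.TotalSeconds).ToString(CultureInfo.InvariantCulture);
        HeaderValue = "max-age=" + seconds
            + (includeSubDomains ? "; includeSubDomains" : "")
            + (preload ? "; preload" : "");
        _httpsPort = httpsPort;
    }

    public async Task Invoke(HttpContext context, Func<Task> next)
    {
        var request = context.Request;
        if (!request.IsHttps)
        {
            // This is the unprotected hop: send the client to HTTPS and do NOT emit the HSTS header,
            // because browsers must ignore it on insecure transport (RFC 6797, section 8.1).
            var host = _httpsPort.HasValue
                ? new HostString(request.Host.Host, _httpsPort.Value)
                : new HostString(request.Host.Host);
            var location = UriHelper.BuildAbsolute("https", host, request.PathBase, request.Path, request.QueryString);
            context.Response.StatusCode = StatusCodes.Status307TemporaryRedirect; // 307 keeps method and body
            context.Response.Headers["Location"] = location;
            return;
        }

        // Secure request: pin the browser to HTTPS for max-age, then run the rest of the pipeline.
        context.Response.Headers["Strict-Transport-Security"] = HeaderValue;
        await next();
    }
}

public static class HstsEnforcementExtensions
{
    // Usage in Startup.Configure, outside Development: app.UseHstsEnforcement(new HstsEnforcement(TimeSpan.FromDays(365)));
    public static IApplicationBuilder UseHstsEnforcement(this IApplicationBuilder app, HstsEnforcement policy)
        => app.Use((ctx, next) => policy.Invoke(ctx, next));
}

public static class Demo
{
    // Constructed requests (no server involved) showing both branches of the middleware.
    private static DefaultHttpContext Request(string scheme)
    {
        var ctx = new DefaultHttpContext();
        ctx.Request.Scheme = scheme;                     // "http" or "https"; IsHttps is derived from it
        ctx.Request.Host = new HostString("example.test");
        ctx.Request.Path = "/login";
        ctx.Request.QueryString = new QueryString("?next=%2Faccount");
        return ctx;
    }

    public static async Task Main()
    {
        var policy = new HstsEnforcement(TimeSpan.FromDays(365), includeSubDomains: true);

        var http = Request("http");
        await policy.Invoke(http, () => Task.CompletedTask);
        Console.WriteLine($"http  -> {http.Response.StatusCode} Location={http.Response.Headers["Location"]} " +
                          $"hsts={http.Response.Headers.ContainsKey("Strict-Transport-Security")}");

        var https = Request("https");
        await policy.Invoke(https, () => Task.CompletedTask);
        Console.WriteLine($"https -> {https.Response.StatusCode} " +
                          $"Strict-Transport-Security: {https.Response.Headers["Strict-Transport-Security"]}");
    }
}
```

Behind a TLS-terminating reverse proxy, register the forwarded-headers middleware before this one so that `Request.IsHttps` reflects the client connection; otherwise every request looks like plain HTTP and the middleware loops on its own redirect.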
Method 1: SSL with the RequireHttps attribute
- Set "Enable SSL" under `Project Settings` ↦ `Debug` ↦ `Web Server Settings` so that the development web server also listens on HTTPS.
- Applies to one controller only; a plain-HTTP GET is redirected to HTTPS, other verbs are answered with 403.

[RequireHttps]
public sealed class MyController : Controller
{
    // ...
}
Method 2: SSL with a global RequireHttps filter
- Set "Enable SSL" under `Project Settings` ↦ `Debug` ↦ `Web Server Settings`.
- Registers RequireHttpsAttribute as a global MVC filter, so every controller is covered; it is still an MVC filter and does not protect non-MVC endpoints such as static files.
- Startup.cs

using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public sealed class Startup
{
    private IHostingEnvironment HostingEnvironment { get; }

    public Startup(IHostingEnvironment hostingEnvironment)
    {
        HostingEnvironment = hostingEnvironment;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Enforce HTTPS everywhere except during local development.
        if (!HostingEnvironment.IsDevelopment())
        {
            services.Configure<MvcOptions>(o => o.Filters.Add(new RequireHttpsAttribute()));
        }
        // ...
    }
}
Method 3: HSTS with NWebsec
NuGet: NWebsec.AspNetCore.Middleware
- Startup.cs

if (!env.IsDevelopment())
{
    // max-age of one year (the original snippet had 356 days, a typo)
    app.UseHsts(h => h.MaxAge(days: 365));
}
Method 4: SSL and HSTS with SecurityHeaders
NuGet: Joonasw.AspNetCore.SecurityHeaders
- Startup.cs

if (!env.IsDevelopment())
{
    app.UseHttpsEnforcement();          // redirect plain HTTP to HTTPS
    app.UseHsts(new HstsOptions
    {
        // 30 days is a short max-age; hstspreload.org requires at least one year
        // together with IncludeSubDomains before Preload may be set
        Seconds = (int)TimeSpan.FromDays(30).TotalSeconds,
        IncludeSubDomains = false,
        Preload = false
    });
}
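Whichever of the four methods is used, the thing to verify is what the server actually sends. The following added example (not code from the page or from either library) parses a Strict-Transport-Security header per RFC 6797 and audits a response for the mistakes the methods above can produce: the header on a plain-HTTP response, a plain-HTTP request served instead of redirected, a max-age below one year, or preload without includeSubDomains. The class names HstsHeader and HstsAudit, the host example.test and the sample responses are constructed for the example; nothing is fetched from the network.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Net.Http;

// Added example: parsed view of one Strict-Transport-Security value (RFC 6797, section 6.1).
public sealed class HstsHeader
{
    public long MaxAgeSeconds { get; private set; }
    public bool IncludeSubDomains { get; private set; }
    public bool Preload { get; private set; }

    // Directive names are case-insensitive, unknown directives are ignored,
    // max-age is mandatory and no directive may appear twice.
    public static bool TryParse(string headerValue, out HstsHeader parsed)
    {
        parsed = null;
        if (string.IsNullOrWhiteSpace(headerValue)) return false;
        var result = new HstsHeader();
        var sawMaxAge = false;
        foreach (var raw in headerValue.Split(';'))
        {
            var directive = raw.Trim();
            if (directive.Length == 0) continue;
            var eq = directive.IndexOf('=');
            var name = (eq < 0 ? directive : directive.Substring(0, eq)).Trim();
            var value = eq < 0 ? null : directive.Substring(eq + 1).Trim().Trim('"');
            if (name.Equals("max-age", StringComparison.OrdinalIgnoreCase))
            {
                if (sawMaxAge || value == null ||
                    !long.TryParse(value, NumberStyles.None, CultureInfo.InvariantCulture, out var seconds))
                    return false;
                result.MaxAgeSeconds = seconds;
                sawMaxAge = true;
            }
            else if (name.Equals("includeSubDomains", StringComparison.OrdinalIgnoreCase)) result.IncludeSubDomains = true;
            else if (name.Equals("preload", StringComparison.OrdinalIgnoreCase)) result.Preload = true;
        }
        if (!sawMaxAge) return false;
        parsed = result;
        return true;
    }
}

public static class HstsAudit
{
    private const long OneYear = 31536000; // hstspreload.org minimum

    // Problems found for one response; an empty list means the policy looks sound.
    public static IReadOnlyList<string> Audit(HttpResponseMessage response)
    {
        var findings = new List<string>();
        var overHttps = response.RequestMessage?.RequestUri?.Scheme == Uri.UriSchemeHttps;
        var hasHeader = response.Headers.TryGetValues("Strict-Transport-Security", out var values);
        var status = (int)response.StatusCode;

        if (!overHttps)
        {
            // The plain-HTTP hop must redirect; a header here is ignored by browsers (RFC 6797, section 8.1).
            if (hasHeader) findings.Add("HSTS header on a plain-HTTP response is ignored by browsers");
            if (status < 300 || status > 399) findings.Add($"plain-HTTP request answered with {status} instead of a redirect");
            else if (response.Headers.Location == null || !response.Headers.Location.IsAbsoluteUri
                     || response.Headers.Location.Scheme != Uri.UriSchemeHttps)
                findings.Add("redirect target is not an absolute https:// URL");
            return findings;
        }

        if (!hasHeader) { findings.Add("no Strict-Transport-Security header on the HTTPS response"); return findings; }
        if (!HstsHeader.TryParse(values.First(), out var hsts)) { findings.Add("Strict-Transport-Security header is malformed"); return findings; }
        if (hsts.MaxAgeSeconds == 0) findings.Add("max-age=0 clears the policy; only use it to roll HSTS back");
        else if (hsts.MaxAgeSeconds < OneYear) findings.Add($"max-age={hsts.MaxAgeSeconds} is below one year; a returning user is exposed again once it expires");
        if (hsts.Preload && !hsts.IncludeSubDomains) findings.Add("preload without includeSubDomains is rejected by hstspreload.org");
        return findings;
    }
}

public static class Demo
{
    // Constructed responses standing in for what a server would return.
    private static HttpResponseMessage Sample(string url, HttpStatusCode status, string hsts = null, string location = null)
    {
        var r = new HttpResponseMessage(status) { RequestMessage = new HttpRequestMessage(HttpMethod.Get, url) };
        if (hsts != null) r.Headers.TryAddWithoutValidation("Strict-Transport-Security", hsts);
        if (location != null) r.Headers.Location = new Uri(location, UriKind.RelativeOrAbsolute);
        return r;
    }

    public static void Main()
    {
        var samples = new[]
        {
            Sample("https://example.test/", HttpStatusCode.OK, "max-age=2592000"),                               // 30 days
            Sample("https://example.test/", HttpStatusCode.OK, "max-age=31536000; includeSubDomains; preload"),
            Sample("http://example.test/",  HttpStatusCode.OK, "max-age=31536000"),                              // served, not redirected
            Sample("http://example.test/",  HttpStatusCode.TemporaryRedirect, null, "https://example.test/"),
        };
        foreach (var s in samples)
        {
            var findings = HstsAudit.Audit(s);
            Console.WriteLine($"{s.RequestMessage.RequestUri} -> {(findings.Count == 0 ? "ok" : string.Join(" | ", findings))}");
        }
    }
}
```

To run the same audit against a live site, fetch the URL with an HttpClient whose HttpClientHandler has AllowAutoRedirect = false, so the plain-HTTP hop stays visible instead of being followed silently, and pass the HttpResponseMessage to HstsAudit.Audit.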
Sources
- Joonas Westlin: HTTP Strict Transport Security (HSTS) in ASP.NET Core. 22 January 2017, retrieved 12 May 2017 (in English).