HTTP Strict Transport Security Protocol (HSTS)

Published Jan 22 2020 05:16 AM 2,534 Views
Microsoft

Recently, I came across an interesting problem. Whenever we browsed the website over HTTP, I saw the browser force all communication over HTTPS. The website was built from the ASP.NET Core API template.

I collected the following data to understand this behavior:

1. Fiddler trace:

I could see that the browser makes the request directly over HTTPS. Digging further into the Fiddler traces for the reason, I found the header "Strict-Transport-Security" in the server's response to an earlier HTTPS request.

Sample Fiddler trace:

GET https://test.abc.com/Module.API/api/ HTTP/1.1
Host: test.abc.com
Connection: keep-alive
Authorization: Negotiate [token elided]
Accept: application/json, text/plain, */*
Origin: http://test.abc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Referer: http://test.abc.com/Module/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Vary: Origin
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://test.abc.com
Strict-Transport-Security: max-age=2592000
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYG2MIGzoAMsdhkfbsdkjfsdnfjknsdfsdfsdfsdfsdfsdfsdfsadfsdfYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCasnmfbaskjdbhkdjsnadkj4sd5CbptpCO0v4tvWvQKMco745S1TnexO8DAyiFisfkjsdhfkjsdfhjksdfhkjsdfhYsTanvczTYCXEQ3vCzghafdghasdflb4/SDsdasdsasdNBb1E=
Date: Wed, 16 Oct 2019 15:11:18 GMT
Content-Length: 175

2. FREB trace:

I collected FREB traces to see which module sets the header.

Sample FREB trace:

67. NOTIFY_MODULE_START ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotification="false" 15:11:16.463
68. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-TOKEN", HeaderValue="48e345b8-404c-4891-934b-5f6b58489014", Replace="true" 15:11:17.260
69. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-WINAUTHTOKEN", HeaderValue="63c", Replace="true" 15:11:17.260
70. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="10.0.0.1:50010", Replace="true" 15:11:17.260
71. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-Proto", HeaderValue="https", Replace="true" 15:11:17.260
72. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-CLIENTCERT", HeaderValue="", Replace="true" 15:11:17.260
73. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 15:11:17.260
74. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Type", HeaderValue="application/json; charset=utf-8", Replace="true" 15:11:18.744
75. GENERAL_SET_RESPONSE_HEADER HeaderName="Server", HeaderValue="Kestrel", Replace="true" 15:11:18.744
76. GENERAL_SET_RESPONSE_HEADER HeaderName="Vary", HeaderValue="Origin", Replace="true" 15:11:18.744
77. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Credentials", HeaderValue="true", Replace="false" 15:11:18.744
78. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Origin", HeaderValue="http://test.abc.com", Replace="false" 15:11:18.744
79. GENERAL_SET_RESPONSE_HEADER HeaderName="Strict-Transport-Security", HeaderValue="max-age=2592000", Replace="false" 15:11:18.744
80. NOTIFY_MODULE_COMPLETION ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", CompletionBytes="0", ErrorCode="The operation completed successfully.
(0x0)" 15:11:18.744

OBSERVATION & CAUSE:

- HSTS can be enabled in IIS, in configuration files, or in application code. In this scenario, we didn't see any HSTS configuration in IIS or in the configuration files.
- We found that the UseHsts function was configured in the application code.
- HSTS is therefore being enforced from the application code.

RECOMMENDATION:

If HSTS is not enabled in IIS or in configuration files, revisit the application code and check whether the following functions are called in the Configure method:

app.UseHttpsRedirection();
app.UseHsts();
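As an added example (not code from the original post), here is what the Startup class of such an ASP.NET Core API looks like with those two calls and the options behind them; the class name and the excluded host are assumptions, while the middleware and option names are ASP.NET Core's own.

```csharp
// Added example, not the original post's code. The class name and the excluded
// host are assumptions; middleware and option names are ASP.NET Core's own.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Without AddHsts, UseHsts() runs with HstsOptions defaults: MaxAge = 30 days,
        // which is exactly the "max-age=2592000" (30 * 86400 s) seen in both traces.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            options.Preload = false; // true only after submitting the site to the preload list
            // Hosts that must stay reachable over plain HTTP; localhost, 127.0.0.1
            // and [::1] are excluded by default.
            options.ExcludedHosts.Add("legacy-intranet.example");
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // The call the recommendation points at. The middleware adds the header only
            // to responses sent over HTTPS (browsers ignore it on HTTP), so the first
            // HTTPS visit pins the host and later http:// navigations are upgraded by
            // the browser itself before any request leaves, as seen in Fiddler.
            app.UseHsts();
        }

        // Server-side redirect of HTTP requests to HTTPS for clients not yet pinned.
        app.UseHttpsRedirection();

        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A browser that has already stored the policy keeps upgrading to HTTPS until max-age elapses, so removing UseHsts() alone does not change what an already-pinned client does; to clear it, serve Strict-Transport-Security: max-age=0 over HTTPS.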

Last update: Jan 22 2020 07:53 AM