Using (and enforcing) HTTPS in an ASP.NET Core 2 Application


I was doing research for implementing (and enforcing) HTTPS on an ASP.NET Core 2 application, and I saw Enforcing HTTPS in an ASP.NET Core app, but it got me confused. It mentions two methods: using RequireHttpsAttribute or using a URL rewrite, but in the warning at the beginning of the page, they say NOT to use RequireHttpsAttribute because it's doing a redirect, but isn't that what the URL rewrite is also doing? So, are we able to use either of them for Web APIs even if they receive "sensitive information" (as mentioned in the warning on the docs page)?

Also, I have heard about HSTS, and I did some research, but it doesn't seem to me that there's a standard implementation for it in ASP.NET Core. I stumbled upon a few NuGet packages, but I couldn't find one from a more "official" provider.

Can you help me understand this please?


Solution

  • Your confusion may lie in that the goal of the article is a non-WebAPI application. Hence the warning: do not apply these to WebAPIs. Do not use either of the methods for WebAPIs.

    • Users that connect to an application on http://example.com (by typing the url in a browser) should be redirected to https://example.com. This may be done using one of the two methods.

    • Applications that connect to http://webapi.example.com (like a web application) should NOT be redirected to https://webapi.example.com. Port 80 should either be closed or return status 400 (for nginx and IIS, change the status codes in these answers to 400).

    Users cannot be burdened with technical security details. Developers, however, should be fully aware and can make the connection directly to https without any redirect whatsoever.

    Considering your second remark about "official" support for HSTS, take a look at this sample from the asp.net core docs. To be fair, this was only committed a few months ago (as part of the 2.1 milestone) as of this writing, so there is not a lot of documentation yet.
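As an added illustration of the two rules in the answer above (this is example code written for this page, not code from the question, the answer or the ASP.NET Core docs), here is a `Startup` for ASP.NET Core 2.0 that redirects browsers on a site but answers plain HTTP with 400 on a Web API host, and emits the HSTS header by hand since 2.0 has no built-in HSTS middleware. It assumes the `Microsoft.AspNetCore.Rewrite` package and a hypothetical `IsWebApi` configuration key.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services) => services.AddMvc();

    public void Configure(IApplicationBuilder app)
    {
        // Hypothetical setting (assumption): true on the Web API host, false on the browser-facing site.
        bool isWebApi = _config.GetValue<bool>("IsWebApi");

        if (isWebApi)
        {
            // Web API: never redirect. A client that spoke plain HTTP has already sent its
            // payload in the clear, so fail fast with 400 rather than "upgrade" the request.
            app.Use(async (context, next) =>
            {
                if (!context.Request.IsHttps)
                {
                    context.Response.StatusCode = StatusCodes.Status400BadRequest;
                    await context.Response.WriteAsync("HTTPS is required.");
                    return;
                }
                await next();
            });
        }
        else
        {
            // Browser-facing site: users who typed http://example.com get a 301 to https://example.com.
            app.UseRewriter(new RewriteOptions().AddRedirectToHttps(StatusCodes.Status301MovedPermanently));
        }

        // HSTS (RFC 6797): set the header only on HTTPS responses; browsers ignore it over plain HTTP.
        // ASP.NET Core 2.0 ships no HSTS middleware, so the header is written here directly.
        app.Use(async (context, next) =>
        {
            if (context.Request.IsHttps)
                context.Response.Headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains";
            await next();
        });

        app.UseMvc();
    }
}
```

Because the 400 middleware and the rewrite middleware both run before the HSTS middleware, only HTTPS requests reach it in either mode, which is exactly the condition under which the header is meaningful.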