Tags: c#, asp.net-core, asp.net-web-api, asp.net-core-2.2

ASP .NET Core no HSTS header in response headers


In my appsettings.json I added this line of code:

"Hsts": {
    "HstsEnable": true
}

In launchSettings.json I added https://localhost:5000:

"applicationUrl": "http://localhost:5001;https://localhost:5000"

Then, in Program.cs I used these URLs:

return WebHost.CreateDefaultBuilder(args)
    .UseKestrel(x => x.AddServerHeader = false)
    .UseUrls("http://localhost:5001", "https://localhost:5000")
    .UseStartup<Startup>();

In the Startup class, in the Configure method, I'm getting the Hsts value from appsettings.json:

if (Configuration.GetSection("Hsts").GetValue<bool>("HstsEnable"))
{
    app.UseHsts();
}

app.UseHttpsRedirection();

After all these steps I can't get Strict-Transport-Security. All I get from the response headers is:

cache-control: no-store,no-cache
content-type: application/json; charset=utf-8
pragma: no-cache

HSTS cut headers from the response. Without all the lines of code above (to set up HSTS in my app) I get these response headers:

access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Content-Disposition
cache-control: no-store,no-cache
content-type: application/json; charset=utf-8
date: Fri, 11 Oct 2019 09:21:30 GMT
pragma: no-cache
transfer-encoding: chunked
vary: Origin
x-frame-options: DENY
x-stackifyid: id

So something is wrong with this HSTS setup.

How do I add the HSTS header to the response headers, as I mentioned above? Do I need to hardcode the header in my Configure method?

context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000");

Solution

  • From the official documentation on HTTP Strict Transport Security Protocol (HSTS):

    UseHsts excludes the following loopback hosts:

    • localhost : The IPv4 loopback address.

    • 127.0.0.1 : The IPv4 loopback address.

    • [::1] : The IPv6 loopback address.

    You could try to publish the web app and check the header Strict-Transport-Security.
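As an added example (not code from the question or the answer above), the following Startup shows how the header that UseHsts() emits is configured in ASP.NET Core 2.2, and why it is absent on localhost: the HstsOptions.ExcludedHosts list is pre-populated with localhost, 127.0.0.1 and [::1], and the middleware only adds the header to HTTPS responses. The appsettings.json switch from the question is kept; the hostname added to ExcludedHosts and the MVC registration are assumptions for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Tune the Strict-Transport-Security header that UseHsts() emits.
        // Without AddHsts the defaults are max-age of 30 days, no includeSubDomains, no preload.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365); // emitted as max-age=31536000
            options.IncludeSubDomains = true;
            options.Preload = false; // only enable once the site meets the preload list requirements

            // ExcludedHosts already contains localhost, 127.0.0.1 and [::1], which is why
            // no header appears when testing against https://localhost:5000.
            // Any further host that must never receive the header goes here (assumed hostname):
            options.ExcludedHosts.Add("staging.internal.example");
        });

        services.AddHttpsRedirection(options =>
        {
            options.HttpsPort = 5000; // matches the https URL in launchSettings.json
        });

        services.AddMvc(); // assumed: the question's app serves JSON from MVC controllers
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Same appsettings.json switch as in the question, read with the colon path syntax.
        var hstsEnabled = Configuration.GetValue<bool>("Hsts:HstsEnable");

        // Browsers cache HSTS for MaxAge, so never send it from a development environment:
        // every http://localhost site would then be forced to https by the same browser.
        if (hstsEnabled && !env.IsDevelopment())
        {
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        app.UseMvc();
    }
}
```

To confirm the setting, request the published site over HTTPS under its real hostname and look for Strict-Transport-Security in the response; an HTTP request, or any request whose Host header matches an entry in ExcludedHosts, will never carry it, which is the behaviour the accepted answer describes.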