Azure Kubernetes Service (AKS) uses Application Gateway Ingress Controller (AGIC) : How to implement HSTS header in ASP.Net Core 6.0?
An action item from the security scan is to implement HSTS header in ASP.Net Core 6.0 WebAPI.
A WebAPI application is deployed on AKS using Application Gateway Ingress Controller. SSL termination occurs at the Application Gateway. Application Gateway Ingress Controllers and PODs communicate using HTTP.
In this case, is it necessary to implement HSTS? In that case, what infrastructure requirements are needed?
The HSTS header is a browser only instruction. It informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
In this case, is it necessary to implement HSTS?
If your application hosted in AKS is a web application which will load in browser then, yes. However, as you mentioned, if it is only an API then it does not make much sense.
This is also documented on MSDN:
HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.
That said, assuming your application is a web application, to implement it with AGIC, you will have to first configure rewrite ruleset on the app gateway. This can be done from portal or with PowerShell:
# Create RuleSet
$responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Strict-Transport-Security" -HeaderValue "max-age=31536000; includeSubDomains; preload"
$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $responseHeaderConfiguration
$rewriteRule = New-AzApplicationGatewayRewriteRule -Name HSTSHeader -ActionSet $actionSet
$rewriteRuleSet = New-AzApplicationGatewayRewriteRuleSet -Name SecurityHeadersRuleSet -RewriteRule $rewriteRule
# apply the ruleset to your app gateway
$appgw = Get-AzApplicationGateway -Name "yourgw" -ResourceGroupName "yourgw-rg"
Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name $rewriteRuleSet.Name -RewriteRule $rewriteRuleSet.RewriteRules
Set-AzApplicationGateway -ApplicationGateway $appgw
Next, to map the RuleSet to your ingress path, use the annotation on your ingress definition to reference the Ruleset:
appgw.ingress.kubernetes.io/rewrite-rule-set: SecurityHeadersRuleSet
- What will happen to evicted pods in kubernetes?
- Mongo DB deployment not working in kubernetes because processor doesn't have AVX support
- Flux not decrypting using SOPS
- Python Kubernetes Client: equivalent of kubectl api-resources --namespaced=false
- Not possible to use containers in Azure Pipelines self-hosted agents deployed as Azure K8s pods
- My kubernetes pods keep crashing with "CrashLoopBackOff" but I can't find any log
- GKE autoscaling
- how do I enable mount propagation in Rancher - Kubernetes feature gates?
- How to resolve unmet dependencies between containerd and runc?
- Shell (ssh) into Azure AKS (Kubernetes) cluster worker node
- How to enable Calico network policy on the existing AKS cluster
- Azure Kubernetes Service (AKS) uses Application Gateway Ingress Controller (AGIC) : How to implement HSTS header in ASP.Net Core 6.0?
- TLS Termination in K8S Gateway API (azure implementation) Resource?
- Any python client method available to get/set env variables of kubernetes deployment
- In Kubernetes, how can I scale a Deployment to zero when idle
- ClusterIssuer Failed to register ACME account: secret already exists
- kubectl - How to restart a deployment (or all deployment)
- Docker Desktop 1node Kubernetes Jenkins share docker.sock from host into agent docker container
- How can I get the prometheus metrics for informer watch operation latency?
- How do I get a certificate (public and private key) into a windows container in AKS?
- How to manage persistent connections in kubernetes
- Port 6443 connection refused when setting up kubernetes
- HashiCorp Vault 403 Permission Denied issue with Kubernetes Auth
- Argo Workflow always using default serviceaccount
- How to skip helm tests deployment in Grafana Tanka
- Unable to Copy data from POD to local using kubectl cp command
- Node had taints that the pod didn't tolerate error when deploying to Kubernetes cluster
- Should Health Checks call other App Health Checks
- AWS EKS External DNS keeps deleting and recreating records
- Helm installation command: connection reset by peer