HTTP Strict Transport Security (HSTS)
- Before the browser is redirected to HTTPS, a Man-in-the-Middle attack is possible.
- HSTS prevents the browser from using HTTP again for the given time.
- HSTS does not redirect; the browser itself refuses plain HTTP for the host. Use chrome://net-internals/#hsts to manage HSTS entries in Chrome.
Method 1: SSL with the RequireHttps attribute
- Set "Enable SSL" in `Project Settings` ↦ `Debug` ↦ `Web Server Settings`
using Microsoft.AspNetCore.Mvc;

// Every action of this controller is rejected or redirected when requested over plain HTTP.
[RequireHttps]
public sealed class MyController : Controller
{
    // ...
}
Method 2: SSL with the RequireHttps attribute as a global filter
- Set "Enable SSL" in `Project Settings` ↦ `Debug` ↦ `Web Server Settings`
- Startup.cs
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public sealed class Startup
{
    private IHostingEnvironment HostingEnvironment { get; }

    public Startup(IHostingEnvironment hostingEnvironment)
    {
        HostingEnvironment = hostingEnvironment;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Outside development, require HTTPS for every action by registering
        // RequireHttpsAttribute as a global MVC filter.
        if (!HostingEnvironment.IsDevelopment())
        {
            services.Configure<MvcOptions>(o => o.Filters.Add(new RequireHttpsAttribute()));
        }
        // ...
    }
}
Method 3: HSTS with NWebsec
NuGet: NWebsec.AspNetCore.Middleware
- Startup.cs
// in Startup.Configure(IApplicationBuilder app, IHostingEnvironment env)
if (!env.IsDevelopment())
{
    // NWebsec adds the Strict-Transport-Security header with the given max-age.
    app.UseHsts(h => h.MaxAge(days: 356));
}
Method 4: SSL and HSTS with SecurityHeaders
NuGet: Joonasw.AspNetCore.SecurityHeaders
- Startup.cs
using System;
// UseHttpsEnforcement() and HstsOptions come from the Joonasw.AspNetCore.SecurityHeaders package.

// in Startup.Configure(IApplicationBuilder app, IHostingEnvironment env)
if (!env.IsDevelopment())
{
    app.UseHttpsEnforcement(); // redirect plain HTTP requests to HTTPS
    app.UseHsts(new HstsOptions
    {
        Seconds = (int)TimeSpan.FromDays(30).TotalSeconds,
        IncludeSubDomains = false,
        Preload = false
    });
}
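What the UseHsts() calls in Methods 3 and 4 do under the hood, as an added example that is not from the original page nor from NWebsec or SecurityHeaders: a minimal middleware that writes the Strict-Transport-Security header itself and only on HTTPS responses. ManualHstsOptions, ManualHstsMiddleware and UseManualHsts are names chosen here.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical options type; the property names mirror Method 4 above.
public sealed class ManualHstsOptions
{
    public TimeSpan MaxAge { get; set; } = TimeSpan.FromDays(30);
    public bool IncludeSubDomains { get; set; }
    public bool Preload { get; set; }
}

public sealed class ManualHstsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _headerValue;
    public ManualHstsMiddleware(RequestDelegate next, ManualHstsOptions options)
    {
        _next = next;
        _headerValue = BuildHeaderValue(options);
    }
    // RFC 6797 syntax: "max-age=<seconds>[; includeSubDomains][; preload]".
    public static string BuildHeaderValue(ManualHstsOptions o)
    {
        var value = "max-age=" + (long)o.MaxAge.TotalSeconds;
        if (o.IncludeSubDomains) value += "; includeSubDomains";
        if (o.Preload) value += "; preload"; // only once the site is ready for the preload list
        return value;
    }
    public Task Invoke(HttpContext context)
    {
        // Browsers ignore this header when it arrives over plain HTTP (RFC 6797, section 8.1),
        // so it is only attached to HTTPS responses; the HTTP-to-HTTPS redirect from
        // Methods 1, 2 and 4 therefore remains necessary for the very first visit.
        if (context.Request.IsHttps)
        {
            context.Response.Headers["Strict-Transport-Security"] = _headerValue;
        }
        return _next(context);
    }
}

public static class ManualHstsExtensions
{
    // Usage in Startup.Configure: if (!env.IsDevelopment()) app.UseManualHsts(new ManualHstsOptions { IncludeSubDomains = true });
    public static IApplicationBuilder UseManualHsts(this IApplicationBuilder app, ManualHstsOptions options)
        => app.UseMiddleware<ManualHstsMiddleware>(options);
}
```

With the defaults above the header sent is `max-age=2592000`; the middleware is registered after the HTTPS redirect so that a redirected request reaches it over TLS.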
Sources
- Joonas Westlin: HTTP Strict Transport Security (HSTS) in ASP.NET Core. 22 January 2017, retrieved 12 May 2017 (in English).