Strict Transport Security header missed in API response

Kumar, Vipin [ext] 20

Hi Team,

We are using the .Net core 8.0(long term support version) for our .Net Core services , we enabled the HSTS at service level by using the

// HSTS Security Headers 
services.AddHsts(options =>
{
options.Preload = true;
options.IncludeSubDomains = true;
options.MaxAge = TimeSpan.FromHours(1);
});
 app.UseHsts();

But when we deployed the services on our stage env and try to call the api and verify the response header Strict Transport Security we missed in response.

pls help me to trouble shoot this.

Kumar, Vipin [ext] 20

Hi Still faced the same issue after applying all the possible combination.

This is code for my startup.cs file that include the HSTS configuration.

using Azure.Identity;

using Azure.Monitor.Query;

using emory.app.service.config;

using emory.app.service.cosmosdb.Extensions;

using emory.app.service.filter;

using emory.app.service.http.client;

using emory.app.service.http.client.Interfaces;

using emory.app.service.mediastorage;

using emory.app.service.mediastorage.Interfaces;

using emory.app.service.model.hdp;

using emory.app.service.redis.implementation;

using emory.app.service.redis.interfaces;

using emory.app.service.servicebus.Publishers;

using emory.app.service.servicebus.Publishers.Interfaces;

using emory.hdp.service.api.extensions;

using emory.hdp.service.api.HealthCheck;

using emory.hdp.service.client.implementation;

using emory.hdp.service.client.interfaces;

using emory.hdp.service.eventhandler;

using emory.hdp.service.eventhandler.Identity;

using emory.hdp.service.eventhandler.Interfaces;

using emory.hdp.service.eventpublisher;

using emory.hdp.service.eventpublisher.Identity;

using emory.hdp.service.eventpublisher.Interfaces;

using emory.hdp.service.repository.implementation;

using emory.hdp.service.repository.interfaces;

using emory.hdp.service.service;

using emory.hdp.service.service.implementation;

using emory.hdp.service.service.interfaces;

using emory.hdp.service.storage;

using emory.hdp.service.storage.Interfaces;

using Microsoft.AspNetCore.Builder;

using Microsoft.AspNetCore.Hosting;

using Microsoft.AspNetCore.Http;

using Microsoft.Extensions.Azure;

using Microsoft.Extensions.Configuration;

using Microsoft.Extensions.DependencyInjection;

using Microsoft.Extensions.Diagnostics.HealthChecks;

using Microsoft.Extensions.Hosting;

using Microsoft.OpenApi.Models;

using StackExchange.Redis;

using System;

using System.Diagnostics.CodeAnalysis;

using System.IO;

using System.Linq;

using System.Net;

using emoryConfig = emory.app.service.config;

using hdpConfig = emory.hdp.service.core.Config;

namespace emory.hdp.service.api

{

/// <summary>

/// Startup

/// </summary>

[ExcludeFromCodeCoverage]

public class Startup

{

    readonly string _AllowedSpecificOrigins = "EmoryAllowedSpecificOrigins";

    /// <summary>

    /// Startup

    /// </summary>

    /// <param name="configuration"></param>

    public Startup(IConfiguration configuration)

    {

        Configuration = configuration;

    }

    /// <summary>

    /// Configuration

    /// </summary>

    public IConfiguration Configuration { get; }

    /// <summary>

    /// ConfigureServices

    /// </summary>

    /// <param name="services"></param>

    // This method gets called by the runtime. Use this method to add services to the container.

    public void ConfigureServices(IServiceCollection services)

    {

        ReadConfig();

        services.AddControllers(ops => ops.Filters.Add(typeof(ModelValidationFilter)))

            .AddJsonOptions(opts => opts.JsonSerializerOptions.PropertyNamingPolicy = null);

        services.AddApiVersioning(x => { x.ReportApiVersions = true; x.UseApiBehavior = false; });

        services.AddCustomAuthentication(Configuration);

        services.AddAzureClients(builder =>

        {

            try

            {

                builder.AddClient<LogsQueryClient,DefaultAzureCredentialOptions>(options => {

                   var defaultAzureCredentialOptions = new DefaultAzureCredentialOptions { ManagedIdentityClientId = Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId] };

                   return  new LogsQueryClient(new DefaultAzureCredential(defaultAzureCredentialOptions));                        

                });

                builder.UseCredential(new DefaultAzureCredential());

            }

            catch (Exception ex)

            {

                throw new Exception($"Error loading AddAzureClient: {Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]}", ex);

            }

        });

        // The following line enables Application Insights telemetry collection.

        //services.AddApplicationInsightsTelemetry(Configuration[hdpConfig.AppConfigConstants.HDP_Service_Appinsights_Instrumentationkey]);

        services.AddApplicationInsightsTelemetry(opt => {

            opt.EnablePerformanceCounterCollectionModule = false;

            opt.ConnectionString = Configuration[hdpConfig.AppConfigConstants.HDP_Service_Appinsights_Instrumentationkey];

        });

        services.AddSingleton<IExternalApiExectionHelperService, ExternalApiExecutionHelperService>();

        

        services.AddSingleton<IHDPAlgoResultService, HDPAlgoResultService>();

        services.AddSingleton<IHDPVTAlgoResultService, HDPVTAlgoResultService>();

        services.AddSingleton<IHDPVideoRepositroy, HDPVideoRepository>();

        services.AddSingleton<IRecycleBinRepository, RecycleBinRepository>();

        services.AddSingleton<IKPIMetricRepository, KPIMetricRepository>();

        services.AddSingleton<IHDPAlgoResultRepositroy, HDPAlgoResultRepositroy>();

        services.AddSingleton<IHDPVTAlgoResultRepositroy, HDPVTAlgoResultRepositroy>();

        services.AddSingleton<IHDPVideoService, HDPVideoService>();

        services.AddSingleton<IHDPDBRespository>(provider => ActivatorUtilities.CreateInstance<HDPDBRespository>(provider, Configuration[hdpConfig.AppConfigConstants.Hdp_Videos_Db_ContainerName]));

        services.AddSingleton<IHDPAlgoDBRespository>(provider => ActivatorUtilities.CreateInstance<HDPAlgoDBRespository>(provider, Configuration[hdpConfig.AppConfigConstants.Hdp_AlgoResult_Db_ContainerName]));

        services.AddSingleton<IHDPVTAlgoDBRepository>(provider => ActivatorUtilities.CreateInstance<HDPVTAlgoDBRepository>(provider, Configuration[hdpConfig.AppConfigConstants.Hdp_VTAlgoResult_Db_ContainerName]));

        services.AddSingleton<IEventStreamDBRepository>(provider => ActivatorUtilities.CreateInstance<EventStreamDBRepository>(provider, Configuration[hdpConfig.AppConfigConstants.Event_Stream_Db_ContainerName]));

        services.AddSingleton<IRefractiveAlgoDbRepository>(provider => ActivatorUtilities.CreateInstance<RefractiveAlgoDbRepository>(provider, Configuration[hdpConfig.AppConfigConstants.Refractive_AlgoResult_ContainerName]));

        services.AddSingleton<IHDPVideoProcessClient, HdpVideoProcessClient>();

        services.AddSingleton<IWorker, Worker>();

        services.AddSingleton<ITableClientService, TableClientService>();

        services.AddSingleton<ITokenService, TokenService>();

        services.AddSingleton<IPrivateModeStateService, PrivateModeStateService>();

       

        services.AddSingleton<IRedisService, RedisService>();

        services.AddHttpClient();         

        services.AddSingleton<IEPdfToThumbnailService>(provider => ActivatorUtilities.CreateInstance<EPdfToThumbnailService>(provider, Configuration[hdpConfig.AppConfigConstants.PDF_THUMBNAIL_CONTAINER]));

        //crop service

        services.AddSingleton<ICropOctImageService>(provider => ActivatorUtilities.CreateInstance<CropOctImageService>(provider, Configuration[hdpConfig.AppConfigConstants.OCT_IMAGE_CROP_CONTAINER]));

        services.AddSingleton<IBlobStorageService, BlobStorageService>();

        services.AddSingleton<IMediaStorageService, DefaultCredntialStorageService>();

        //VTAlgo Service

        services.AddSingleton<IVtAlgoBlobStorageService>(provider => ActivatorUtilities.CreateInstance<VtAlgoBlobStorageService>(provider, Configuration[hdpConfig.AppConfigConstants.VTAlgoResult_Blob_ContainerName], Configuration[hdpConfig.AppConfigConstants.VTAlgoResult_Blob_StorageEndpointUrl]));

        services.AddSingleton<IVtAlgoBlobDeleteQueueConsumer>(provider => ActivatorUtilities.CreateInstance<VtAlgoBlobDeleteQueueConsumer>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.VtAlgoBlobDeleteQueue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

                   

        services.AddSingleton<IDeleteVideoPublisher>(provider => ActivatorUtilities.CreateInstance<DeleteVideoQueuePublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.VIDEO_DELETE_QUEUE], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddSingleton<IReclassificationResultPublisher>(provider => ActivatorUtilities.CreateInstance<ReclassificationResultPublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[AppConfigConstants.MediaDownloadUrlProcessQueue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        //thumbnail services

        services.AddSingleton<IThumbnailImageService>(provider => ActivatorUtilities.CreateInstance<ThumbnailImageService>(provider, Configuration[hdpConfig.AppConfigConstants.HDP_THUMBNAIL_CONTAINER]));

        //audit logs

        services.AddSingleton<IAuditLogPublisher>(provider => ActivatorUtilities.CreateInstance<AuditLogPublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[emory.app.service.config.AppConfigConstants.AUDITLOG_QUEUE], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        //Kpi metric Surgeoninfo publisher

        services.AddSingleton<IKPIMerticPublisher>(provider => ActivatorUtilities.CreateInstance<KPIMerticPublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.kpi_metric_dbqueue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddSingleton<IConnectionMultiplexer>(ConnectionMultiplexer.Connect(Configuration[emoryConfig.AppConfigConstants.EmoryRedisConnectionString]));

        services.AddScoped<IHDPVideoAdminService, HDPVideoAdminService>();

        services.AddSingleton<IHdpMediaPlayerService, HdpMediaPlayerService>();

        services.AddScoped<ICosmosAdminService, CosmosAdminService>();

        //recyclebin

        services.AddSingleton<IRecycleBinService, RecycleBinService>();

        services.AddSingleton<IUserFavDbQueuePublisher>(provider => ActivatorUtilities.CreateInstance<UserFavDbQueuePublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.Fav_Db_Queue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddSingleton<IRecycleBinDbRepository>(provider => ActivatorUtilities.CreateInstance<RecycleBinDbRepository>(provider, Configuration[hdpConfig.AppConfigConstants.RecycleBin_Db_ContainerName]));

        services.AddSingleton<IKPIMetricDbRepository>(provider => ActivatorUtilities.CreateInstance<KPIMetricDbRepository>(provider, Configuration[hdpConfig.AppConfigConstants.KPI_Metric_Db_ContainerName]));

        services.AddSingleton<IRecycleBinDbQueueConsumer>(provider => ActivatorUtilities.CreateInstance<RecycleBinDbQueueConsumer>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.RecycleBin_Db_Queue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddSingleton<IRecycleBinDbQueuePublisher>(provider => ActivatorUtilities.CreateInstance<RecycleBinDbQueuePublisher>(provider, Configuration[hdpConfig.AppConfigConstants.ServicebusNamespace], Configuration[hdpConfig.AppConfigConstants.RecycleBin_Db_Queue], Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddSingleton<ILogRetreiver>(provider => ActivatorUtilities.CreateInstance<LogRetriever>(provider, Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]));

        services.AddMvc();

        services.AddHealthChecks()

           .AddCosmosDb(Configuration[hdpConfig.AppConfigConstants.CosmosDbConnectionString]

           , tags: new[] {

            "DB",

            "all"

           }, failureStatus: HealthStatus.Unhealthy);

           

        services.AddCosmosDb(new CosmosClientModel

        {

            ConnectionString = "AccountEndpoint=" + Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Account] + ";AccountKey=" + Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Key],

            DbName = Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Name],

            AccountName = Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Account_Name],

            EndpointUrl = Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Account],

            ResourceGroupName = Configuration[hdpConfig.AppConfigConstants.ResourceGroupName],

            DataBasePrimeryKey = Configuration[hdpConfig.AppConfigConstants.COSMOS_DATABASE_Key],

            SubscriptionId = Configuration[hdpConfig.AppConfigConstants.SubscriptionId],

            ManagedClientId = Configuration[hdpConfig.AppConfigConstants.ManagedIdentityClientId]

        },Configuration["DbContainers"]);

        

        // HSTS Security Headers 

        services.AddHsts(options =>

        {

            options.Preload = true;

            options.IncludeSubDomains = true;

            options.MaxAge = TimeSpan.FromDays(365);

        });

        //enable cors

        ConfigureCors(services);

        services.AddSwaggerGen(c =>

        {

            c.CustomSchemaIds(type=>type.ToString());

            c.SwaggerDoc("v1", new OpenApiInfo

            {

                Version = "v1",

                Title = "Emory HDP Service",

                Description = "These microservices describes the Emory HDP service intregation functionality."

            });

            c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme

            {

                In = ParameterLocation.Header,

                Description = "Please enter into field the word 'Bearer' following by space and JWT",

                Name = "Authorization"

            });

            c.AddSecurityRequirement(new OpenApiSecurityRequirement

            {

                    {

                new OpenApiSecurityScheme

                {

                    Reference=new OpenApiReference

                    {

                        Type=ReferenceType.SecurityScheme,

                        Id="Bearer"

                    }

                },

                new string[]{ }

                }});

            var xmlFiles = Directory.GetFiles(AppContext.BaseDirectory, "*.xml", SearchOption.TopDirectoryOnly).ToList();

            xmlFiles.ForEach(xmlFile => c.IncludeXmlComments(xmlFile, true));

        });

        services.AddHsts(options =>

        {

            options.Preload = true;

            options.IncludeSubDomains = true;

            options.MaxAge = TimeSpan.FromDays(365);

        });

    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.

    /// <summary>

    /// Configure

    /// </summary>

    /// <param name="app"></param>

    /// <param name="env"></param>

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

    {

        if (env.IsDevelopment())

        {

            app.UseDeveloperExceptionPage();

        }

        app.UseXfo(options => options.SameOrigin());

        app.UseXContentTypeOptions();

        app.UseXXssProtection(options => options.EnabledWithBlockMode());

        app.UseCsp(options => options

         .DefaultSources(s => s.Self())

         .ConnectSources(s => s.Self())

         .ImageSources(s => s.Self())

          .FrameAncestors(s => s.None())

         .StyleSources(s => s.Self()

          .UnsafeInline()

         )

       .ScriptSources(s => s.Self()

        .UnsafeInline()

        .UnsafeEval()

        )

         );

        app.UseAuthentication();

        app.UseHttpsRedirection();

        app.UseHsts();

        app.UseGlobalErrorHandler();

        app.UseRouting();

        app.UseAuthorization();

        app.UseCors(_AllowedSpecificOrigins);

        app.UseEndpoints(endpoints =>

        {

            endpoints.MapControllers();

            endpoints.MapCustomHealthChecks("HealthCheck");

        });

        app.UseSwagger(

        c =>

        {

            c.RouteTemplate = "emoryhdpservice/swagger/{documentName}/swagger.json";

        });

        app.UseSwaggerUI(c =>

        {

            c.SwaggerEndpoint("/emoryhdpservice/swagger/v1/swagger.json", "Emory HDP Service API");

            c.RoutePrefix = "emoryhdpservice/swagger";

        });

       

        app.Use(async (context, next) =>

        {             

                context.Response.Headers["Cache-Control"] = "no-cache, no-store, must-revalidate";

                context.Response.Headers["Pragma"] = "no-cache";

                context.Response.Headers["Expires"] = "0";

                await next.Invoke();

        });

    }

    private void ConfigureCors(IServiceCollection services)

    {

        services.AddCors(options =>

        {

            options.AddPolicy(name: _AllowedSpecificOrigins,

            builder =>

            {

                if (Configuration["CorsDomains"] != null && !string.IsNullOrEmpty(Configuration["CorsDomains"]))

                {

                    var allowedDomains = Configuration["CorsDomains"].Split(',');

                    builder.WithOrigins(allowedDomains).

                      AllowAnyHeader().

                      AllowAnyMethod().

                      AllowCredentials();

                }

            });

        });

    }

    private void ReadConfig()

    {

        AmsSettings ams = new AmsSettings(Configuration);

        Settings.Init(ams, null, null);

    }

}

}

Kumar, Vipin [ext] 20 Reputation points

2024-09-12T11:27:45.3066667+00:00

Hi @Michael Taylor, As per our suggestion, startup code always execute before the routing and we configured all the HSTS in statup.cs only and we are ensure it's always call before the routing only.
Michael Taylor 53,971 Reputation points

2024-09-12T21:24:00.6633333+00:00

What library are you using to add the UseCsp functionality? This isn't built into ASP.NET Core. A lot of MS examples use NWebSec and that looks like what you're using here.

Looking at your code I don't see anything wrong. Are the CSP, X-Content-Type-Options and other headers showing up in the response? That would indicate the CSP rules are being applied correctly.

There are some things to consider about HSTS though that may impact the behavior you're seeing. Firstly HSTS doesn't apply to local addresses so if the URL is localhost or 127.0.0.1 then the server won't send the HTTP header back in the response. A quick way to work around this locally is to add an entry to your hosts file that maps a custom domain (e.g. mydomain.org) to your local IP. Then change your app's launch settings to use that URL instead of localhost. Also note that HSTS only applies to HTTPS so you must connect to your server using HTTPS otherwise it has no effect.

The other thing that stands out is that you're passing preload as true. This will really mess up your HSTS settings. In order to set this to true you first must be on the preload list which is a managed list that most companies other than very large ones is going to be on. Secondly this effectively hard codes the data into the browser. The only way to update that is to wait for a browser update to provide the updated codes. So once it is set you are basically stuck. It isn't really something you should be setting, definitely not in non-prod code nor without a static domain and settings that will likely never change.
Kumar, Vipin [ext] 20 Reputation points

2024-09-16T06:39:41.8166667+00:00

Yes i am able to see all the CSP rule only Strict-Transport-Security is missed. One observation i found when i run the service local/dev environment, I m able to see the Strict-Transport-Security header, But when deploy the same code on stage environment and try to call the api , same missed in api call.

Local Env API Call

But when call stage env same api call :

Stage API Call -
Michael Taylor 53,971 Reputation points

2024-09-16T13:28:42.16+00:00

Did you remove the preload flag set to true? If that is set and the browser hasn't been updated in code to support your domain then it won't work.
Kumar, Vipin [ext] 20 Reputation points

2024-09-17T07:29:35.0733333+00:00

Yes, in latest change i removed that preload set to true. but still on stage env i am not able to see the that value in header
Michael Taylor 53,971 Reputation points

2024-09-17T13:59:12.93+00:00

In your code you posted earlier you actually called AddHsts twice. Did you remove the second call? You should only call it once.

Accepted answer

Michael Taylor 53,971 Reputation points

2024-08-14T17:52:46.2833333+00:00

HSTS doesn't really apply to APIs. HSTS is for browsers and only browsers enforce them when dealing with rendering. API calls can, in theory, include them but they have no effect, by design. Refer to the docs here where it discusses this in more detail.

APIs should require HTTPS only and HSTS becomes a mostly mute point after that. If you really, really want to include HSTS headers, even though they have no effect, then you should first confirm it is working locally. Then confirm that you have the calls in the right order. Many of the extension methods require that you call them at specific points in the creation pipeline otherwise they don't work. This is one of the troubling issues with the ASP.NET pipeline. The docs I mentioned earlier show where in the pipeline these calls need to happen.
Please sign in to rate this answer.
Kumar, Vipin [ext] 20 Reputation points

2024-08-16T03:36:12.34+00:00

Hi , thanks for ur reply, but i have seen multiple article where they mention in .Net Core you can configure the HSTS in same may i did and they shown the response header also with HSTS. But i unable to do that

Michael Taylor 53,971 Reputation points

2024-08-16T14:41:40.8933333+00:00

Yes you can enable HSTS for an API just like you can for a regular web app. ASP.NET Core is the same pipeline between MVC and APIs, it just depends on how you configure things. Following the steps in the link I gave shows how to set this up. If you follow that process then API calls will have HSTS headers as well, although they won't do anything.

BUT, as I mentioned, ordering is important. You cannot just throw those calls into your startup and expect them to work. The pipeline requires that things get added in a certain order. In general most everything has to be registered BEFORE you call AddRoute or similar extensions to set up the API routing. Here's what I would check:

Ensure your call to AddHsts occurs before routing is configured.

Ensure you are not conditionally calling AddHsts. The boilerplate code that is generated with templates, IIRC, disables HSTS for local development. Ensure it is being called in your environment.

Ensure that UseHsts is called as part of the post-build app startup code. Without that the registering of the services does nothing.

If you still cannot get it to work then create a brand new ASP.NET Core MVC project. Look at the app startup code and compare the logic around AddHsts and UseHsts with what you're doing. Ensure they are occurring in the same place in the pipeline.

If none of that works then post your startup code (including all the calls to register the builtin services, like AddAuthorization, but you can leave out your custom service registrations. Also include the post-build app startup code including all the builtin services, like UseAuthorization.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Strict Transport Security header missed in API response

0 additional answers

Your answer