aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0
1.27k stars, 600 forks

Add support for HTTP Strict Transport Security #31

Closed ghost closed 9 years ago

ghost commented 10 years ago

Continuing discussion from https://github.com/aspnet/Mvc/issues/744#issuecomment-49768062

I would like to propose adding an HTTP Strict Transport Security (HSTS) attribute into the core of ASP.NET. According to OWASP, HTTP Strict Transport Security (HSTS) protects users from a number of threats, in particular man-in-the-middle attacks by not only forcing encrypted sessions, but also stopping attackers who use invalid digital certificates.

Although developers can write middleware themselves, I believe a fully tested implementation would be a benefit and prevent inconsistencies within developer code (for example, developers may overlook the ability to add the subdomains suffix).

Following the advice of the previously mentioned thread, I have created a NuGet package with a test implementation here, with the project site being located here.

If you think that this feature would add value, I will happily submit the code via a PR.

cc/ @yishaigalatzer

Tratcher commented 10 years ago

Side note: Your implementation won't work in many scenarios. https://github.com/sblackler/Owin.Hsts/blob/master/Owin.Hsts/HstsMiddleware.cs#L27

The response headers can be sent during the call to Next, so changes done after Next may fail. You should move all that logic to the OnSendingHeaders event. See http://owin.org/spec/CommonKeys.html
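The pattern Tratcher describes, as an added example that is not code from Owin.Hsts or this repository: a raw OWIN middleware that registers the HSTS header through the `server.OnSendingHeaders` hook from the OWIN common keys, falling back to setting it before `Next` on hosts without the hook. The class and constructor parameters are assumed names; the environment keys are the ones defined by the OWIN spec.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

// Hypothetical middleware; only OWIN spec keys are used.
public sealed class HstsMiddleware
{
    private readonly AppFunc _next;
    private readonly string _headerValue;

    public HstsMiddleware(AppFunc next, TimeSpan maxAge, bool includeSubDomains)
    {
        _next = next;
        _headerValue = "max-age=" + (long)maxAge.TotalSeconds
            + (includeSubDomains ? "; includeSubDomains" : "");
    }

    public Task Invoke(IDictionary<string, object> env)
    {
        // Broken pattern (what the thread points out): set the header after Next.
        // If the downstream app already flushed the response, the write is lost.
        //   await _next(env);
        //   headers["Strict-Transport-Security"] = ...;   // too late

        // Correct pattern: register a callback that the host runs just before
        // response headers are sent, regardless of who triggers the flush.
        object onSendingHeaders;
        if (env.TryGetValue("server.OnSendingHeaders", out onSendingHeaders))
        {
            ((Action<Action<object>, object>)onSendingHeaders)(AddHeader, env);
        }
        else
        {
            AddHeader(env); // host lacks the hook: set it eagerly, before Next runs
        }
        return _next(env);
    }

    private void AddHeader(object state)
    {
        var env = (IDictionary<string, object>)state;
        // RFC 6797: browsers ignore HSTS received over plain HTTP, so emit it on HTTPS only.
        var scheme = env["owin.RequestScheme"] as string;
        if (!string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase)) return;

        var headers = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
        headers["Strict-Transport-Security"] = new[] { _headerValue };
    }
}
```

With Microsoft.Owin's builder this would be wired up as `app.Use(typeof(HstsMiddleware), TimeSpan.FromDays(365), true)`; the same `OnSendingHeaders` hook is exposed there as `context.Response.OnSendingHeaders`.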

ghost commented 10 years ago

Ah, I didn't realise that was there. I'll fix that this evening when I get a chance.

ghost commented 10 years ago

Updated to use OnSendingHeaders (commit: https://github.com/sblackler/Owin.Hsts/commit/f69e78df94ccfabc1fd8000717717cf42d9201b7)

Eilon commented 9 years ago

@blowdart

blowdart commented 9 years ago

Given multiple implementations, including nwebsec from @klings I don't feel providing a more limited middleware is that useful.

ghost commented 9 years ago

@blowdart thanks for the info about nwebsec. Didn't realise that existed (don't know if it did a year ago when I started this). I think it would be good to raise awareness for stuff like this, maybe through a blog post or something? :)

blowdart commented 9 years ago

That would be a good idea. I'll find someone that blogs and poke them with a stick.

StefanOssendorf commented 9 years ago

Or https://github.com/StefanOssendorf/SecurityHeadersMiddleware/ ;-)