csharpfritz / CoreWiki

A simple ASP.NET Core wiki that we are working on during live coding streams
MIT License
416 stars 157 forks

Change HSTS headers #293

Closed blowdart closed 6 years ago

blowdart commented 6 years ago

You should only configure HSTS in !development. `app.UseHsts(options => options.MaxAge(days: 365).IncludeSubdomains());` needs wrapping with an environment check, and when a system uses HSTS for the first time the recommendation is to start with a small value. Start with 5 minutes; see https://hstspreload.org/#deployment-recommendations

csharpfritz commented 6 years ago

Now wrapping the UseHsts setting with !IsDevelopment()
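
The change discussed in this issue, sketched as an added example (not CoreWiki's code and not part of the thread). It uses the HSTS middleware built into ASP.NET Core (`AddHsts` / `UseHsts()`) rather than the fluent overload quoted above; the configuration key `Hsts:MaxAgeMinutes` and the `/` endpoint are hypothetical.

```csharp
// Program.cs: added example, assumes ASP.NET Core with the minimal hosting model.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpsPolicy;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical key. Defaults to the 5-minute starting value recommended in the
// issue, so a first rollout cannot pin browsers to HTTPS for a year by mistake.
// Raise it through configuration once HTTPS is known to work on every host.
int maxAgeMinutes = builder.Configuration.GetValue<int>("Hsts:MaxAgeMinutes", 5);

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromMinutes(maxAgeMinutes);

    // Applies the policy to every subdomain of the serving host. Enable only
    // when all subdomains already serve valid HTTPS.
    options.IncludeSubDomains = true;

    // Leave preload off during the trial period; a preload-list entry is far
    // harder to undo than a short max-age.
    options.Preload = false;
});

var app = builder.Build();

// The environment check requested in the issue: no Strict-Transport-Security
// header from development builds, so a developer's browser does not cache the
// policy for the development host.
if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}

// Browsers ignore HSTS on plain HTTP responses, so redirect HTTP to HTTPS first.
app.UseHttpsRedirection();

app.MapGet("/", () => "ok"); // placeholder endpoint for the example
app.Run();
```

With the default in place, a non-development HTTPS response carries `Strict-Transport-Security: max-age=300; includeSubDomains`. The built-in middleware also skips `localhost`, `127.0.0.1` and `[::1]` by default.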