skoruba / IdentityServer4.Admin

The administration for the IdentityServer4 and Asp.Net Core Identity
MIT License

HSTS is improperly configured #483

Closed b0 closed 4 years ago

b0 commented 4 years ago

Hi @skoruba ,

there is a problem with HSTS implementation both in STS and Admin project https://github.com/skoruba/IdentityServer4.Admin/blob/7ec3b94cef55ffa5e6b677e2be8ab68287d21439/src/Skoruba.IdentityServer4.STS.Identity/Helpers/StartupHelpers.cs#L99

Both cases use HSTS regardless of whether the code is running in development mode or not, while the documentation clearly says:

UseHsts isn't recommended in development because the HSTS settings are highly cacheable by browsers. By default, UseHsts excludes the local loopback address.

Unfortunately there is one more issue. Documentation says:

UseHsts excludes the following loopback hosts: localhost: The IPv4 loopback address. 127.0.0.1: The IPv4 loopback address. [::1]: The IPv6 loopback address.

But this UseHsts is from NWebsec.AspNetCore.Middleware and does not follow the rules above!

Anyway, I propose we move app.UseHsts back to Startup.cs into the else statement and use the Microsoft-provided implementation. https://github.com/skoruba/IdentityServer4.Admin/blob/be6fc55a61d890378dd21f9110c2850e963a487f/src/Skoruba.IdentityServer4.STS.Identity/Startup.cs#L55-L58

Any thoughts?

Thank you
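The Startup.cs shape that the proposal above describes, written out as an added example for this page (it is not code from the issue, from the linked commits, or from the IdentityServer4.Admin project). It uses only the Microsoft HSTS middleware from Microsoft.AspNetCore.HttpsPolicy, gates app.UseHsts() on the environment, and assumes the ASP.NET Core 3.x template shape (IWebHostEnvironment; the Identity/IdentityServer registrations are elided as comments):

```csharp
// Added example: Startup.cs wiring as described in the proposal above.
// Illustrative code written for this page, not the project's own Startup.cs;
// the class layout follows the stock ASP.NET Core 3.x template and the
// project-specific registrations are left out.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Microsoft's HSTS implementation (Microsoft.AspNetCore.HttpsPolicy).
        // These options only take effect when app.UseHsts() is actually in
        // the pipeline, which below happens outside Development only.
        services.AddHsts(options =>
        {
            // Default MaxAge is 30 days; a year is the commonly recommended value.
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            // Leave Preload off until the domain is ready to be submitted
            // to the browser preload list; it cannot be undone quickly.
            options.Preload = false;
            // localhost, 127.0.0.1 and [::1] are already in ExcludedHosts by
            // default. Any other host that must never receive the header is
            // added here (assumed hostname, for illustration only).
            // options.ExcludedHosts.Add("staging.example.test");
        });

        // ... MVC, ASP.NET Core Identity and IdentityServer registrations omitted
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // No HSTS in Development: the browser caches the policy for
            // MaxAge and would keep forcing HTTPS on this host long after
            // the dev session is over.
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // Production-like environments emit Strict-Transport-Security.
            app.UseHsts();
        }

        app.UseHttpsRedirection();
        // ... static files, routing, IdentityServer and endpoint middleware omitted
    }
}
```

To check the result, request the site over HTTPS from each environment and look for the header, for example `curl -skI https://localhost:5001/ | grep -i strict-transport-security` (the port is an assumption from the default template). In Development the header must be absent; in any other environment it must be present with the configured max-age, and it must still be absent on the loopback hosts because of the default exclusions.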

skoruba commented 4 years ago

Hi @b0 - thanks for reporting this, I agree with you, it should not be used for dev.