HTTP Strict Transport Security Protocol (HSTS)

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Recently I came across an interesting problem. Whenever we browsed the website over HTTP, the browser forced all communication over HTTPS. The website was built from the ASP.NET Core API template.

I collected the following data to understand this behavior:


1. Fiddler trace:

I could see that the browser made the request directly over HTTPS. Digging further into the Fiddler traces for the reason, I found the "Strict-Transport-Security" header in the server's response to a previous HTTPS request, which is what instructs the browser to upgrade every later request to HTTPS.

Sample Fiddler trace:

```http
GET https://test.abc.com/Module.API/api/ HTTP/1.1
Host: test.abc.com
Connection: keep-alive
Authorization: Negotiate /NEbJ77YaTcof15QibrvSasdsvhadjsad7m6iTkWdGchv3KoaGHrgrCqTZWl64ik4M7iO9aug4LL21HDQMkHAlOyG36Gjr/Vz2lS0hfica2IvxE80tzxoThv2nz5DXcWZMLevgy8VNAhJS48v5ush+GUXTpEDoOYUAvcNfbqwY0Y5xrjxsCNUuVcRdCmO4jFYTgpVgyts/2wBYp1xw42gbx1Cq5KN+p0ViEf+PSQXg==
Accept: application/json, text/plain, */*
Origin: http://test.abc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Referer: http://test.abc.com/Module/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Vary: Origin
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://test.abc.com
Strict-Transport-Security: max-age=2592000
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYG2MIGzoAMsdhkfbsdkjfsdnfjknsdfsdfsdfsdfsdfsdfsdfsadfsdfYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCasnmfbaskjdbhkdjsnadkj4sd5CbptpCO0v4tvWvQKMco745S1TnexO8DAyiFisfkjsdhfkjsdfhjksdfhkjsdfhYsTanvczTYCXEQ3vCzghafdghasdflb4/SDsdasdsasdNBb1E=
Date: Wed, 16 Oct 2019 15:11:18 GMT
Content-Length: 175
```

2. FREB trace:

I collected FREB (IIS Failed Request Tracing) traces to see which module was setting the header.

Sample FREB trace:

```text
67. NOTIFY_MODULE_START ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotification="false" 15:11:16.463
68. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-TOKEN", HeaderValue="48e345b8-404c-4891-934b-5f6b58489014", Replace="true" 15:11:17.260
69. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-WINAUTHTOKEN", HeaderValue="63c", Replace="true" 15:11:17.260
70. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="10.0.0.1:50010", Replace="true" 15:11:17.260
71. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-Proto", HeaderValue="https", Replace="true" 15:11:17.260
72. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-CLIENTCERT", HeaderValue="", Replace="true" 15:11:17.260
73. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 15:11:17.260
74. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Type", HeaderValue="application/json; charset=utf-8", Replace="true" 15:11:18.744
75. GENERAL_SET_RESPONSE_HEADER HeaderName="Server", HeaderValue="Kestrel", Replace="true" 15:11:18.744
76. GENERAL_SET_RESPONSE_HEADER HeaderName="Vary", HeaderValue="Origin", Replace="true" 15:11:18.744
77. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Credentials", HeaderValue="true", Replace="false" 15:11:18.744
78. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Origin", HeaderValue="http://test.abc.com", Replace="false" 15:11:18.744
79. GENERAL_SET_RESPONSE_HEADER HeaderName="Strict-Transport-Security", HeaderValue="max-age=2592000", Replace="false" 15:11:18.744
80. NOTIFY_MODULE_COMPLETION ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", CompletionBytes="0", ErrorCode="The operation completed successfully. (0x0)" 15:11:18.744
```

OBSERVATION & CAUSE:

- HSTS can be enabled in IIS, in configuration files, or in application code. In this scenario we did not see any HSTS configuration in IIS or in the configuration files.

- We found that the UseHsts function was called in the application code.

- So HSTS was being enforced by the application code. The FREB trace is consistent with this: the Strict-Transport-Security response header is set while the AspNetCoreModule is executing the request handler, not by any IIS module.

RECOMMENDATION:

If HSTS is not enabled in IIS or in the configuration files, revisit the application code and check whether the following calls are present in the Configure method:

```csharp
app.UseHttpsRedirection();

app.UseHsts();
```
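The Startup shape that produces the header seen in the traces, as an added example (not the post's own code): the call order of the default ASP.NET Core API template with the HSTS options spelled out. It assumes ASP.NET Core 3.0 or later (IWebHostEnvironment); the framework's default MaxAge is 30 days, which is exactly the max-age=2592000 in the Fiddler and FREB traces above, so a bare UseHsts() with no AddHsts call already yields that value.

```csharp
// Added example, not the original post's code. Standard ASP.NET Core 3.x names.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Without AddHsts the middleware uses its defaults: MaxAge = 30 days,
        // i.e. "Strict-Transport-Security: max-age=2592000". Stating the policy
        // explicitly makes it visible in code review instead of implicit.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(30);   // 2592000 seconds
            options.IncludeSubDomains = false;        // widen only when every subdomain serves HTTPS
            options.Preload = false;                  // browser preload lists are a deliberate opt-in
            // localhost, 127.0.0.1 and [::1] are excluded by default;
            // options.ExcludedHosts.Add("...") extends that list.
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // The template enables HSTS only outside Development, which is why the
            // header shows up on the deployed site with nothing set in IIS or web.config.
            app.UseHsts();
        }

        // Redirects HTTP requests to HTTPS; UseHsts itself only emits the header
        // on responses that were served over HTTPS.
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Removing UseHsts stops the server from sending the header, but browsers that already received it keep upgrading requests for that host until max-age expires or the cached entry is cleared (in Chrome, under chrome://net-internals/#hsts).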
