What's the point of adding UseHsts() in Start.cs

According to the docs, adding UseHsts() in the config activates the middleware for the STS-related header.

I've never quite understood the point of it. Does it mean nothing more than simply adding a header to each request that the application does? What can go wrong if I don't use that header?

Also, I noticed that when I try to look it up for Core 2.2 (the link above), I get redirected to Core 2.1 with the remark that UseHsts() isn't present in the former version. Does it mean it's obsolete, or is it using a default that hides the magic?

c# asp.net-core .net-core asp.net-core-2.2

asked Jan 1 at 15:57 by Konrad Viltersten
edited Jan 1 at 18:10 by Stephen Kennedy

  • The HSTS header prevents a browser from requesting anything from that site again in a non-secured way; what makes you think that is not useful? Also, the doc link doesn't say the info is obsolete, just that they haven't reviewed it for 2.2 - it's still very much relevant.
    – DavidG, Jan 1 at 16:06

  • Thanks @DavidG .. You made me go over the Stack Overflow policy on plagiarism ...
    – Soumen Mukherjee, Jan 1 at 18:07

  • @SoumenMukherjee Are you implying that my post is plagiarism? Not following...
    – Konrad Viltersten, Jan 1 at 19:40

  • @DavidG Aha, I thought that was achieved by UseHttpsRedirection(). Thanks for correcting me and, also, thanks for the explanation about the link/obsolete confusion. You might want to post it as a reply so I can accept it as the right answer.
    – Konrad Viltersten, Jan 1 at 19:46

  • @SoumenMukherjee I did not delete your answer, a moderator did. Also, really peculiar to use my full name as it's not mentioned here on Stack Overflow...
    – DavidG, Jan 4 at 17:19

2 Answers
HTTP Strict Transport Security (HSTS) allows a site to request that it always be contacted over HTTPS. HSTS is supported in Google Chrome, Firefox, Safari, Opera, Edge and IE.

Reference: https://www.chromium.org/hsts

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.

answered Jan 1 at 18:13 by Simonare

If you are using TLS you should enable this flag. Note: Be sure you don't enable it on localhost (if you aren't using TLS on localhost). You'll be unable to load the website. You'll need to invalidate the cache on your browser.

answered Jan 1 at 19:45 by distrupt

  • Thanks for the reply. Your answer doesn't actually address the issue being asked, though. The question isn't what it does (that's provided in the question by the linkage to the docs). I'm asking why I'd need it and what can go wrong if I don't. The reason for that is me thinking that UseHttpsRedirection() was doing that job already. However, the point on not using it on localhost (which is usually done automagically by the template setting a conditional statement relying on the development environment) is informative.
    – Konrad Viltersten, Jan 1 at 19:50
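
DavidG's comment and the two answers describe HSTS from the browser's side. The Python model below is added here and is not code from the question, the answers or ASP.NET Core itself; it plays both the server and the user agent so that the difference between UseHttpsRedirection() and UseHsts() is visible in what actually leaves the client. The modelled server follows the behaviour documented for ASP.NET Core's HSTS middleware (the Strict-Transport-Security header is sent only on HTTPS responses, the default max-age is 30 days, and localhost, 127.0.0.1 and [::1] are excluded by default); the client caches the policy per host, honours includeSubDomains and expiry, and rewrites later http:// navigations before anything is sent. The hosts and URLs (app.example, localhost:5000 and :5001) are constructed for the example.

```python
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

DEFAULT_MAX_AGE = 30 * 24 * 3600                       # ASP.NET Core's default MaxAge
DEFAULT_EXCLUDED = ("localhost", "127.0.0.1", "[::1]")  # its default ExcludedHosts


def sts_header_value(max_age=DEFAULT_MAX_AGE, include_subdomains=False, preload=False):
    """Build a Strict-Transport-Security value, e.g. 'max-age=2592000; includeSubDomains'."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return value


def parse_sts(value):
    """Return (max_age, include_subdomains), or None when the required max-age is absent."""
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            subs = True
    return None if max_age is None else (max_age, subs)


@dataclass
class Policy:
    expires: float            # clock value after which the entry is discarded
    include_subdomains: bool


class UserAgent:
    """A client that caches HSTS policies and upgrades http:// navigations itself.
    The server it talks to is modelled inline (constructed, not a real app): it
    sends the header only on HTTPS responses and never for excluded hosts.
    `wire` records every URL that actually left the client."""

    def __init__(self, hsts_enabled=True, excluded_hosts=DEFAULT_EXCLUDED,
                 include_subdomains=False, clock=time.time):
        self.hsts_enabled = hsts_enabled          # did the app call UseHsts()?
        self.excluded_hosts = excluded_hosts
        self.include_subdomains = include_subdomains
        self.clock = clock
        self.policies = {}                        # host -> Policy
        self.wire = []

    def _server_headers(self, scheme, host):
        if self.hsts_enabled and scheme == "https" and host not in self.excluded_hosts:
            return {"Strict-Transport-Security": sts_header_value(
                include_subdomains=self.include_subdomains)}
        return {}

    def _policy_for(self, host):
        labels = host.split(".")
        for i in range(len(labels)):              # exact host first, then parents
            name = ".".join(labels[i:])
            policy = self.policies.get(name)
            if policy is None:
                continue
            if policy.expires <= self.clock():    # lapsed: drop it, keep looking
                del self.policies[name]
            elif i == 0 or policy.include_subdomains:
                return policy
        return None

    def navigate(self, url):
        """Upgrade per cached policy, send, then learn from the response headers."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self._policy_for(parts.hostname):
            parts = parts._replace(scheme="https")   # rewritten before anything is sent
        sent = urlunsplit(parts)
        self.wire.append(sent)
        sts = self._server_headers(parts.scheme, parts.hostname).get("Strict-Transport-Security")
        parsed = parse_sts(sts) if (parts.scheme == "https" and sts) else None
        if parsed:
            max_age, subs = parsed
            if max_age == 0:
                self.policies.pop(parts.hostname, None)   # max-age=0 revokes the policy
            else:
                self.policies[parts.hostname] = Policy(self.clock() + max_age, subs)
        return sent

    def clear_policies(self):
        """What clearing the browser's HSTS cache does."""
        self.policies.clear()


def revisit_scheme(hsts_enabled):
    """Scheme of a later http:// navigation after one HTTPS visit to the site."""
    ua = UserAgent(hsts_enabled=hsts_enabled)
    ua.navigate("http://app.example/")          # first contact is plain HTTP either way
    ua.navigate("https://app.example/login")    # where the server's redirect landed us
    return urlsplit(ua.navigate("http://app.example/account")).scheme


def localhost_revisit(excluded_hosts=DEFAULT_EXCLUDED):
    """URL sent for a plain-HTTP dev URL after an HTTPS visit to localhost."""
    ua = UserAgent(excluded_hosts=excluded_hosts)
    ua.navigate("https://localhost:5001/")
    return ua.navigate("http://localhost:5000/")
```

revisit_scheme(False) returns "http": with a redirect alone, every navigation typed or linked as http:// still leaves the client in the clear and depends on the 3xx coming back untouched. revisit_scheme(True) returns "https" because the policy learned from the first HTTPS response is applied locally to every later visit until max-age expires, which is the part a redirect cannot do. localhost_revisit() returns the plain-HTTP URL because the middleware's default exclusions mean no header is ever sent for localhost, and the project template only calls app.UseHsts() in its non-Development branch; localhost_revisit(excluded_hosts=()) shows the situation distrupt warns about: once localhost has a cached policy, http://localhost:5000 is rewritten to https://localhost:5000, which fails when nothing speaks TLS on that port, and the entry stays until it expires or the browser's HSTS cache is cleared (clear_policies models that).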