Enforce SSL and Use HSTS in .NET Core 2.0: .NET Core Security Part I

Note – You can find the source code of my sample application here (sample does not include HSTS changes).

In these series of posts, we will see how to secureyour .NET Core applications.

In this post, we will look at how to enforce SSL to your .NET Core applications along with adding HSTS to your .NET production site.

From .NET Core 2.1 onwards, HTTPS is enabled by default in every template.

What Is SSL?

• SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser during online communication.
• The use of SSL technology ensures that all data transmitted between the web server and browser remains encrypted.

To secure your .NET Core applications, you can now enforce the browser to use HTTPS.

What Is HTTPS?

• Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to.
• It means all communications between your browser and the website are encrypted.

Let's get started.

Prerequisite:

• Visual studio 2017 community edition, download here.
• .Net Core 2.0 SDK from here (I have written a post to install the SDK here).

Create the MVC Application Using .NET Core 2.0 Template in VS 2017

Once you have all these installed, open your Visual Studio 2017 -> Create New Project -> Select Core Web application:

Click on Ok and in next window, select Web Application (MVC) as shown below:

Visual Studio will create a well-structured application for you.

Enforcing SSL on Controllers

Enforcing SSL on Controllers is very easy. You just need to add the RequireHttps attribute to the controller:

[RequireHttps]
public class HomeController: Controller
{}

Enforcing SSL Globally

As you might have a lot of controllers, with Controller enforcing you can make changes many controllers. There is a different approach where you can enforce the SSL globally by making changes in Startup.cs class.

Add the below lines to the ConfigureService method:

public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();

services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
});
}

The above code requires all requests to useHTTPS therefore HTTP requests are ignored.

Side Note: Enforcing SSL globally is a good practice and more secure than adding attributes on the controller level. Even if new controllers are added, you would have a headache to add the attributes above all new controllers.

Redirect HTTP to HTTPS

Applications typically need to listen to both HTTP and HTTPS but then it is required to redirect all HTTP traffic to HTTPS.

Add the below code in the Configure method in the Startup.cs class which will redirect all HTTP calls to HTTPS:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
var options = new RewriteOptions()
.AddRedirectToHttps(StatusCodes.Status301MovedPermanently, 63423);
app.UseRewriter(options);
app.UseMvc();
}

That is it.

Run Your Application on IIS Express

Please note that if you run the above application on IISExpress then it will throw an error.

This error occurs because you have not yet configured your IIS Express settings to allow SSL. You need to enable SSL.

To do that, open the properties of the application and then open the Debug tab.

Under the Web Server setting, check the Enable SSL checkbox as shown below:

Note – You can find the source code of my sample application here (the sample does not include HSTS changes).

HTTP Strict Transport Security (HSTS)

Sometimes just redirecting HTTP to HTTPS is not enough, so you need something which can instruct the browsers to always access the site via HTTPS.

What Is HSTS?

• HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.
• It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
• Typically used only in non-dev scenarios.

For example, when you try to access Google with http://www.google.com, the browser will give us 307 status code and will redirect the HTTP request to HTTPS:

For this, we need to tell the application to send the below header to the browser the first time application hits the browser:

Strict-Transport-Security: max-age=31536000

Important Note – The .NET team has announced HSTS middleware with .NET Core 2.1 that supports options for max age, subdomains, and the HSTS preload list. Currently, there are not any straightforward instructions on how to use this with .NET Core 2.1 so we will use NWebSec for HSTS.

Update on 1st March 2018 – .Net Core 2.1 preview 1 is finally out and now the things are clear regarding the use of HSTS with .Net Core. More details  here.

Just need to add below lines for HSTS:

app.UseHsts();

We can add some code to the .NET Core application in order to use HSTS.

NWebsec lets you configure quite a few security headers.

Add NWebsec.AspNetCore.Middleware from the Nuget:

Once the Nuget package is installed, add below line of code under Configure method:

app.UseHsts(h=> h.MaxAge(days:365)

Then, You need to submit your domain details on this site HSTS Preload site

And after that add the preload as shown below:

app.UseHsts(h=> h.MaxAge(days:365).preload());

Important Note: Note that once you do this, the browser will refuse non-secure requests for your domain, so the only HTTPS version of your site will be called. But, somehow, if your site will not support HTTPS in the future then your site will not be accessed once you make the above configuration with HSTS. Use it carefully.

Hope this helps!