My ASP.NET web application did not make use of the HTTP strict transport security (HSTS) mechanism.

Views: 70

Question

Hi

My ASP.NET Web application did not make use of the HTTP Strict Transport Security (HSTS) mechanism.

This could potentially expose users to Man in the Middle (MitM) attacks.

When a web application uses HSTS, it specifies that users must connect using HTTPS and that communication should cease if there are any errors in the certificate chain.

In this way, users are prevented from clicking through certificate errors or accessing the application over a compromised channel.

How to implement HSTS

How can I prevent exposing users to Man in the Middle (MitM) attacks?

What I have tried:

Tried to add HSTS to a web application by setting the 'Strict-Transport-Security' header in all server responses.

Answer

This article provides some guidance on how to implement the mentioned security policy, which enforces that all communications are sent over HTTPS.

How to enable HTTP Strict Transport Security (HSTS) in IIS7+ - Scott Hanselman

Here is additional reading for you if you are interested in how to implement the HTTP Public Key Pinning (HPKP) security policy/control.
Insecure Transport – Missing Public Key Pinning
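The following is an added example, not code from the question, the answer, or the linked article: a Global.asax code-behind for a classic ASP.NET (System.Web) application that sends the Strict-Transport-Security header on every HTTPS response and permanently redirects plain-HTTP requests to HTTPS. The class name `Global`, the helper `HandleHsts` and the chosen max-age are assumptions for illustration.

```csharp
using System;
using System.Web;

// Added example: Global.asax code-behind for a classic ASP.NET (System.Web) app.
public class Global : HttpApplication
{
    // One year with includeSubDomains, the value most scanners expect.
    // Start with a short max-age (for example 300 seconds) until every
    // subdomain is confirmed to serve HTTPS, because browsers honour the
    // cached policy for the full max-age once they have seen it.
    private const string HstsHeaderValue = "max-age=31536000; includeSubDomains";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        HandleHsts(context.Request, context.Response);
    }

    // Hypothetical helper: kept separate so the policy is readable on its own.
    internal static void HandleHsts(HttpRequest request, HttpResponse response)
    {
        if (request.IsSecureConnection)
        {
            // RFC 6797: user agents ignore Strict-Transport-Security received
            // over plain HTTP, so the header is only meaningful on HTTPS
            // responses. Sending it here covers every secure response.
            response.AppendHeader("Strict-Transport-Security", HstsHeaderValue);
            return;
        }

        // Plain-HTTP request: redirect permanently to the HTTPS origin so the
        // first secure response can deliver the HSTS policy to the browser.
        var secureUri = new UriBuilder(request.Url)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1 // drop any explicit port and use the HTTPS default
        };
        response.RedirectPermanent(secureUri.Uri.AbsoluteUri, endResponse: true);
    }
}
```

Two caveats when deploying this. If TLS is terminated at a load balancer or reverse proxy, `Request.IsSecureConnection` is false for every request and the redirect loops; in that setup the scheme must be taken from the forwarding header the proxy sets (commonly X-Forwarded-Proto) and the proxy must be the only path to the application. After deployment, verify with a plain `curl -I` against the HTTPS origin that the header is present, and against the HTTP origin that a 301 to HTTPS is returned with no HSTS header. The same policy can be expressed declaratively with IIS URL Rewrite rules in web.config, which is the approach the linked Hanselman article takes. Note that HPKP, mentioned in the answer as further reading, has since been removed from major browsers; the HSTS header is the part of that advice that still applies.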
