未设置HSTS [英] HSTS not being set

问题描述

我正在尝试使用Asp.Net Core 3设置Http Strict-Transport-Security标头.无论发布到Heroku的人是谁(使用

I am trying to set an Http Strict-Transport-Security header using Asp.Net Core 3. I got it to work perfectly fine in a development environment, whoever when publishing to Heroku (using https://elements.heroku.com/buildpacks/jincod/dotnetcore-buildpack) the header never shows up (on any page, over http and https).

            if (env.IsDevelopment()) {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
                app.UseBrowserLink();
                app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(hours: 1));
            } else {
                app.UseExceptionHandler("/About/Error");
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(days: 366));
            }

任何帮助将不胜感激！

我尝试使用Configure中的内置UseHSTS方法，并将AddHSTS添加到ConfigureServices.比我尝试使用具有相同选项的NWebsec软件包的UseHSTS(在Configure中)没有成功.

I tried using the built in UseHSTS method in Configure and adding AddHSTS to ConfigureServices. Than I tried using the NWebsec package's UseHSTS (in Configure) with the the same options with no success.

推荐答案

这里是https ConfigureServices:

ConfigureServices:

services.AddHttpsRedirection(options => { options.HttpsPort = 443; })
...
services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
                                ForwardedHeaders.XForwardedProto;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

配置:

app.UseForwardedHeaders();
...
app.UseHttpsRedirection();

更多信息 https://devcenter.heroku.com/articles/http-routing#routing 和 https://github.com/aspnet/Announcements/issues/301

这篇关于未设置HSTS的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！