未设置HSTS [英] HSTS not being set
问题描述
我正在尝试使用Asp.Net Core 3设置Http Strict-Transport-Security标头.无论发布到Heroku的人是谁(使用
I am trying to set an Http Strict-Transport-Security header using Asp.Net Core 3. I got it to work perfectly fine in a development environment, whoever when publishing to Heroku (using https://elements.heroku.com/buildpacks/jincod/dotnetcore-buildpack) the header never shows up (on any page, over http and https).
if (env.IsDevelopment()) {
app.UseDeveloperExceptionPage();
app.UseDatabaseErrorPage();
app.UseBrowserLink();
app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(hours: 1));
} else {
app.UseExceptionHandler("/About/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts(hsts => hsts.IncludeSubdomains().MaxAge(days: 366));
}
任何帮助将不胜感激!
我尝试使用Configure中的内置UseHSTS方法,并将AddHSTS添加到ConfigureServices.比我尝试使用具有相同选项的NWebsec软件包的UseHSTS(在Configure中)没有成功.
I tried using the built in UseHSTS method in Configure and adding AddHSTS to ConfigureServices. Than I tried using the NWebsec package's UseHSTS (in Configure) with the the same options with no success.
推荐答案
这里是https ConfigureServices:
ConfigureServices:
services.AddHttpsRedirection(options => { options.HttpsPort = 443; })
...
services.Configure<ForwardedHeadersOptions>(options =>
{
options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
ForwardedHeaders.XForwardedProto;
options.KnownNetworks.Clear();
options.KnownProxies.Clear();
});
配置:
app.UseForwardedHeaders();
...
app.UseHttpsRedirection();
更多信息 https://devcenter.heroku.com/articles/http-routing#routing 和 https://github.com/aspnet/Announcements/issues/301
这篇关于未设置HSTS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!