34

In the Startup.cs file of a .NET Core app, by default it makes use of

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();   // detailed error pages while developing
        }
        else
        {
            app.UseHsts();                     // adds the Strict-Transport-Security header
        }
        // remaining middleware omitted
    }

But in some cases I can find the use of

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();   // detailed error pages while developing
        }
        else
        {
            app.UseExceptionHandler();         // catches unhandled exceptions in the pipeline
        }
        // remaining middleware omitted
    }

What is the difference?

Or Assraf

4 Answers

47

HSTS is a security feature to force SSL. It has nothing to do with exceptions.

Daniel A. White
  • How does it enforce SSL? I see no change at all. My app still launches in HTTP. – Daniel Jackson Sep 27 '18 at 17:08
  • It is not guaranteed to limit traffic to HTTPS only, so I think _forcing SSL_ should not be mentioned; it depends on client support. It also needs at least one successful HTTPS request. – Mehdi Dehghani Jan 20 '20 at 12:36
  • @DanielJackson: when returned as a header from a website, it indicates to the client that the server wants you to use HTTPS for all future requests. This does not force the client to use HTTPS, but in modern browsers (once they get this information) this should help prevent malicious MITM attacks which try to serve an HTTP version of this same site. – vgru Jan 31 '21 at 16:54
39

It is an old question, but if you still haven't figured out the answer then this might help.

UseHsts adds a Strict-Transport-Security header to the response. Once the site has been accessed using HTTPS, the browser notes this down, and future requests using HTTP will be redirected to HTTPS. So accessing the site using HTTPS at least once is mandatory to make this work.

Also, once the expiration time set by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP won't be automatically redirected to HTTPS.

  • What will happen if I don't use UseHsts? – Ashish Rathi Jun 06 '19 at 05:01
  • With UseHsts, when a browser makes an HTTP call the server responds with instructions to redirect the page to the secure HTTPS URL. This way browsers can cache this setting for a given amount of time, and the browser will automatically convert HTTP requests to HTTPS. Check a similar question asked [here](https://stackoverflow.com/questions/34108241/non-authoritative-reason-header-field-http) – Ramesh Kanjinghat Jun 12 '19 at 14:10
  • At least this answer gives some insights, better than the accepted one. – harpal Feb 16 '23 at 16:59
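To make the sequence in this answer concrete, here is an added example (mine, not code from the answer or from ASP.NET Core): a minimal C# model of the browser-side HSTS cache. It parses the Strict-Transport-Security header, honours it only on responses that arrived over HTTPS, remembers the policy until max-age elapses, and rewrites http:// URLs to https:// while the policy is alive. The names HstsCache, ObserveResponse and Resolve, the host app.example and the timestamps are my own; the includeSubDomains handling goes a step beyond what the answer mentions.

```csharp
// Added example (not from the answer above or from ASP.NET Core): a minimal model
// of the browser-side HSTS cache. Names (HstsCache, ObserveResponse, Resolve),
// the host app.example and the timestamps are constructed for the demo.
using System;
using System.Collections.Generic;

public sealed class HstsPolicy
{
    public DateTimeOffset ExpiresAt { get; set; }
    public bool IncludeSubDomains { get; set; }
}

public sealed class HstsCache
{
    private readonly Dictionary<string, HstsPolicy> _policies =
        new Dictionary<string, HstsPolicy>(StringComparer.OrdinalIgnoreCase);

    // Feed every response through here. The header is honoured only when the
    // response itself came over HTTPS (RFC 6797, section 8.1): a header seen on
    // plain HTTP could have been injected by anyone on the path.
    public void ObserveResponse(Uri responseUri, string stsHeader, DateTimeOffset now)
    {
        if (responseUri.Scheme != Uri.UriSchemeHttps || string.IsNullOrEmpty(stsHeader))
            return;

        long? maxAge = null;
        bool includeSubDomains = false;
        foreach (string raw in stsHeader.Split(';'))
        {
            string directive = raw.Trim();
            if (directive.StartsWith("max-age=", StringComparison.OrdinalIgnoreCase)
                && long.TryParse(directive.Substring(8).Trim('"'), out long seconds))
                maxAge = seconds;
            else if (directive.Equals("includeSubDomains", StringComparison.OrdinalIgnoreCase))
                includeSubDomains = true;
        }
        if (maxAge == null) return;            // max-age is mandatory; ignore a malformed header
        if (maxAge == 0)                       // max-age=0 tells the browser to forget the host
        {
            _policies.Remove(responseUri.Host);
            return;
        }
        _policies[responseUri.Host] = new HstsPolicy
        {
            ExpiresAt = now.AddSeconds(maxAge.Value),
            IncludeSubDomains = includeSubDomains
        };
    }

    // Returns the URL the browser will really fetch: rewritten to https:// when an
    // unexpired policy covers the host, otherwise the request goes out unchanged.
    public Uri Resolve(Uri requested, DateTimeOffset now)
    {
        if (requested.Scheme != Uri.UriSchemeHttp) return requested;

        foreach (KeyValuePair<string, HstsPolicy> entry in _policies)
        {
            if (entry.Value.ExpiresAt <= now) continue;      // expired: back to plain HTTP
            bool exact = requested.Host.Equals(entry.Key, StringComparison.OrdinalIgnoreCase);
            bool sub = entry.Value.IncludeSubDomains
                       && requested.Host.EndsWith("." + entry.Key, StringComparison.OrdinalIgnoreCase);
            if (exact || sub)
                return new UriBuilder(requested)
                {
                    Scheme = Uri.UriSchemeHttps,
                    Port = requested.IsDefaultPort ? -1 : requested.Port   // keep an explicit port
                }.Uri;
        }
        return requested;
    }
}

public static class Program
{
    public static void Main()
    {
        var cache = new HstsCache();
        var t0 = new DateTimeOffset(2024, 1, 1, 0, 0, 0, TimeSpan.Zero);
        var http = new Uri("http://app.example/account");

        // 1. Nothing cached yet: the plain-HTTP request goes out as HTTP.
        Console.WriteLine(cache.Resolve(http, t0));

        // 2. A header that arrives over HTTP is ignored, so the request is still not upgraded.
        cache.ObserveResponse(new Uri("http://app.example/"), "max-age=2592000", t0);
        Console.WriteLine(cache.Resolve(http, t0));

        // 3. First HTTPS response carrying the header (2592000 s = 30 days, the ASP.NET Core
        //    default). From now on http:// requests to the host and its subdomains are upgraded.
        cache.ObserveResponse(new Uri("https://app.example/"), "max-age=2592000; includeSubDomains", t0);
        Console.WriteLine(cache.Resolve(http, t0.AddDays(1)));
        Console.WriteLine(cache.Resolve(new Uri("http://api.app.example/"), t0.AddDays(1)));

        // 4. Once max-age has elapsed the upgrade stops until the site is seen over HTTPS again.
        Console.WriteLine(cache.Resolve(http, t0.AddDays(31)));
    }
}
```

Step 2 is the reason the middleware in answer 4 only sets the header on HTTPS responses: a browser would discard it anyway, and a header that could be learned over plain HTTP would let an on-path attacker plant a policy. Step 4 is why a short max-age (or a site that stops being visited over HTTPS) quietly leaves users downgradable again.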
10

Here is some additional info about UseHsts.

HSTS is a client-side performance optimization to avoid an extra request to the server; for more info read Ramesh's answer. But it has some limitations:

  • It is not guaranteed to limit traffic to HTTPS only.
  • It requires at least 1 successful HTTPS request.
  • It depends on client support; a client may or may not support HSTS.

About UseExceptionHandler: you can use this middleware to catch unhandled exceptions globally.

Mehdi Dehghani
  • You don't get any performance optimization or avoid an extra request by just using HSTS. You get that only if you also submit your site to one or more of the preload lists that are automatically included in the user's browser. Then even the first request with http will be automatically redirected internally by the browser itself without going to the server. – John Pankowicz Nov 06 '20 at 14:33
6

You should be aware that you won't notice this header when you run against localhost, because the HSTS middleware ignores requests to 127.0.0.1 and localhost.

Also, this header is only sent over HTTPS.

See the source code here:

Tore Nestenius
  • The question is old, but I have been asking myself why, in the standard MVC Core template, Hsts is only applied in production mode. If it is ignored on localhost, why this extra if: `if (app.Environment.IsDevelopment()) { app.UseMigrationsEndPoint(); }` – Tillito Mar 15 '23 at 11:34
  • Perhaps you want to be able to mix HTTP/HTTPS during development, so that the browser does not remember that it should use HTTPS only. But as I said, it is ignored over 127.0.0.1 and localhost. – Tore Nestenius Mar 15 '23 at 12:20
  • @Tillito you may run the application on IIS with a masked domain (just add the domain to the hosts file). In that case the BROWSER will not understand that it is localhost. It will be masked on a different layer. – Neophyte Apr 18 '23 at 08:43
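Pulling the question and the answers on UseExceptionHandler (Mehdi Dehghani) and on the localhost/HTTPS-only behaviour (Tore Nestenius) together, here is an added example of a Startup.cs that uses both middlewares and configures the HstsOptions behind UseHsts. This is my own illustration, not the question's code or the ASP.NET Core project template; the host internal.example and the /Error path are placeholders, and IHostingEnvironment is kept to match the question (ASP.NET Core 2.x; on 3.0 and later the parameter type is IWebHostEnvironment).

```csharp
// Added example (not the question's code or the ASP.NET Core template): UseHsts and
// UseExceptionHandler side by side, with the options that shape the HSTS header.
// "internal.example" and "/Error" are placeholders.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Without AddHsts, UseHsts emits "Strict-Transport-Security: max-age=2592000" (30 days).
        // Raise max-age / IncludeSubDomains / Preload only once every host under the domain
        // really serves HTTPS: browsers will refuse plain HTTP to them until the policy expires.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = true;
            options.Preload = false;   // set true only after submitting the domain to hstspreload.org

            // ExcludedHosts already contains "localhost", "127.0.0.1" and "[::1]", which is why
            // the header never shows up in local runs. Add any other host that must stay
            // reachable over HTTP (for example a masked domain mapped in the hosts file).
            options.ExcludedHosts.Add("internal.example");
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Stack traces and request details for developers only; never in production.
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // Unhandled exceptions are re-executed against /Error, which renders a generic page
            // instead of leaking the exception to the client.
            app.UseExceptionHandler("/Error");

            // The HSTS middleware adds the header only to responses for HTTPS requests and skips
            // ExcludedHosts; on its own it does nothing for a request that arrived over HTTP.
            app.UseHsts();
        }

        // This is what actually moves clients from HTTP to HTTPS (301/307 redirect) and gives
        // the browser the one HTTPS response it needs before it will honour the HSTS policy.
        app.UseHttpsRedirection();

        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```

The ordering follows the template: the exception handler sits outermost so it also covers exceptions thrown by later middleware, UseHsts runs before UseHttpsRedirection so that the redirected-to HTTPS response carries the header, and both of the HTTPS-related calls are harmless on localhost because of ExcludedHosts. To see the header during development, put a non-excluded host name in the hosts file and browse to it over HTTPS, then check the response headers in the browser's network tab.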