We are running a .NET 5 web app.
We use both UseStaticFiles and UseHsts in our app Configure() at startup.
I can access my static files.
All my API/dynamic web endpoints have the HSTS headers.
My static files do not have the HSTS headers.
We have some static HTML files used in a SPA app and the pen tests we run are triggering vulnerabilities on it when it scans.
How can I configure my static files to use HSTS headers?
    // Simplified example
    public void Configure(
        IApplicationBuilder app,
        IHostApplicationLifetime appLifetime
    )
    {
        app.UseStaticFiles();
        app.UseHsts();
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
        app.UseEndpoints(endpoints => {
            endpoints.MapControllers();
            endpoints.MapHealthChecks("/healthcheck");
        });
    }
Update based on @gjhommersom's answer
Configuring the app like this instead adds CORS to the headers.
However the strict-transport-security header is still missing :(
    // Simplified example
    public void Configure(
        IApplicationBuilder app,
        IHostApplicationLifetime appLifetime
    )
    {
        app.UseHsts();
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
        app.UseEndpoints(endpoints => {
            endpoints.MapControllers();
            endpoints.MapHealthChecks("/healthcheck");
        });
        app.UseStaticFiles();
    }
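
An added example, not part of the original question and not the asker's code: a Startup in which UseHsts runs before UseStaticFiles (the static file middleware ends the request when it serves a file, so middleware registered after it never sees that response), plus a diagnostic middleware that logs the two conditions the HSTS middleware checks before writing its header. The `ILogger<Startup>` parameter, the log message format and the `MaxAge` value are assumptions made for the example.

```csharp
// Added example, not the asker's code. Values marked "constructed" are illustrative.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddHealthChecks();
        services.AddCors();
        services.AddAuthentication();
        // Constructed value; the framework default MaxAge is 30 days.
        services.AddHsts(options => options.MaxAge = TimeSpan.FromDays(365));
    }

    public void Configure(IApplicationBuilder app, IHostApplicationLifetime appLifetime,
                          ILogger<Startup> logger) // logger parameter is an assumption
    {
        // Diagnostic only: record, per response, the two conditions HstsMiddleware
        // checks (HTTPS request, host not in HstsOptions.ExcludedHosts, which by
        // default holds localhost, 127.0.0.1 and [::1]) and whether the header is set.
        app.Use(async (context, next) =>
        {
            context.Response.OnStarting(() =>
            {
                logger.LogInformation("{Path} https={IsHttps} host={Host} hsts={HasHsts}",
                    context.Request.Path, context.Request.IsHttps, context.Request.Host,
                    context.Response.Headers.ContainsKey("Strict-Transport-Security"));
                return Task.CompletedTask;
            });
            await next();
        });

        app.UseHsts();        // must run before any middleware that can end the request
        app.UseStaticFiles(); // short-circuits the pipeline when it serves a file
        app.UseRouting();
        app.UseCors();
        app.UseAuthentication();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapHealthChecks("/healthcheck");
        });
    }
}
```

A log line with `https=False` or a loopback host alongside `hsts=False` means the header was skipped by design for that request rather than by pipeline order.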