The HSTS header is a browser-only instruction. It informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.
In this case, is it necessary to implement HSTS?
If your application hosted in AKS is a web application which will load in a browser, then yes. However, as you mentioned, if it is only an API then it does not make much sense.
This is also documented on MSDN:

> HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do not obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.
That said, assuming your application is a web application, to implement it with AGIC you will first have to configure a rewrite rule set on the Application Gateway. This can be done from the portal or with PowerShell:
```powershell
# Create the rewrite rule set: one rule that adds the HSTS response header
$responseHeaderConfiguration = New-AzApplicationGatewayRewriteRuleHeaderConfiguration -HeaderName "Strict-Transport-Security" -HeaderValue "max-age=31536000; includeSubDomains; preload"
$actionSet = New-AzApplicationGatewayRewriteRuleActionSet -ResponseHeaderConfiguration $responseHeaderConfiguration
$rewriteRule = New-AzApplicationGatewayRewriteRule -Name HSTSHeader -ActionSet $actionSet
$rewriteRuleSet = New-AzApplicationGatewayRewriteRuleSet -Name SecurityHeadersRuleSet -RewriteRule $rewriteRule

# Apply the rule set to your app gateway (replace the gateway and resource group names with your own)
$appgw = Get-AzApplicationGateway -Name "yourgw" -ResourceGroupName "yourgw-rg"
Add-AzApplicationGatewayRewriteRuleSet -ApplicationGateway $appgw -Name $rewriteRuleSet.Name -RewriteRule $rewriteRuleSet.RewriteRules
Set-AzApplicationGateway -ApplicationGateway $appgw
```
Next, to map the rule set to your ingress path, use the annotation on your ingress definition to reference the rule set:

```yaml
appgw.ingress.kubernetes.io/rewrite-rule-set: SecurityHeadersRuleSet
```
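To confirm that the gateway really emits the header the rule set above adds, here is an added Python check (not from the answer, AGIC or Azure) that parses a `Strict-Transport-Security` value per RFC 6797 and reports whether it meets the preload requirements; the response headers are a constructed sample, so swap in real headers from an HTTPS request to your ingress hostname.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year, the minimum hstspreload.org accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {directive-name: value-or-None}; returns None when the header is
    invalid (missing or non-numeric max-age, or any directive repeated).
    Directive names are case-insensitive; unknown directives are kept but ignored.
    """
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if val else None
        if name in directives:  # RFC 6797: a directive MUST NOT appear more than once
            return None
        directives[name] = val
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None  # max-age is mandatory and must be a non-negative integer
    directives["max-age"] = int(max_age)
    return directives


def check_hsts(headers):
    """Evaluate response headers (names compared case-insensitively).

    Returns a list of findings; an empty list means the policy is preload-ready.
    """
    hsts = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    if d is None:
        return ["malformed Strict-Transport-Security header: %r" % hsts]
    findings = []
    if d["max-age"] == 0:
        findings.append("max-age=0 disables HSTS for this host")
    elif d["max-age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age %d below preload minimum %d" % (d["max-age"], PRELOAD_MIN_MAX_AGE))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (required for preload)")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings


# Constructed sample: what the gateway should return once the rule set is applied.
GATEWAY_RESPONSE = {"Content-Type": "application/json",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
```

Remember that the header only takes effect when received over HTTPS, so run the check against the TLS listener, not the plain HTTP one.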