
UseHsts stopped appending the Strict-Transport-Security header after the migration from Service Fabric to K8S. How can I fix it?

I am using .NET 6. I tried debugging to see if UseHsts gets called. Also, I double-checked that doing exactly the same deployment to Service Fabric results in a running app which returns the header.

I have spent probably 5 hours on this now and was not able to come up with anything. I found this, but it seems to be about enabling HSTS at the Azure level, while I would like to enable it using the tools at the application level.

manymanymore
  • What URL are you using to access the K8S implementation? Are you running locally? – theduck Apr 21 '23 at 12:41
  • @theduck, the app is deployed. – manymanymore Apr 21 '23 at 13:35
  • I have seen a situation before where the HSTS middleware doesn’t output the header if it thinks it is being accessed locally. You can see the excludedHosts in the source code. This can happen if you are running behind a reverse proxy. – theduck Apr 21 '23 at 15:47
  • Source is here https://github.com/dotnet/aspnetcore/blob/main/src/Middleware/HttpsPolicy/src/HstsMiddleware.cs . You can see in the invoke the two conditions where the header isn’t set - not secure and excluded host. Both are possible if something is proxying ahead of your app. – theduck Apr 21 '23 at 15:52
  • @theduck, tried and unfortunately clearing the excluded hosts did not help. But thank you. – manymanymore Apr 21 '23 at 16:39
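The proxying scenario raised in the comments, as an added example that is not code from the question or the comments: a .NET 6 `Program.cs` that trusts `X-Forwarded-Proto` from the ingress so that `Request.IsHttps` is already true when the HSTS middleware runs. The `10.0.0.0/8` network is a placeholder for the cluster's ingress/pod CIDR.

```csharp
using Microsoft.AspNetCore.HttpOverrides;
using System.Net;

var builder = WebApplication.CreateBuilder(args);

// When TLS is terminated at the ingress, Kestrel sees plain HTTP and
// Request.IsHttps is false, so HstsMiddleware skips the header.
// ForwardedHeadersMiddleware rewrites Request.Scheme from X-Forwarded-Proto,
// but only for requests coming from a known proxy or network; by default
// only loopback is trusted, which never matches an in-cluster ingress.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto;
    // Placeholder CIDR: replace with the network the ingress pods run in.
    options.KnownNetworks.Add(
        new Microsoft.AspNetCore.HttpOverrides.IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    // ExcludedHosts still contains localhost/127.0.0.1 here; the usual
    // cause behind a proxy is the scheme, not the host list.
});

var app = builder.Build();

// Must run before UseHsts so the HSTS middleware observes the forwarded scheme.
app.UseForwardedHeaders();

if (!app.Environment.IsDevelopment())
{
    app.UseHsts();
}

app.MapGet("/", () => "ok");
app.Run();
```

Limiting `KnownNetworks` to the ingress CIDR matters: trusting `X-Forwarded-*` from any source lets a direct client spoof its scheme and address.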

0 Answers