HTTP Strict Transport Security Protocol (HSTS)

Recently, I came across an interesting problem. Whenever we browse the website over HTTP, I see the browser force all the communication over HTTPS. The website was developed from the ASP.NET Core API template.

I collected the following data to understand this behavior:

1. Fiddler trace:

I could see that the browser makes the request directly over HTTPS. Digging further into the Fiddler traces for the reason, I could see the "Strict-Transport-Security" header in the server's response to a previous HTTPS request.

Sample Fiddler trace:

GET https://test.abc.com/Module.API/api/ HTTP/1.1
Host: test.abc.com
Connection: keep-alive
Authorization: Negotiate YIIKEQYGKwYBBQUCoIIKBTCCCklgnsdlfu34895u3405ergfdfgm8934hefCAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCcsEggnHYIIJwwYJKoZIhvcSAQICAQBuggmyMIIJrqADAgEFoQMCAQ6iBwMFACAAAACjggfnYYIH4zCCB9+gAwIBBaEKGwhDR1NILkNPTaIpMCegAwIBAqEgMB4bBEhUVFAbFmFtMmNnYXBwc3RnMDQuY2dzaC5jb22jggefMIIHm6ADAgESoQMCAQmiggeNBIIHiXhgXMVJU1v28PSZcfjc2tOelvsuSUzmorwlFqfgYZiRZd8a7ExivC+XZiCCCvYb/NLMFAEaZfxqsj7FGhTKSSrZ0+sRb6rNH/vbVC7rqyyOhE5bjsdafhbvsdkfbsdkfsnfnsdlfnHH/eZcTh4RmNYAGfJo39JJIHC4Xuy7yagKTaTBM5duo6/QjZtuqUygiit81c24550qUlFHaoYi44eboSXXaO68veqxuUf2PItUtfIt5RsZW5uXgFz0CRWvqGsVapzYa/pjYWqFhBIRxEuyrdfghul8/lemzQkEmD3lxCOCdUbq0dflmsdkfjbYMgXwFPWaUb2v9dmNyIsmc5+nyOudLnxBWuZVr75y6VVatu5cHL57d7v2NTMamNMg+h2PxnU8gNFdi48t3huvCOeyAOqicHyv1c8l5as+p8W+mvAOwvA9QsCVJNb3uFGqf5yt5H370MW7WDgmfltagykz1CKr+x3nFxG2ahpiFKpSRA1KTB7oJgsLxXoMiDXUPYJK/tu7IjkUSBaCakAwCz5hHrIaNaBd9Xcec3qKTVDYklyQk5qWo+A2pt1JXxPt5LP/M3UxF1iKkfnjsdklfjnhsdqMffV5niDllft5hwNpxHtPOZ4c3j1+sfu+YY1/fsd5qI4bpBOxC3YK5hcJldQ34WaYRIAqLSWOO8emtinMjHj51neLLEp4FxZSXT8k33fY0492al2VvqGQCSgfk8tVce1h4rRejKGxgghjFa6PUvVhY19iSU2vnLomWoO6fUheOvf5HfZ0w4B3chBLYkAh/ll3dxfu+Gm7dLAUAuzqZIt4n9UYJOyIlLvcRnIw0MSCYVcHV646kniXRaixw2aUFhXIPjk8K1IUC78SGZAfz9th8MRwPwZqBg2uxbJqweGTC1V+vM4f/i1X0WIvxM/QzmGkEyt26vGfacrdjIGDt5EfuvU8t/F/BYXh0XPkjp7jlIKI4sRpNnnH4giPRlhnswL2MArlvBL03q /NEbJ77YaTcof15QibrvSasdsvhadjsad7m6iTkWdGchv3KoaGHrgrCqTZWl64ik4M7iO9aug4LL21HDQMkHAlOyG36Gjr/Vz2lS0hfica2IvxE80tzxoThv2nz5DXcWZMLevgy8VNAhJS48v5ush+GUXTpEDoOYUAvcNfbqwY0Y5xrjxsCNUuVcRdCmO4jFYTgpVgyts/2wBYp1xw42gbx1Cq5KN+p0ViEf+PSQXg==
Accept: application/json, text/plain, */*
Origin: http://test.abc.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Referer: http://test.abc.com/Module/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Vary: Origin
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://test.abc.com
Strict-Transport-Security: max-age=2592000
Persistent-Auth: true
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYG2MIGzoAMsdhkfbsdkjfsdnfjknsdfsdfsdfsdfsdfsdfsdfsadfsdfYIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCasnmfbaskjdbhkdjsnadkj4sd5CbptpCO0v4tvWvQKMco745S1TnexO8DAyiFisfkjsdhfkjsdfhjksdfhkjsdfhYsTanvczTYCXEQ3vCzghafdghasdflb4/SDsdasdsasdNBb1E=
Date: Wed, 16 Oct 2019 15:11:18 GMT
Content-Length: 175

2. FREB trace:

I collected FREB (Failed Request Event Buffering) traces to see which module is setting the header.

Sample FREB trace:

67. NOTIFY_MODULE_START ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotification="false" 15:11:16.463
68. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-TOKEN", HeaderValue="48e345b8-404c-4891-934b-5f6b58489014", Replace="true" 15:11:17.260
69. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-WINAUTHTOKEN", HeaderValue="63c", Replace="true" 15:11:17.260
70. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-For", HeaderValue="10.0.0.1:50010", Replace="true" 15:11:17.260
71. GENERAL_SET_REQUEST_HEADER HeaderName="X-Forwarded-Proto", HeaderValue="https", Replace="true" 15:11:17.260
72. GENERAL_SET_REQUEST_HEADER HeaderName="MS-ASPNETCORE-CLIENTCERT", HeaderValue="", Replace="true" 15:11:17.260
73. GENERAL_SET_REQUEST_HEADER HeaderName="Connection", HeaderValue="", Replace="true" 15:11:17.260
74. GENERAL_SET_RESPONSE_HEADER HeaderName="Content-Type", HeaderValue="application/json; charset=utf-8", Replace="true" 15:11:18.744
75. GENERAL_SET_RESPONSE_HEADER HeaderName="Server", HeaderValue="Kestrel", Replace="true" 15:11:18.744
76. GENERAL_SET_RESPONSE_HEADER HeaderName="Vary", HeaderValue="Origin", Replace="true" 15:11:18.744
77. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Credentials", HeaderValue="true", Replace="false" 15:11:18.744
78. GENERAL_SET_RESPONSE_HEADER HeaderName="Access-Control-Allow-Origin", HeaderValue="http://test.abc.com", Replace="false" 15:11:18.744
79. GENERAL_SET_RESPONSE_HEADER HeaderName="Strict-Transport-Security", HeaderValue="max-age=2592000", Replace="false" 15:11:18.744
80. NOTIFY_MODULE_COMPLETION ModuleName="AspNetCoreModule", Notification="EXECUTE_REQUEST_HANDLER", fIsPostNotificationEvent="false", CompletionBytes="0", ErrorCode="The operation completed successfully. (0x0)" 15:11:18.744

OBSERVATION & CAUSE:

- HSTS can be enabled in IIS, in configuration files, or in application code. In this scenario, we did not see any HSTS configuration in IIS or in the configuration files.

- We found that the UseHsts function was configured in the application code.

- It looks like HSTS is being enforced by the application code.

RECOMMENDATION:

If HSTS is not enabled in IIS or in configuration files, revisit the application code and check whether you are using the following functions in the Configure method:

app.UseHttpsRedirection();

app.UseHsts();
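As an added example (mine, not the application's or the template's own code), here is a Startup class in the shape the ASP.NET Core 3.x API template produces, with the HSTS options spelled out so the header seen in the traces is easy to locate and control; the excluded host name is a placeholder.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
// Added example, not the post's application code: a Startup class in the shape
// the ASP.NET Core 3.x API template generates, with the HSTS options written
// out so the origin of the header in the traces above is easy to find.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // With no AddHsts call, UseHsts() emits the framework default
        // "Strict-Transport-Security: max-age=2592000" (30 days), exactly the
        // value in the traces. Spelling the options out is how you scope it.
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(30);
            options.IncludeSubDomains = false;
            options.Preload = false;
            // localhost, 127.0.0.1 and [::1] are excluded by default; add any
            // other host that must never get the header (placeholder name).
            options.ExcludedHosts.Add("staging.example.invalid");
        });
    }
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            // The template places UseHsts here, so it is active only outside
            // Development. The middleware adds the header only on responses to
            // HTTPS requests; behind IIS, the X-Forwarded-Proto: https header
            // in the FREB trace is how the app learns the original scheme.
            app.UseHsts();
        }
        // Server-side http:// to https:// redirect; HSTS makes the browser do
        // that upgrade itself for max-age seconds after it sees the header.
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Removing UseHsts only stops the policy from being sent: a browser that has already cached the header keeps upgrading requests until the stored max-age expires, or until the site serves Strict-Transport-Security: max-age=0 over HTTPS.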
