Strict-Transport-Security MVC Attribute and Future of Project

Sep 12, 2014 at 10:19 AM
Hi,

Thanks for this project. Just wondering why Strict-Transport-Security is not supported via an attribute. Is it because MVC already contains the RequireHttpsAttribute and so Strict-Transport-Security is not strictly needed? If one were to be added, I assume you would have to use it everywhere you use RequireHttpsAttribute.

Thanks
Coordinator
Sep 13, 2014 at 11:44 AM
The Strict-Transport-Security header transmits a policy that applies to the entire host (domain name), and that's why you configure it globally for your application. It's really an all or nothing thing.

To protect your users I'd recommend registering the RequireHttpsAttribute as a global filter so it runs for every action in your application. In addition, add HSTS with a long maxage (at least a couple of months).

Note that these settings will affect everything running under the same domain name, e.g. if you have to applications running side by side:


When a user visits SecureMvcApp they'll be redirected to HTTPS, and get the HSTS policy. The browser will then force HTTPS to both these applications from that point on.