Closed

HSTS should only be set on https

description

Looking at the code, it appears that you always set the Strict-Transport-Security value irrespective of the protocol of the original request.

The draft spec says in 7.2:

An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport.

I think this is solvable in the OWIN module by looking at the protocol, but I'm not sure about the rest.
Closed Oct 7, 2014 at 7:44 PM by klings
Fixed in today's NWebsec release.

comments

klings wrote Jul 3, 2014 at 4:13 PM

You're absolutely right, thanks for reporting this. I'll have this fixed in an upcoming release.

klings wrote Oct 7, 2014 at 7:44 PM

I've included a new configuration option to get the correct behaviour, see the new "httpsOnly" attribute/configuration method. HTH.
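
The check discussed in this issue, as an added example that is not NWebsec's code or part of the original thread: an OWIN middleware that emits Strict-Transport-Security only when the request arrived over https. The names HstsMiddleware and UseHstsOverHttpsOnly are hypothetical; the example assumes the Microsoft.Owin package.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Hypothetical middleware for illustration; not NWebsec's implementation.
public sealed class HstsMiddleware : OwinMiddleware
{
    private readonly string _headerValue;

    public HstsMiddleware(OwinMiddleware next, TimeSpan maxAge, bool includeSubDomains)
        : base(next)
    {
        if (maxAge < TimeSpan.Zero)
            throw new ArgumentOutOfRangeException("maxAge");

        // Build the header value once, e.g. "max-age=31536000; includeSubDomains".
        _headerValue = "max-age=" + (long)maxAge.TotalSeconds
                     + (includeSubDomains ? "; includeSubDomains" : "");
    }

    public override Task Invoke(IOwinContext context)
    {
        // IsSecure is true only when the request scheme is https.
        // Over plain http the header must not be sent at all.
        if (context.Request.IsSecure)
        {
            // Register the header write for the moment headers are flushed,
            // so it is applied even if later middleware starts the response.
            context.Response.OnSendingHeaders(state =>
            {
                var response = (IOwinResponse)state;
                response.Headers.Set("Strict-Transport-Security", _headerValue);
            }, context.Response);
        }

        return Next.Invoke(context);
    }
}

public static class HstsAppBuilderExtensions
{
    // Hypothetical registration helper: app.UseHstsOverHttpsOnly(TimeSpan.FromDays(365), true);
    public static IAppBuilder UseHstsOverHttpsOnly(
        this IAppBuilder app, TimeSpan maxAge, bool includeSubDomains = false)
    {
        return app.Use<HstsMiddleware>(maxAge, includeSubDomains);
    }
}
```

When TLS is terminated at a load balancer or reverse proxy, IsSecure reflects the hop between the proxy and the application, so the scheme seen by the application may not be the one the client used.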