0

In case I use an apache proxy server for my ASP Net Core 2.2 app, what actually happens when I use app. UseHsTs();?

Olaf Kock
  • 46,930
  • 8
  • 59
  • 90
AED
  • 101
  • 2

1 Answers1

1

UseHsts adds a header Strict-Transport-Security to the response. When the site was accessed using HTTPS then the browser notes it down and future request using HTTP will be redirected to HTTPS. So, accessing the site using HTTPS at least once is mandatory to make this work.

Also the expiration time set by the Strict-Transport-Security header elapses, the next attempt to load the site via HTTP won't be automatically redirected to HTTPS.

Note UseHsts excludes the following loopback hosts:

  • localhost : The IPv4 loopback address.

  • 127.0.0.1 : The IPv4 loopback address.

  • [::1] : The IPv6 loopback address.

You could refer to the MS documentation on HTTP Strict Transport Security Protocol (HSTS) for more details.

Xueli Chen
  • 11,987
  • 3
  • 25
  • 36
  • 1
    Thanks Xueli, What happens if using loadbalancing, can I transfert the usage of HSTS from Kestrel to the laod balancer ? – AED Dec 18 '19 at 18:22