0

I have a WCF service which is hosted in an exe using the ServiceHost class. I call it a "web service" because it's listening via https, so I can ping it from a web browser. (Sorry if not all my terms are precise.)

I would like to enable HSTS for this web service. I found that I can enable it by putting this into the Web.config:

<system.webServer>
<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000"/>
  </customHeaders>
</httpProtocol>

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>

  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
  </outboundRules>
</rewrite>

</system.webServer>

But I don't have a Web.config, because the service is NOT hosted in IIS. I have tried to add this into the system.ServiceModel section but was ineffective. I'm not sure if the system.webServer section could be processed without IIS support or not. I'm also not sure if HSTS is a valid concept at all without IIS (or Apache).

All the articles I read so far, only described the IIS scenario.

https://www.hanselman.com/blog/how-to-enable-http-strict-transport-security-hsts-in-iis7

https://learn.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/hsts

https://www.forwardpmx.com/insights/blog/the-ultimate-guide-to-hsts-protocol/

So my question is: how can I enable the HSTS in this scenario?

Edit: my servicemodel config(edited to eclipse our product name)

<system.serviceModel>
<services>
  <service behaviorConfiguration="AServiceBehavior" name="something.RemoteAccess.WebAccess.A.Core.A">
    <endpoint address="" behaviorConfiguration="AEndpointBehaviour" binding="basicHttpBinding" bindingConfiguration="secureBasicHttpBinding" name="A" bindingNamespace="uri:something.RemoteAccess.WebAccess.A" contract="something.RemoteAccess.WebAccess.A.IService"/>
    <host>
      <baseAddresses>
        <add baseAddress="https://*:4510/somethingWebAccess/A"/>
      </baseAddresses>
    </host>
  </service>
</services>
<bindings>
  <basicHttpBinding>
    <binding name="secureBasicHttpBinding">
      <security mode="Transport">
        <transport clientCredentialType="None" proxyCredentialType="None" realm=""/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="AEndpointBehaviour">
      <dataContractSerializer maxItemsInObjectGraph="2147483647"/>
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="AServiceBehavior">
      <serviceMetadata httpsGetEnabled="True"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

</system.serviceModel>

Lipcsey József
  • 3
  • 3
  • What bindings are you using with WCF? Are you using SOAP's HTTP REST functionality, or are you using SOAP over HTTP? Can you post your `app.config` file that shows your `` configuration? Are you doing any configuration _in code_? – Dai Mar 05 '21 at 14:46
  • Basically, do you have access to a `WebOperationContext` in your WCF code? – Dai Mar 05 '21 at 14:47
  • Also, as you can probably tell by now, WCF is... needlessly complicated, with truly insane amounts of overloaded terminology (bindings, behaviors, endpoints, aieee!) and confusingly excessive configuration - I'm glad WCF is dead. Do you have a plan for migrating away from WCF to something more modern and leaner, like ASP.NET Core? – Dai Mar 05 '21 at 14:48
  • I don't have access to WebOperationContext. – Lipcsey József Mar 05 '21 at 15:52
  • Our product is so monstrous that I see no chance to migrate from WCF. :( – Lipcsey József Mar 05 '21 at 15:55

1 Answers1

0

I have tried to add this into the <system.ServiceModel> section but was ineffective. I'm not sure if the <system.webServer> section could be processed without IIS support or not. I'm also not sure if HSTS is a valid concept at all without IIS (or Apache).

Correct. The <system.webServer> element is specific to IIS 7 and later (including IIS Express).

The schema of app.config and web.config files is well-defined - it isn't magic: moving elements around won't cause functionality in on library to suddenly work in another, unrelated library.

(Though there is some commonality between <system.web> (ASP.NET) and <system.webServer> (IIS), that's just a coincidence - or because of the Managed Pipeline system, I can see why this would cause confusion0.

Your <rewrite> section will not work at all because that depends on both IIS and having the IIS URL Rewrite module installed (it's an optional component, not installed by default).

I'm also not sure if HSTS is a valid concept at all without IIS (or Apache).

HSTS applies to any HTTP service: it just means that the web-server (or web-application, it doesn't have to be a host/server concern) is sending the Strict-Transport-Security header.

You can still do this in WCF.

The simple approach: WebOperationContext:

See WCF adding additional HTTP header to HTTP response for transporting SOAP message

var context = WebOperationContext.Current;
if( context is null ) throw new InvalidOperationContext( "WebOperationContext not found. Are you running in the right thread?" );

context.OutgoingResponse.Headers.Add( "Strict-Transport-Security", "max-age=31536000" );

Downside: you'll need to add this code (or a call to a function that implements this code) to all of your WCF actions/endpoints/etc. The advantage here is that you don't need to worry about understanding WCF's "behavior" system.

Better approach: IClientMessageInspector:

See https://weblogs.asp.net/paolopia/writing-a-wcf-message-inspector

Kinda complicated for me to summarize here, sorry.

Best approach: custom behavior

It's been literally a full decade since I last wrote any WCF code and I've forgotten how to do custom behaviors. Sorry I can't be of more use :/

Dai
  • 141,631
  • 28
  • 261
  • 374