Adds Https Redirection and Hsts Middlewares #264
Conversation
jkotalik
force-pushed
the
jkotalik/httpsMiddleware
branch
from
6dbf757 to
d9f364d
Compare
|
Per offline feedback, |
samples/HttpsSample/Startup.cs
Outdated
| .UseKestrel( | ||
| options => | ||
| { | ||
| options.Listen(new IPEndPoint(IPAddress.Loopback, 443), listenOptions => |
samples/HttpsSample/Startup.cs
Outdated
|
|
||
| public void Configure(IApplicationBuilder app) | ||
| { | ||
| var httpsEnforcementOptions = new HttpsEnforcementOptions(); |
There was a problem hiding this comment.
Options should all be moved to ConfiguredServices as services.Configure<MyOptions>(options => ...);
There was a problem hiding this comment.
We should have a helper method for this.
services.AddHttpsPolicy(o => o. ...);| /// <returns></returns> | ||
| public async Task Invoke(HttpContext context) | ||
| { | ||
| context.Response.OnStarting(() => |
There was a problem hiding this comment.
Why not just do this before calling next? OnStarting is not required.
| /// Max-age is required; defaults to 0. | ||
| /// See: https://tools.ietf.org/html/rfc6797#section-6.1.1 | ||
| /// </remarks> | ||
| public int MaxAge { get; set; } |
There was a problem hiding this comment.
TimeSpan.
Also, 0 means to disable HSTS, so it can't be the default.
NOTE: A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host, including the
includeSubDomains directive (if asserted for that HSTS Host).
There was a problem hiding this comment.
Though https://tools.ietf.org/html/rfc6797#section-11.2 suggests 0 as the default and making users set it so that it's not using an arbitrary value.
If we require users to set it then we should make it nullable and throw if it's not set. If not then we need to come up with a non-zero default. Talk to @blowdart.
There was a problem hiding this comment.
https://tools.ietf.org/html/rfc6797#section-11.2 defines an alternative to a fixed second count where you would define a fixed date and then Max-Age would reflect a count-down to that date. Not sure if that's in wide use or worth implementing. Do other providers offer this variation?
There was a problem hiding this comment.
I'm in favor of having it nullable and throw if it isn't set. The fixed second count is odd.
| { | ||
| context.Response.OnStarting(() => | ||
| { | ||
| if (context.Request.Scheme == "https") |
| /// Sets the preload parameter of the Strict-Transport-Security header. | ||
| /// </summary> | ||
| /// <remarks> | ||
| /// Preload is not part of the RFC specification, but is supported by web browsers |
There was a problem hiding this comment.
remove the Chrome reference, just say some web browsers.
There was a problem hiding this comment.
The RFC has it "IncludeSubDomains" but one could argue the property should be named IncludeSubdomains, I don't know.
There was a problem hiding this comment.
I'll stick with the RFC here. 😃
| public static class HttpsEnforcementExtensions | ||
| { | ||
| /// <summary> | ||
| /// Adds middleware for enforcing HTTPS for all HttpRequests. |
There was a problem hiding this comment.
Including redirecting from HTTP to HTTPS and adding the HSTS header.
| /// <summary> | ||
| /// The status code to be used for Url Redirection | ||
| /// </summary> | ||
| public int StatusCode { get; set; } = 301; // TODO throw ArgumentOutOfRangeException from UrlRewrite redirect rule? |
| /// <summary> | ||
| /// Whether to use HTTP Strict-Transport-Security (HSTS) on all HTTPS requests. | ||
| /// </summary> | ||
| public bool EnforceHsts { get; set; } |
There was a problem hiding this comment.
SendHsts? SetHsts? The HSTS enforcement happens on the client.
samples/HttpsSample/Startup.cs
Outdated
|
|
||
| public void Configure(IApplicationBuilder app) | ||
| { | ||
| var httpsEnforcementOptions = new HttpsEnforcementOptions(); |
There was a problem hiding this comment.
We should have a helper method for this.
services.AddHttpsPolicy(o => o. ...);| throw new ArgumentNullException(nameof(app)); | ||
| } | ||
|
|
||
| return app.UseHsts(new HstsOptions()); |
There was a problem hiding this comment.
HstsOptions here should come from DI.
| namespace Microsoft.AspNetCore.HttpsEnforcement | ||
| { | ||
| /// <summary> | ||
| /// Enables Http Strict Transport Security (HSTS) |
| { | ||
| throw new ArgumentNullException(nameof(app)); | ||
| } | ||
| var httpsEnforcementOptions = new HttpsEnforcementOptions(); |
|
My standing suggestion is a top level config key / environment variable HttpsPort that would be set by VS when launching the process. VS is also the one setting URLs at startup. |
| } | ||
| var httpsEnforcementOptions = new HttpsPolicyOptions(); | ||
|
|
||
| return app.UseHttpsPolicy(httpsEnforcementOptions); |
| /// <summary> | ||
| /// The status code to be used for Url Redirection | ||
| /// </summary> | ||
| public int StatusCode { get; set; } = StatusCodes.Status301MovedPermanently; // TODO throw ArgumentOutOfRangeException from UrlRewrite redirect rule? |
There was a problem hiding this comment.
It's ok as it is. I don't think we need to over protect against a non redirect status code. I would change the property name and the doc comment to reflect that is a redirect status code. Property would be RedirectStatusCode. What do you think?
| /// <summary> | ||
| /// Options for using HSTS | ||
| /// </summary> | ||
| public HstsOptions HstsOptions { get; set; } // TODO should this be initialized at all? We could remove the bool if so. |
There was a problem hiding this comment.
I'm happy with this being initialized by default (to whatever defaults we choose) and for it being null to have the meaning of SetHsts = false. That way there can't be invalid combinations (like the user initializes the setting and forgets to set the flag or viceversa). I also think we follow this pattern in other places. @Tratcher do you have anything against my proposal?
| @@ -65,5 +46,9 @@ public static IApplicationBuilder UseHttpsPolicy(this IApplicationBuilder app, H | |||
|
|
|||
| return app; | |||
| } | |||
|
|
|||
| public static IApplicationBuilder UseHttpsPolicy(this IApplicationBuilder app, bool enableHsts) | |||
| { | |||
There was a problem hiding this comment.
Why empty? Do we need a comment explaining it?
There was a problem hiding this comment.
Sorry redesign for this. I need to do a bit of work still!
There was a problem hiding this comment.
Oh, OK, sorry didn't notice the [WIP] in the title.
| using Microsoft.AspNetCore.Builder; | ||
| using Microsoft.Extensions.Options; | ||
|
|
||
| namespace Microsoft.AspNetCore.HttpsPolicy |
| var includeSubdomains = hstsOptions.IncludeSubDomains ? IncludeSubDomains : StringSegment.Empty; | ||
| var preload = hstsOptions.Preload ? Preload : StringSegment.Empty; | ||
|
|
||
| _nameValueHeaderValue = new StringValues($"max-age={hstsOptions.MaxAge}{includeSubdomains}{preload}"); |
| { | ||
| context.Response.Headers[HeaderNames.StrictTransportSecurity] = _nameValueHeaderValue; | ||
| } | ||
| await _next(context); |
| /// Max-age is required; defaults to 0. | ||
| /// See: https://tools.ietf.org/html/rfc6797#section-6.1.1 | ||
| /// </remarks> | ||
| public int MaxAge { get; set; } // TODO set this to a different default in dev/not dev? |
There was a problem hiding this comment.
0 cannot be the default, that has a specific meaning in the spec. Ask the PMs for a specific value. 1 day? 1 week?
We may not need a separate value for dev as the templates won't have this enabled by default.
There was a problem hiding this comment.
@shirhatti as I know you were opinionated on having 0 as the default.
| public class HttpsPolicyOptions | ||
| { | ||
| /// <summary> | ||
| /// Whether to use HTTP Strict-Transport-Security (HSTS) on all HTTPS requests. |
| /// <summary> | ||
| /// The status code to be used for Url Redirection | ||
| /// </summary> | ||
| public int StatusCode { get; set; } = StatusCodes.Status301MovedPermanently; // TODO throw ArgumentOutOfRangeException from UrlRewrite redirect rule? |
| public int StatusCode { get; set; } = StatusCodes.Status301MovedPermanently; // TODO throw ArgumentOutOfRangeException from UrlRewrite redirect rule? | ||
|
|
||
| /// <summary> | ||
| /// The TLS port to be added to the redirected URL. |
There was a problem hiding this comment.
The default port (443) will be used if not provided.
| [InlineData(302, 5050, 0, true, true, "max-age=0; includeSubDomains; preload", "https://localhost:5050/")] | ||
| public async Task SetOptions_AddHstsMiddlewareAndEnableInPolicy(int statusCode, int? tlsPort, int maxAge, bool includeSubDomains, bool preload, string expectedHstsHeader, string expectedUrl) | ||
| { | ||
|
|
| .Configure(app => | ||
| { | ||
| app.UseHttpsPolicy(); | ||
| app.UseHsts(); |
There was a problem hiding this comment.
I thought UseHttpsPolicy would add Hsts if needed, why is this line here. Is that not the case?
There was a problem hiding this comment.
That is the case. This is just showing that you can still add Hsts again after calling UseHttps.
|
|
||
| var response = await client.SendAsync(request); | ||
|
|
||
| // By default, we will not redirect if we only use the Hsts Middleware. |
There was a problem hiding this comment.
This comment is confusing, I'm not sure what you are trying to convey here, but it seems out of context
|
|
||
| var response = await client.SendAsync(request); | ||
|
|
||
| // By default, we will not redirect if we only use the Hsts Middleware. |
There was a problem hiding this comment.
You copy pasted this comment below and doesn't make sense there. I don't think this adds a lot of value here, so I would just remove it.
|
We should consider making HttpsPolicy a shared options collection with RedirectToHttpsOptions and HstsOptions. To configure the HttpPolicy, if we require the max-age to be set, users will have to call services.Configure. |
| /// See: https://tools.ietf.org/html/rfc6797#section-6.1.1 | ||
| /// </remarks> | ||
| public int MaxAge { get; set; } | ||
| public int MaxAge { get; set; } = 2592000; |
There was a problem hiding this comment.
This should be a TimeSpan so people don't have to do the math themselves.
samples/HttpsPolicySample/Startup.cs
Outdated
| public void ConfigureServices(IServiceCollection services) | ||
| { | ||
| services.Configure<HttpsRedirectionOptions>(options => { | ||
| options.RedirectStatusCode = 301; |
There was a problem hiding this comment.
Use StatusCodes.Status301MovedPermanently
| /// <returns></returns> | ||
| public Task Invoke(HttpContext context) | ||
| { | ||
|
|
| { | ||
| context.Response.Headers[HeaderNames.StrictTransportSecurity] = _strictTransportSecurityValue; | ||
| } | ||
| return _next(context); |
There was a problem hiding this comment.
Should have a blank line before the return statement.
samples/HttpsPolicySample/Startup.cs
Outdated
| // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940 | ||
| public void ConfigureServices(IServiceCollection services) | ||
| { | ||
| services.Configure<HttpsRedirectionOptions>(options => { |
There was a problem hiding this comment.
Update the samples to use the helper methods
| var includeSubdomains = hstsOptions.IncludeSubDomains ? IncludeSubDomains : StringSegment.Empty; | ||
| var preload = hstsOptions.Preload ? Preload : StringSegment.Empty; | ||
|
|
||
| _strictTransportSecurityValue = new StringValues($"max-age={hstsOptions.MaxAge.TotalSeconds}{includeSubdomains}{preload}"); |
There was a problem hiding this comment.
There was a problem hiding this comment.
nvrm realized I realized that security has max age as nullable.
| /// </summary> | ||
| public class HttpsRedirectionOptions | ||
| { | ||
|
|
| <PackageTags>aspnetcore;https;hsts</PackageTags> | ||
| </PropertyGroup> | ||
| <ItemGroup> | ||
| <PackageReference Include="Microsoft.AspNetCore.Http.Extensions" /> |
There was a problem hiding this comment.
What is Http.Extensions needed for?
|
The current Options usage looks fine. |
jkotalik
changed the title
jkotalik
changed the title
| .UseUrls("https://*:5050") | ||
| .ConfigureServices(services => | ||
| { | ||
| services.Configure<HstsOptions>(options => { |
There was a problem hiding this comment.
Fix the usages on the tests to use the service collection extensions
There was a problem hiding this comment.
There are two sets of tests, one that uses Configure and AddHsts(). I can remove these tests if you would like 😄
| .UseUrls("https://*:5050", "http://*:5050") | ||
| .ConfigureServices(services => | ||
| { | ||
| services.Configure<HttpsRedirectionOptions>(options => |
| var builder = new WebHostBuilder() | ||
| .ConfigureServices(services => | ||
| { | ||
| services.Configure<HttpsRedirectionOptions>(options => |
Implementation of #258.
Final items:
cc @danroth27 @shirhatti @muratg