HTTP Strict Transport Security (HSTS) is a web security policy mechanism by which a server informs user agents (browsers) that it only accepts secure connections. In other words, they must use HTTPS to access its resources.
In the context of .NET Core, HSTS is implemented through the UseHsts middleware. This middleware adds the Strict-Transport-Security HTTP header to HTTP responses. This header tells the browser to only access the app over HTTPS, not HTTP.
The need for HSTS arises from the fact that even if your application redirects all HTTP requests to HTTPS, a man-in-the-middle can still hijack the connection before the redirect. By using HSTS, the browser saves the HSTS setting and redirects itself to the HTTPS version without making an insecure call. This helps to enhance the security of your application by ensuring all communications are sent over a secure connection.
However, it's important to note that HSTS should be used carefully. Once a browser receives the HSTS header from your site, it will refuse to connect to your site using HTTP until the max-age specified in the header elapses, and the browser restarts that countdown every time it receives the header again. Therefore, you should be sure that your site will still be served over HTTPS for the duration specified in max-age.
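The configuration described above, as an added example (not code from the original article): a minimal ASP.NET Core Program.cs that registers the HSTS options, enables the UseHsts middleware only outside development, and sends the redirect in front of it. The host name in ExcludedHosts is an assumed placeholder.

```csharp
// Program.cs, ASP.NET Core minimal hosting model (.NET 6 or later).
// Added example; assumes the default WebApplication template.

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHsts(options =>
{
    // max-age: how long the browser must refuse plain HTTP to this host.
    // Start small while rolling out and raise it only once every host that
    // shares the policy is reliably served over HTTPS.
    options.MaxAge = TimeSpan.FromDays(30);

    // Both of these widen the policy beyond this host name; leave them off
    // until every subdomain is HTTPS-only (Preload also requires a long max-age).
    options.IncludeSubDomains = false;
    options.Preload = false;

    // Hosts that must never receive the header. localhost, 127.0.0.1 and [::1]
    // are excluded by default; this extra entry is an assumed placeholder.
    options.ExcludedHosts.Add("staging.example.test");
});

builder.Services.AddHttpsRedirection(options =>
{
    // Permanent redirect for the first plain-HTTP visit; after that the
    // browser's cached HSTS policy upgrades http:// requests by itself.
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    // Skipped in development so a developer's browser does not cache the
    // policy for a host while the site is still being set up. The middleware
    // only adds the header to responses that were themselves served over HTTPS.
    app.UseHsts();
}

app.UseHttpsRedirection();

app.MapGet("/", () => "Served over HTTPS with Strict-Transport-Security");

app.Run();
```

With these settings an HTTPS response carries Strict-Transport-Security: max-age=2592000 (30 days in seconds); a plain HTTP request receives a 308 to the HTTPS URL and no HSTS header.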