Strict Transport Security ASP.NET Module

I’ve been tackling the problem of users connecting to online services from untrusted network. At work we typically call this the “Startbucks” scenario where a user is connecting to a random wifi and accessing corporate data through online services. For the majority of the cases, the browser is used to connect to the services and I don’t expect it to change much for the next few years.

One of the new proposal I’ve stumble upon is the Strict Transport Security proposal which is being sponsored by Paypal and currently supported by the Google Chrome browser. The spec is still under review and the latest version is available at https://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html .

The proposal is quite simple and aims at forcing the browser to only connect over SSL by redirecting HTTP traffic to HTTPS at the browser level so that no connection is made over HTTP. This is implemented by adding a server component that provides the browser with a connection policy and by a browser component which enforce the policy provided by the server.

I’ve seen a lot of applications force connection over HTTPS by simply detecting the connection over HTTP and returning a 302 redirect to the client to the HTTPS site but this specification improves this logic by telling the browser to automatically replace the HTTP location on the client side so that no “unsafe” connections are made.

I believe that the Strict Transport Security proposal is a step in the right direction but I’m not sure about its acceptance. I also have some concerns about requiring the initially connection over HTTP and allowing the browser to connect back to HTTP once the policy expires. I believe that group policy might be a better approach there for certain high profile sites but only time will tell.

After reading the specification, I realize that implementing the server processing is quite simple under ASP.NET and decided to implement a quick STS HTTP Module for ASP.NET and make it available.

Installation

The STS module can be installed by adding it to the system.web.httpModules section of your web.config

<system.web>

<httpModules>

<add name="STSModule" type="STSModule.STSServerModule"/>

</httpModules>

</system.web>

Configuration

Enabling configuration section

The STS Server module can be configured in the web.config with the stsModule configuration section. To do so, the configuration section needs to be added to the configuration.configSections section of your web.config.

<configuration>

<configSections>

<sectionGroup name="stsModuleSection">

<section name="stsModule" type="STSModule.StrictTransportSecuritySection"/>

</sectionGroup>

</configSections>

</configuration>

Configuring the module

Configuration name

Description

Default value

maxAgeInSeconds

This section defines the max-age section of the Strict-Transport-Security header

86400

includeSubDomains

Define if the includeSubDomains section of the Strict-Transport-Security header is present.

If the value is true, the includeSubDomains will be added to the header.

false

redirectUrl

Defines the url specified in the redirection.

If the configuration is empty or not defined, the redirection url will be the same as the one questions but the scheme will be set to HTTPS.

Empty string

use302

Specify if the status code should be 302 instead of the 301 specified in the spec.

false

<stsModuleSection>

<stsModule maxAgeInSeconds="86400"

includeSubDomains="false"

use302="false"/>

</stsModuleSection>

STSServerModule.zip

Comments

  • Anonymous
    May 12, 2010
    Chrome is tackling the bootstrapping problem with a preloaded list that ships in the browser. http://www.chromium.org/sts The other long-term option is OOB bootstrapping via things like DNSSEC srv records, etc. Thanks for the hints on how to add this to ASP.NET apps.

  • Anonymous
    May 13, 2010
    I beleive that bootstrapping approach might be preferable. The same way we do for trusted cert authority. I would also like to see it as a configuration that can be pushed to users automatically. Something similar to group policy configuration in IE.

  • Anonymous
    February 05, 2011
    I've played a little with this and I run it currently (live experiment) on my blog(under IIS 7.0, .NET 3.5). If you want to run it in IIS 7.0 Integrated Mode, the module needs to be registered within system.webServer I presume. Thanks, Adrian

  • Anonymous
    July 25, 2012
    thanks for being  there