Strict Transport Security ASP.NET Module


I’ve been tackling the problem of users connecting to online services from untrusted networks. At work we typically call this the “Starbucks” scenario, where a user connects to a random wifi network and accesses corporate data through online services. In the majority of cases the browser is used to connect to the services, and I don’t expect that to change much over the next few years.


One of the new proposals I’ve stumbled upon is the Strict Transport Security proposal, which is sponsored by PayPal and currently supported by the Google Chrome browser. The spec is still under review and the latest version is available at http://lists.w3.org/Archives/Public/www-archive/2009Dec/att-0048/draft-hodges-strict-transport-sec-06.plain.html .


The proposal is quite simple and aims at forcing the browser to only connect over SSL by redirecting HTTP traffic to HTTPS at the browser level, so that no connection is made over HTTP at all. This is implemented by a server component that provides the browser with a connection policy and by a browser component that enforces the policy provided by the server.


I’ve seen a lot of applications force connections over HTTPS by simply detecting a connection over HTTP and returning a 302 redirect to the HTTPS site. This specification improves on that logic by telling the browser to automatically rewrite the HTTP location on the client side, so that no “unsafe” connection is made in the first place.


I believe that the Strict Transport Security proposal is a step in the right direction, but I’m not sure about its acceptance. I also have some concerns about requiring the initial connection over HTTP and about allowing the browser to connect back over HTTP once the policy expires. I believe that group policy might be a better approach for certain high-profile sites, but only time will tell.


After reading the specification, I realized that implementing the server-side processing is quite simple under ASP.NET, so I decided to implement a quick STS HTTP module for ASP.NET and make it available.


Installation


The STS module can be installed by adding it to the system.web/httpModules section of your web.config:

<system.web>
  <httpModules>
    <add name="STSModule" type="STSModule.STSServerModule"/>
  </httpModules>
</system.web>


Configuration


Enabling configuration section


The STS Server module can be configured in the web.config through the stsModule configuration section. To enable it, the section needs to be declared in the configuration/configSections section of your web.config:

<configuration>
  <configSections>
    <sectionGroup name="stsModuleSection">
      <section name="stsModule" type="STSModule.StrictTransportSecuritySection"/>
    </sectionGroup>
  </configSections>
</configuration>


Configuring the module


The stsModule element accepts the following attributes (configuration name, description, default value):

maxAgeInSeconds (default: 86400)
    Defines the max-age directive of the Strict-Transport-Security header, i.e. how long, in seconds, the browser should keep enforcing HTTPS for the host.

includeSubDomains (default: false)
    Defines whether the includeSubDomains directive of the Strict-Transport-Security header is present. If the value is true, includeSubDomains is added to the header.

redirectUrl (default: empty string)
    Defines the URL used in the redirection. If the attribute is empty or not defined, the redirection URL is the same as the one requested, but with the scheme set to HTTPS.

use302 (default: false)
    Specifies whether the redirect status code should be 302 instead of the 301 specified in the spec.

<stsModuleSection>
  <stsModule maxAgeInSeconds="86400"
             includeSubDomains="false"
             use302="false"/>
</stsModuleSection>
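To illustrate the server-side behaviour described above, here is a minimal IHttpModule written for this post; it is an added example, not the code shipped in STSServerModule.zip. The three constants stand in for the maxAgeInSeconds, includeSubDomains and use302 attributes of the stsModule section, and the redirect target is derived from the request URL (no redirectUrl override).

```csharp
using System;
using System.Web;

// Added example: applies the STS policy on HTTPS requests and redirects
// plain HTTP requests to HTTPS. Values below stand in for the stsModule
// configuration section of the real module.
public class StsExampleModule : IHttpModule
{
    private const int MaxAgeInSeconds = 86400;      // maxAgeInSeconds
    private const bool IncludeSubDomains = false;   // includeSubDomains
    private const bool Use302 = false;              // use302

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    public void Dispose() { }

    // Builds the header value, e.g. "max-age=86400; includeSubDomains".
    public static string BuildHeaderValue(int maxAge, bool includeSubDomains)
    {
        string value = "max-age=" + maxAge;
        return includeSubDomains ? value + "; includeSubDomains" : value;
    }

    // Same URL as requested with the scheme set to https. Port -1 drops any
    // explicit port so the redirect lands on the default HTTPS port (assumption).
    public static string BuildRedirectUrl(Uri requested)
    {
        UriBuilder target = new UriBuilder(requested);
        target.Scheme = Uri.UriSchemeHttps;
        target.Port = -1;
        return target.Uri.AbsoluteUri;
    }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (!ctx.Request.IsSecureConnection)
        {
            // Plain HTTP: redirect, 301 per the spec unless use302 is set.
            ctx.Response.StatusCode = Use302 ? 302 : 301;
            ctx.Response.RedirectLocation = BuildRedirectUrl(ctx.Request.Url);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // HTTPS: the policy header is only honoured by browsers over HTTPS.
        ctx.Response.AppendHeader("Strict-Transport-Security",
            BuildHeaderValue(MaxAgeInSeconds, IncludeSubDomains));
    }
}
```

Register the class under httpModules (classic mode) or system.webServer/modules (IIS 7 integrated mode) as shown for the real module.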



STSServerModule.zip

Comments (4)

  1. asteingruebl says:

    Chrome is tackling the bootstrapping problem with a preloaded list that ships in the browser.

    http://www.chromium.org/sts

    The other long-term option is OOB bootstrapping via things like DNSSEC srv records, etc.

    Thanks for the hints on how to add this to ASP.NET apps.

  2. TheFaust says:

    I believe that bootstrapping approach might be preferable. The same way we do for trusted cert authority. I would also like to see it as a configuration that can be pushed to users automatically. Something similar to group policy configuration in IE.

  3. adrian says:

    I've played a little with this and I run it currently (live experiment) on my blog (under IIS 7.0, .NET 3.5).

    If you want to run it in IIS 7.0 Integrated Mode, the module needs to be registered within system.webServer I presume.

    Thanks,

    Adrian

  4. heer says:

    thanks for being there