Learn how the HTTP Strict-Transport-Security (HSTS) header works, and how it can improve HTTPS security even further. Nate explains how to add the HSTS header to ASP.NET Core using middleware.
- [Instructor] Our API will automatically redirect requests to HTTPS, but we can take it a step further. If we return the HTTP Strict-Transport-Security, or HSTS, header, browsers and other clients that honor the HSTS header will force all connections to start with HTTPS, and won't even allow a connection attempt over plain HTTP. This is an edge case, but it's easy to add. I'll start by installing a helper package in the project; I'll do that from the NuGet package explorer.
I need to install the NWebsec.AspNetCore.Middleware package. Once that package is installed, in the Startup class I need to go all the way to the bottom, to the Configure method where we're setting up the application pipeline. Right above the UseMvc line, I need to add app.UseHsts. We'll pass a couple of options.
First, we want to set the maximum age for the header. Max age controls how long a browser or client will remember the HSTS setting. Right now I'll just set it to 180 days. It's common to set this value very high in production, such as a year. I also want to set the IncludeSubdomains flag, which will mean HSTS applies not just to the root domain of this API, but to any potential subdomains. Finally, I want to set the Preload flag. Preload indicates that the browser or client is allowed to assume the site uses HSTS if the site is submitted to a common list of HSTS-enabled websites.
After adding this middleware to the application pipeline, the response will include the HSTS header. Let's check it out. If I make another request with Postman and check the Headers collection, I can see the Strict-Transport-Security, or HSTS, header with the max-age, includeSubDomains, and preload flags set. For browsers and clients that respect the HSTS header, this adds an additional layer of transport security to the application, ensuring that requests can't be accidentally made over HTTP.
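The pipeline the video walks through, written out as an added example rather than the course's own code: a Startup class for an ASP.NET Core 2.x-era project with the NWebsec.AspNetCore.Middleware package installed, calling app.UseHsts directly before app.UseMvc with the three options the video sets. Two things here are assumptions, not from the video: the RequireHttpsAttribute filter stands in for however the earlier "Requiring HTTPS" video set up the redirect, and the Development-environment check that skips HSTS is a precaution added here.

```csharp
// Startup.cs (ASP.NET Core 2.x-era project with NWebsec.AspNetCore.Middleware installed)
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Assumed from the earlier video: plain-HTTP requests are redirected to HTTPS.
            // HSTS builds on this; it does not replace the redirect.
            options.Filters.Add(new RequireHttpsAttribute());
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Added precaution (not in the video): don't emit HSTS while running on localhost.
        // A browser that caches the policy will force https://localhost for the whole
        // max-age, which breaks every other local project served on that host and port.
        if (!env.IsDevelopment())
        {
            // NWebsec writes Strict-Transport-Security only on HTTPS responses,
            // matching RFC 6797, which tells clients to ignore the header over HTTP.
            app.UseHsts(options => options
                .MaxAge(days: 180)      // Strict-Transport-Security: max-age=15552000
                .IncludeSubdomains()    // ...; includeSubDomains  (policy covers every subdomain)
                .Preload());            // ...; preload            (opt in to browser preload lists)
        }

        // HSTS must be registered before MVC so the header is added to MVC responses.
        app.UseMvc();
    }
}
```

Two checks worth doing before shipping this. Verify the header against an https:// URL: because NWebsec only sets it on HTTPS responses, a plain-HTTP request in Postman will show no Strict-Transport-Security header even when the middleware is wired correctly. And treat includeSubDomains and preload as commitments: once a browser has cached the policy, any subdomain that is still HTTP-only becomes unreachable from that browser until max-age expires, and the hstspreload.org submission the preload directive refers to is only accepted with a max-age of at least one year (31536000 seconds) alongside includeSubDomains and preload, so the 180-day value used in the video is fine for testing but would have to be raised before submitting. On ASP.NET Core 2.1 and later the same header is available without NWebsec via services.AddHsts (HstsOptions.MaxAge, IncludeSubDomains, Preload) and the built-in app.UseHsts(), which also skips localhost by default.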