Today in this article, we will cover below aspects,

Issue Description

ASP.NET Core API or Website runtime gives below error,

Failed to determine the HTTPS port for the redirect

Resolution

This issue generally occurs when configuring the HTTP Strict Transport Security (HSTS) header in the website or API. It is recommended to use HTTPS Vs HTTP protocol.

This is the default ASP.NET behavior where the recommendation is as below,

• The use of HSTS means all requests will be routed to HTTPS.
• Also, the ability to re-direct insecure requests(HTTP) to secure HTTPS.

Below is the sample code,

 
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseHttpsRedirection();

.
.

     }
   

Above we have used middleware UseHttpsRedirection which redirects any HTTP request to a secured HTTPS request.

While redirecting the port must be available to redirect the request.

This can also be achieved by setting the variable port using any of the approaches discussed.

All the below approaches ultimately set the environment variable ASPNETCORE_HTTPS_PORT. Please see below for more details on various approaches to setting up the port.

Approach 1 – Configure X-Forwarded headers

Configure the API middleware with ForwardedHeadersOptions to forward the two headers in the headers in Startup.ConfigureServices.

• X-Forwarded-For 

• X-Forwarded-Proto 

  public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllers();

            services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders =
                    ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            });
       ...
       ...

        }

Also, update the configure method as below,

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseForwardedHeaders();

        if (env.IsDevelopment())
        {
             app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseHsts();
        }

Please note to enable this middleware as the first middleware in the API Pipeline order.

If you see any issues with the above approach, please try setting up an HTTP port explicitly to resolve the issue which can be achieved using any of the below approaches.

Approach 2- Setting up HTTP Port

If the above approach for the Proto header forward doesn’t work for you, you may try the below approach.

All the below approaches to set the environment variable ASPNETCORE_HTTPS_PORT, you can use any of the below approaches to do the same.

• Set the environment variable ASPNETCORE_HTTPS_PORT explicitly with the port number.

• Using apsettings.json , please add the key value as “https_port“: 443

{
    "https_port": 443,

    "Logging": {
        "LogLevel": {
            "Default": "Information",
            "Microsoft": "Warning",
            "Microsoft.Hosting.Lifetime": "Information"
        }
    },
    "AllowedHosts": "*"
}

• HTTPS port can also be set by using the AddHttpsRedirection middleware option as below,

• To set the port number for https_port use configuration or call UseSetting by using Generic Host Builder

If the reverse proxy already handles HTTPS redirection, then don’t use HTTPS Redirection Middleware. 

References :

• ASP.NET Core adds HSTS Security Headers

Did I miss anything else in these resolution steps?

Did the above steps resolve your issue? Please sound off your comments below!

Happy Coding !!

Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published (2025) best practices and guidelines for software design and development.

The post Resolved-Failed to determine the HTTPS port for the redirect first appeared on TheCodeBuzz.

Today in this article, we shall see in ASP.NET Core how to Add HSTS Security Headers to Web/API applications.

Today we will cover the following aspects in this article,

Most of these headers once added to response headers use in-built browser features to protect your data and communication over the network.

Types of Security Headers

Below are the various security headers which can be used in various contexts as needed.

• HTTP Strict Transport Security (HSTS)

• X-Frame-Options

• X-Content-Type-Options

• Content-Security-Policy

• X-XSS-Protection

Enable HTTP Strict Transport Security (HSTS) in .NET Core

Characteristics and guidelines

This header provides below characteristics (but are not limited to), and guidelines for building secured applications

• It allows the websites or API owners to declare their website/API is accessible only via secure connections.

• It allows the user of the website to interact with the website/API in secure connections.

• It protects the websites against protocol downgrade attacks.

• It protects the website’s action against cookie hijacking.

• It allows interaction with HTTPS connections only.

• The server implements Strict-Transport-Security by adding a header over an HTTPS connection.

• HSTS Headers are ingonred over HTTP.

• The browser restricts the user from using untrusted or invalid certificates. 

• The browser disables prompts that allow a user to temporarily trust such a certificate.

Adding HSTS in ASP.NET Core

Adding HSTS in ASP.NET Core can be achieved using the middleware component easily. We shall see both inline middleware and custom middleware techniques.

Syntax :

Strict-Transport-Security: max-age=<time>
Strict-Transport-Security: max-age=<time>; includeSubDomains
Strict-Transport-Security: max-age= <time>; preload

Directives details:

• max-age=<expire-time> – (Required) – Time in seconds. This is the duration of time the browser remembers that a site is only to be accessed using HTTPS.

• includeSubDomains – (Optional) – Enables include SubDomain parameter of the Strict-Transport-Security header.

• preload- (Optional) – preload is supported by web browsers but is not part of the RFC specification yet.

Example:

 content-type: application/json; charset=utf-8 
 date: Sun24 Jan 2021 00:01:09 GMT 
 server: Microsoft-IIS/10.0 
 strict-transport-security: max-age=31536000 ; includeSubDomains;preload
 x-powered-by: ASP.NET 

In the above example,

• max-age is set to 1 year
• suffixed with preload, (necessary for inclusion in all major web browsers’ HSTS preload lists, like Chromium, Edge, and Firefox.)

Strict-Transport-Security can be added to ASP.NET Core API programmatically using the middleware approach which is discussed below in more detail.

The below code helps you add the HSTS middleware component to the API pipeline as below,

Step 1

In the ConfigureServices, using AddHsts which adds the required HSTS services

public void ConfigureServices(IServiceCollection services)
        {

            services.AddControllers();

            services.AddHsts(options =>
            {
                options.Preload = true;
                options.IncludeSubDomains = true;
                options.MaxAge = TimeSpan.FromDays(365);
            });

..

..

       }

Step 2

In the Configure method add UseHsts middleware for using HSTS, which adds the Strict-Transport-Security header.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();

            }
            else
            {
                app.UseHsts();

            }
..
..
..
      }

The default HSTS value is 30 days if not specified.

With the above basic steps, the ASP.NET Core application hosted on IIS or Clouds should be able to send HTTP Strict Transport Security Protocol (HSTS) headers to clients.

Using PostMan,

UseHttpsRedirection middleware

As per Microsoft guidelines, the production ASP.NET Core app should also use HTTPS Redirection Middleware to redirect HTTP requests to HTTPS.

This can be done by adding UseHttpsRedirection a Redirection middleware in the API.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}

Apps deployed with a reverse proxy and capable of handling HTTPS redirection don’t need to use HTTPS Redirection Middleware.

For more information please refer to Microsoft guidelines

Redirection Middleware will need a port to be available to redirect an HTTP request to HTTPS else error “Failed to determine the HTTPS port for the redirect.” will be thrown.

Additional Guidelines

• Do not use HSTS in a local development environment. HSTS setting is recommended to be used in a Prod environment.

• HSTS settings are cached by the browser.

• HSTS settings are ignored over an HTTP connection.

• HSTS excludes the below loopback host. Example
  • localhost
  • 127.0.0.1
  • [::1]

References:

If you want to set various headers like X-Frame-Option X-Content-Type-Options Content-Security-Policy X-XSS-Protection, please visit the below article for more details,

• Important Security Headers any application should use – Usage and Guidelines

Do you have any comments or ideas or any better suggestions to share?

Please sound off your comments below.

Happy Coding !!

Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published (2025) best practices and guidelines for software design and development.

The post ASP.NET Core How to Add HSTS Security Headers first appeared on TheCodeBuzz.

Today in this article, we shall cover ASP.NET Core Security Headers Guidelines. We will see how to enable security headers as part of security best practices protecting our ASP.NET Core API.

I shall talk about more specific headers which are always good to have and recommended as per the OWASP specifications.

These headers are simple to use and can be incorporated into your API or Web Application with simple easy-to configure steps.

Most of these headers once added to response headers use inbuilt browser features to protect your data and communication over the network.

We will cover the below aspects in the article,

Response Headers

Below are the various response headers which can be used in various contexts as needed. We shall be covering a few, important basic headers in this article.

• HTTP Strict Transport Security (HSTS)
• X-Frame-Options
• X-Content-Type-Options
• X-Permitted-Cross-Domain-Policies
• Referrer-Policy
• Content-Security-Policy
• Feature-Policy
• Public Key Pinning Extension for HTTP (HPKP)
• Expect-CT
• X-XSS-Protection

Out of all the above response headers, one can very much use highlighted headers in most of the use cases. Having above-highlighted headers are always good to have and help our API or Website secured well enough.

Let’s get started.

HTTP Strict Transport Security (HSTS)

HSTS is an IETF standard, Strict Transport Security protocol, and is as per specification and standards specified in RFC 6797. It allows the web sites owner to declare their website is accessible only via secure connections. It allows the user of the website to interact with the website in secure connections.

Syntax :

Enabling HSTS in ASP.NET Core is simple and it is explained in detail in the below article.

Example

 public void ConfigureServices(IServiceCollection services)
        {

            services.AddControllers();

            services.AddHsts(options =>
            {
                options.Preload = true;
                options.IncludeSubDomains = true;
                options.MaxAge = TimeSpan.FromDays(365);
            });
''
''
''
         }

//
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

For more details, please visit this article,

• Add HSTS Security Headers ASP.NET Core

X-Content-Type-Options

This is one of the headers which secures the content type of the data communicated. This header disables the wrong or malicious interpretation of Content-Type.

This header has only one value “nosniff” i.e do not sniff the content type and choose the only content type specified by the application via Content-Type.

Syntax

X-Content-Type-Options: nosniff

Add X-Content-Type-Options header in ASP.NET Core using middleware as below,

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseHttpsRedirection();

            app.Use(async (context, next) =>
            {
                context.Response.Headers.Add("X-Content-Type-Options", "nosniff");
                await next.Invoke();
            });
..
..
     }

Content-Security-Policy

A Content-Security-Policy (CSP) header enables you to control the sources/content on your site that the browser can load. So this header gives you the ability to load the only resources needed by the browser.

A Content Security Policy (CSP) helps protect against XSS attacks by informing the browser of valid re-sources like as below,

• Content, scripts, stylesheets, and images.
• Actions are taken by a page, specifying permitted URL targets of forms.
• Plugins that can be loaded.

Syntax

Content-Security-Policy: default-src ‘self’

Add Content-Security-Policy header in ASP.NET Core using middleware as below,

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseHsts();
            }

            app.UseHttpsRedirection();

            app.Use(async (context, next) =>
            {
                context.Response.Headers.Add("Content-Security-Policy", "default-src 'self';");
                await next.Invoke();
            });
    ..
    .. 
       }

X-XSS-Protection

X-XSS-Protection header is for protecting your site from XSS (Cross-site scripting) attacks. If a cross-site scripting attack is detected, the browser will sanitize the page and the malicious part will either be removed OR the browser will prevent rendering of the page and will block an attack (mode=block).

Syntax

Below are the four options for enabling Cross-site scripting.

X-XSS-Protection: 0

X-XSS-Protection: 1

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=<report-uri>

Add X-XSS-Protection header in ASP.NET Core using middleware as below,

After adding all headers together in the middleware component and hosting it cloud below is how we can visualize all the response headers,

References:

• ASP.NET Core HSTS Security Headers Guidelines

That’s all, Enjoy Coding!

Do you have any comments or ideas or any better suggestions to share?

Please sound off your comments below.

Happy Coding !!

Please bookmark this page and share it with your friends. Please Subscribe to the blog to receive notifications on freshly published (2025) best practices and guidelines for software design and development.

The post ASP.NET Core Security Headers Guidelines first appeared on TheCodeBuzz.