Enable Strict transport security mvc - asp.net-mvc

I want to enable Strict Transport Security.
My website is HTTPS enabled.
Below is my code to enable HSTS.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="Strict-Transport-Security" value="max-age=31536000"/>
      .....
    </customHeaders>
  </httpProtocol>
</system.webServer>
Is the above setting enough to enable Strict Transport Security, or do I also need to add the setting below, i.e.:
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions>
        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
      </conditions>
      <action type="Rewrite" value="max-age=31536000" />
    </rule>
  </outboundRules>
</rewrite>
If both settings are mandatory, then what is the need for the rewrite? Can we enable HSTS with only the customHeaders entry, or with only the rewrite? Why is the rewrite required?
This site says to add the rewrite along with
<add name="Strict-Transport-Security" value="max-age=31536000"/>

This header forces the browser to use HTTPS. If the application has an HTTP link somewhere, or if the user tries to enter a URL with HTTP, the browser will redirect him to HTTPS. To use HSTS, the site needs a valid SSL certificate. The rewrite is not mandatory, but it's good to have, because if the user first enters the site with HTTPS, then whenever he comes to the site he will be automatically redirected until expiry, and the max-age also updates on each visit. But if the user enters once in HTTP mode, STS may not work until he uses the site over HTTPS once. It's better to use the rewrite.
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Strict-Transport-Security" value="max-age=xxxxxx"/>
    </customHeaders>
  </httpProtocol>
</system.webServer>
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
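As an added illustration of the answer's point (not code from the question or from the linked references), the toy Python model below replays a browser's HSTS cache against a site served with and without the HTTP-to-HTTPS rewrite; the host name example.test and the simplified Site and Browser classes are assumptions.

```python
import re

# Assumption: a toy model of a browser's HSTS cache and of a site served with or
# without the HTTP-to-HTTPS rewrite rule, written for this page, not the asker's
# site. Browsers only honour Strict-Transport-Security received over HTTPS
# (RFC 6797), so the header alone cannot upgrade the very first http:// visit.
HOST = "example.test"        # constructed host name
MAX_AGE = 31536000           # the max-age from the question

def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None if unusable."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    if m is None:
        return None
    return {"max_age": int(m.group(1)),
            "include_subdomains": "includesubdomains" in value.lower()}

class Site:
    """Sends the STS header on every response (as <customHeaders> does); the
    rewrite rule, when enabled, answers plain HTTP with a 301 to HTTPS."""
    def __init__(self, http_redirect):
        self.http_redirect = http_redirect
    def respond(self, scheme):
        if scheme == "http" and self.http_redirect:
            return 301, {"Location": "https://%s/" % HOST}
        return 200, {"Strict-Transport-Security": "max-age=%d" % MAX_AGE}

class Browser:
    def __init__(self):
        self.policy_expiry = {}  # host -> time until which HTTPS is forced
    def fetch(self, site, scheme, now):
        """Perform one navigation; return the scheme the final response used."""
        if scheme == "http" and self.policy_expiry.get(HOST, 0) > now:
            scheme = "https"  # cached policy: rewrite the URL before connecting
        status, headers = site.respond(scheme)
        if status == 301:
            scheme = "https"  # follow the server-side redirect
            status, headers = site.respond(scheme)
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if scheme == "https" and policy:  # header over plain HTTP is ignored
            self.policy_expiry[HOST] = now + policy["max_age"]  # refreshed per visit
        return scheme

def simulate(http_redirect, visits):
    """Replay (scheme, time) visits from a fresh browser; return the schemes used."""
    browser, site = Browser(), Site(http_redirect)
    return [browser.fetch(site, scheme, t) for scheme, t in visits]
```

Without the rewrite, the first http:// visit and any visit after max-age expiry stay on HTTP; with it, every visit ends on HTTPS and the policy is cached from the first one.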

Related

IIS - HTTPS and WWW Redirect

So I'm using IIS 8 and trying to redirect all versions of my site to one.
Say for example:
http://www.osrshub.com
www.osrshub.com
osrshub.com
http://osrshub.com
https://osrshub.com
https://www.osrshub.com
When a user hits any of these links i need it to redirect to 1 main link.
https://www.osrshub.com
I'm using Windows Server 2012.
This rule will redirect everything to https://www.osrshub.com:
<rule name="All in one rule" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAny">
    <add input="{HTTPS}" pattern="off" />
    <add input="{HTTP_HOST}" pattern="^www\.osrshub\.com$" negate="true" />
  </conditions>
  <action type="Redirect" url="https://www.osrshub.com/{R:0}" />
</rule>
You need to add this rule to your web.config file.

Can I prevent remote access to Umbraco back office?

We are running Umbraco 7.4. Due to a corporate security requirement, we need to prevent people from reaching oursite.com/umbraco from anywhere except the server itself as localhost/umbraco. I have tried an IIS rewrite for /umbraco#/ to no avail. I tried an IIS deny rule for /umbraco, but that actually broke some other stuff around our site. Is there some other awesome way to prevent remote access to the Umbraco back office?
I have done a similar thing with IIS rewrite rules where you can only access the back office from a specific set of domains (hence the wildcard matching). You could use this to only allow access from localhost. NOTE: place the rule in the umbraco folder, not the main site web.config. The full web.config contents to place in the umbraco folder are:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Umbraco only from localhost" enabled="true" patternSyntax="Wildcard" stopProcessing="false">
          <match url="*" negate="false" />
          <action type="Rewrite" url="/UmbrSubDir404" appendQueryString="false" logRewrittenUrl="false" />
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTP_HOST}" pattern="localhost" negate="true" />
            <add input="{URL}" pattern="*RestServices/ScheduledPublish*" negate="true" />
            <add input="{URL}" pattern="*umbraco/Api/*" negate="true" />
          </conditions>
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Secure cookie not being set on AWS ASP.NET MVC website

We had a security review that revealed that the cookies in our ASP.NET MVC application were not being set as secure, despite having the following setting in web.config:
<httpCookies requireSSL="true" httpOnlyCookies="true" />
The website is not using forms authentication, so there is no need for the <forms requireSSL="true"> setting.
The website is hosted on an AWS app server and is accessed via an ELB. Internally on the app server the website is HTTP but externally it is HTTPS.
I've tried to implement a solution found here:
http://www.jamescrowley.co.uk/2014/03/07/ssl-termination-and-secure-cookiesrequiressl-with-asp-net-forms-authentication/
I added the following rewrite rule to web.config:
<rewrite>
  <rules>
    <rule name="HTTPS_AlwaysOn" patternSyntax="Wildcard">
      <match url="*" />
      <serverVariables>
        <set name="HTTPS" value="on" />
      </serverVariables>
      <action type="None" />
      <conditions>
        <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" />
      </conditions>
    </rule>
  </rules>
</rewrite>
And I added the HTTPS variable to applicationHost.config:
<rewrite>
  <allowedServerVariables>
    <add name="HTTPS" />
  </allowedServerVariables>
</rewrite>
Unfortunately this causes the ELB to fail. When speaking to our internal AWS support team they say this is because the ELB health check is failing. There is a health.html page in the root of the website. Is there a way of applying a condition to the above so that it ignores this for the health.html page which the ELB uses? I'm new to rewrite rules so not fully versed in the syntax and the way they work.
I can't test this yet, but in theory I think you would just need to change your conditions:
<conditions logicalGrouping="MatchAll">
  <add input="{HTTP_X_FORWARDED_PROTO}" pattern="https" />
  <add input="{REQUEST_URI}" negate="true" pattern="^/health.html$" ignoreCase="true" />
</conditions>

rewrite rule not redirecting http to https

Currently we are trying to set up a redirect from http to https in our web.config, limited to the domains we use. But it's not working.
<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="^(?:http(?:s)?:\/\/)?(?:[^\\.]+\.)?mysite\.com(\/.*)?$" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>
This rule works fine in a regex editor. But not on the webserver. http://rubular.com/r/3NQTozcigZ
^(?:http(?:s)?:\/\/)?(?:[^\\.]+\.)?mysite\.com(\/.*)?$
Looking at the failed request log files, pattern_match is false. Any insights?
After doing some more testing I'm finding that this works.
http://sub.site.com/
But this will not work.
http://sub.site.com/Account/Logon
The pattern used in url is only ever matched against the requested path (and only the path, not the full URL).
If you want to check the domain as well as if https is used or not, you have to rely on the conditions:
<rule name="Redirect mysite.com to HTTPS" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTPS}" pattern="^OFF$" />
    <add input="{HTTP_HOST}" pattern="mysite\.com$" />
  </conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:0}" />
</rule>
This rule will check that both conditions are true (that is what logicalGrouping="MatchAll" is here for) on any path (.*):
The request was not using HTTPS
The domain requested ends with mysite.com
For reference: http://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-configuration-reference#Accessing_URL_Parts_from_a_Rewrite_Rule
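To show why the asker's regex fails on /Account/Logon while the condition-based rule works, here is an added Python model of how URL Rewrite evaluates an inbound rule (written for this page, not the module's own code); the evaluate() helper, its request dictionaries and its simplified handling of server variables are assumptions.

```python
import re

# Assumption: a simplified model of how IIS URL Rewrite evaluates an inbound
# rule, written for this page, not the module's own code. <match url> sees only
# the request path (no scheme, host or query); conditions see server variables
# such as {HTTPS} and {HTTP_HOST}; logicalGrouping is MatchAll or MatchAny;
# negate inverts a condition; {R:n}, {HTTP_HOST} and {REQUEST_URI} are substituted.

def evaluate(rule, req):
    """Return the redirect target the rule would produce for req, or None."""
    path = req["path"].lstrip("/")  # IIS strips the leading slash before matching
    m = re.search(rule["match"], path, re.IGNORECASE)
    if m is None:
        return None
    query = "?" + req["query"] if req.get("query") else ""
    server_vars = {
        "HTTPS": "ON" if req["https"] else "OFF",
        "HTTP_HOST": req["host"],
        "REQUEST_URI": req["path"] + query,
    }
    results = []
    for cond in rule.get("conditions", []):
        value = server_vars[cond["input"].strip("{}")]
        hit = re.search(cond["pattern"], value, re.IGNORECASE) is not None
        results.append(hit != cond.get("negate", False))
    if rule.get("logicalGrouping", "MatchAll") == "MatchAll":
        if not all(results):
            return None
    elif results and not any(results):
        return None
    url = rule["url"].replace("{R:0}", m.group(0))
    for i, group in enumerate(m.groups(), start=1):
        url = url.replace("{R:%d}" % i, group or "")
    for name, value in server_vars.items():
        url = url.replace("{" + name + "}", value)
    return url

# The asker's rule: it tries to match scheme and host inside <match url>, but
# only the path ("Account/Logon") is ever tested against that pattern.
REGEX_RULE = {
    "match": r"^(?:http(?:s)?:\/\/)?(?:[^\\.]+\.)?mysite\.com(\/.*)?$",
    "conditions": [{"input": "{HTTPS}", "pattern": "off"}],
    "url": "https://{HTTP_HOST}/{R:1}",
}
# The answer's rule: match any path, check scheme and host in the conditions.
CONDITION_RULE = {
    "match": ".*",
    "conditions": [{"input": "{HTTPS}", "pattern": "^OFF$"},
                   {"input": "{HTTP_HOST}", "pattern": r"mysite\.com$"}],
    "url": "https://{HTTP_HOST}/{R:0}",
}
```

The same evaluator also reproduces the MatchAny/negate behaviour of the "All in one rule" from the www-redirect answer above.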
Do you need the regex? If you're just redirecting all traffic to HTTPS, something like this should work:
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
  <match url=".*" />
  <conditions>
    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
  </conditions>
  <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
</rule>
I'd be inclined to use redirectType="Permanent" instead of "Found", since an HTTP 301 response is generally better for SEO.
If you're permanently moving your site to HTTPS, you might also want to look at sending the Strict-Transport-Security header. This will ensure that modern browsers never request your site over a non-secure connection.

URL Rewrite on IIS from http to https is not working,

I have a problem. On IIS I have a website with two ports, 80 and 443 (HTTPS). I want to redirect all the HTTP requests from users to HTTPS. I also added a rewrite rule to HTTPS, but when I enter http://localhost/site in the browser it gives me the same page. I need to redirect the user to https://localhost/site.
Maybe this is because of my local configuration?
And I disabled Require SSL in IIS.
The rule is:
<rewrite>
  <rules>
    <rule name="HTTPS Redirect">
      <match url="(.*)" ignoreCase="false" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="false" />
      </conditions>
      <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}{REQUEST_URI}" />
    </rule>
  </rules>
</rewrite>
Thank you.
Below is the exact rule we use on a production IIS 7 site to redirect all requests from HTTP to HTTPS:
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
There are some minor differences between what you have posted and what we use. Also, since you are running on localhost, you wouldn't be using the built-in web server with Visual Studio, would you? I don't think it will process IIS rewrite rules.
I realize this may not be your issue; however, I had a similar debacle that was caused by a different problem.
I had enabled Require SSL and that caused the site to continually return a 403. So to use this method it appears you must disable SSL Settings -> Require SSL.
Hope this helps someone.
Also, if you have more than one rule, order could matter. Be sure to add the redirect rule before other rules or the redirect may not fire.
Here is an example using an SPA that required this rule order.
<rules>
  <!-- Adding this as the last rule will cause it to not redirect -->
  <rule name="HTTP/S to HTTPS Redirect" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAny">
      <add input="{SERVER_PORT_SECURE}" pattern="^0$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
  </rule>
  <rule name="static dist files" stopProcessing="true">
    <match url="^(.+)" />
    <conditions>
      <add input="{APPL_PHYSICAL_PATH}app\{R:1}" matchType="IsFile" />
    </conditions>
    <action type="Rewrite" url="/app/{R:1}" />
  </rule>
  <rule name="index.html as document root" stopProcessing="true">
    <match url="^$" />
    <action type="Rewrite" url="/app/" />
  </rule>
  <rule name="SPA Routes" stopProcessing="true">
    <match url=".*|.*/.*$" />
    <conditions logicalGrouping="MatchAll">
      <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
      <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
      <add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
    </conditions>
    <action type="Rewrite" url="/app/" />
  </rule>
</rules>
It works for me in IIS 8.5.
Three points:
Use the single word OFF rather than ^OFF$.
Use url="https://{HTTP_HOST}/{REQUEST_URI}".
Use redirectType=Permanent rather than Found; both work, but Permanent is preferable in this case.
The web.config code:
<rewrite>
  <rules>
    <rule name="Redirect to HTTPS" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="OFF" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{REQUEST_URI}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>
You can add this to your pages to force redirection:
if (!Request.IsSecureConnection)
{
    Uri uri = new Uri(Request.Url, Request.RawUrl);
    Response.Redirect(string.Format("https://{0}{1}{2}", uri.Host.StartsWith("www.x.com") ? uri.Host : "www.x.com", uri.AbsolutePath, uri.Query));
}
I just saw your MVC tag.
Add this attribute to your actions or controllers:
[RequireHttps]
