From 6045abe21b5e449bc4bf1f6a8a9e902c75542e0c Mon Sep 17 00:00:00 2001 From: Rick Anderson Date: Fri, 3 Aug 2018 17:08:05 -0600 Subject: [PATCH] Update enforcing-ssl.md (#7945) --- aspnetcore/security/enforcing-ssl.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index 6085385ff7..265935e80c 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md 
@@ -108,7 +108,10 @@ Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) i ## HTTP Strict Transport Security Protocol (HSTS) -Per [OWASP](https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project), [HTTP Strict Transport Security (HSTS)](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) is an opt-in security enhancement that's specified by a web app through the use of a special response header. When a browser that supports HSTS receives this header, it stores configuration for the domain that prevents sending any communication over HTTP and instead forces all communication over HTTPS. It also prevents the user from using untrusted or invalid certificates, disabling the browser prompts that allow a user to temporarily trust such a certificate. +Per [OWASP](https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project), [HTTP Strict Transport Security (HSTS)](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet) is an opt-in security enhancement that's specified by a web app through the use of a response header. When a browser that supports HSTS receives this header: + +* The browser stores configuration for the domain that prevents sending any communication over HTTP. The browser forces all communication over HTTPS. +* The browser prevents the user from using untrusted or invalid certificates. The browser disables prompts that allow a user to temporarily trust such a certificate. ASP.NET Core 2.1 or later implements HSTS with the `UseHsts` extension method. The following code calls `UseHsts` when the app isn't in [development mode](xref:fundamentals/environments):
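Review bot: the first new bullet ("The browser stores configuration for the domain that prevents sending any communication over HTTP.") omits a condition that the original single paragraph also lacked and that readers of this page tend to trip over: a browser only records the HSTS policy when the header arrives over a valid HTTPS connection, so a `Strict-Transport-Security` header sent on a plain HTTP response is ignored. Since the surrounding text goes on to show `UseHsts` being called only outside development mode, a short sentence after the list (or a third bullet) saying the header must be delivered over HTTPS to take effect would make the list complete. Minor style: the two bullets each split one idea into two sentences ("... over HTTP. The browser forces all communication over HTTPS."); joining them with "and" reads more naturally and matches the prose paragraph that follows.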