Skip to content

HSTS for Cloud guidance is outdated #8207

Description

@ainokarita

What type of issue is it? (Choose one - delete the others)

Wrong documentation

What article/section is this about?

https://docs.umbraco.com/umbraco-cloud/build-and-customize-your-solution/set-up-your-project/security?ask=how+is+this+done+in+umbraco+cms+v.+17?#http-strict-transport-security-hsts

Describe the issue

The 2nd option mentions Startup.cs, which is no longer used since v13.
The HSTS is to be implemented in Program.cs.
In CMS documentation we suggest:
https://docs.umbraco.com/umbraco-cms/run-in-production/infrastructure-and-ops/health-check/guides/stricttransportsecurityheader
Microsoft documentation has quidance on how to do this slightly differently:
https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-10.0&tabs=visual-studio%2Clinux-ubuntu#http-strict-transport-security-protocol-hsts

To use it only in production:

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

and then add the HSTS options:

builder.Services.AddHsts(options =>
{
    options.Preload = true;
    options.IncludeSubDomains = true;
    options.MaxAge = TimeSpan.FromDays(60);
    options.ExcludedHosts.Add("example.com");
    options.ExcludedHosts.Add("www.example.com");
});

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions