csharp.lang.security.missing-hsts-header.missing-hsts-header

Author
unknown

The HSTS (Strict-Transport-Security) response header is never configured, so browsers are not told to reach this application over HTTPS only; interaction and communication may therefore be sent over the insecure HTTP protocol.


Definition

# Semgrep rule: missing-hsts-header (C# / ASP.NET Core).
# Reports Startup-style pipelines that never enable HTTP Strict Transport Security.
# Scope: only the classic `public void Configure(...)` and
# `public void ConfigureServices(...)` methods are matched; an application that
# wires its pipeline elsewhere (for example in top-level statements, with no such
# method) is neither checked nor reported by this rule.
rules:
  - id: missing-hsts-header
    pattern-either:
      # Branch 1 - the middleware pipeline. Every statement in Configure(...) that
      # calls a method on the IApplicationBuilder is a candidate finding.
      - patterns:
          - pattern-inside: |
              public void Configure(...) {
                  ...
                  (IApplicationBuilder $APP). ...;
                  ...
              }
          # The finding is placed on the builder variable itself. Because $APP binds
          # once per `(IApplicationBuilder $APP). ...;` statement, a method with no
          # UseHsts() gets one finding per middleware call, not one per method
          # (see the `ruleid` markers in the example fixture).
          - focus-metavariable: $APP
          # `...` on both sides of the call: a UseHsts(...) anywhere in the same
          # method - including inside an if/else branch - suppresses every finding
          # in it. The rule does not check that the call is reached on every path.
          - pattern-not-inside: |
              public void Configure(...) {
                  ...
                  (IApplicationBuilder $APP).UseHsts(...);
                  ...
              }
      # Branch 2 - service registration. Same shape for ConfigureServices(...) and
      # AddHsts(...). It is evaluated independently of branch 1, so a
      # ConfigureServices() without AddHsts() is reported even when Configure()
      # does call UseHsts(). NOTE(review): as far as I know UseHsts() falls back to
      # the built-in HstsOptions defaults when AddHsts() was never called, so this
      # branch flags a configuration style rather than a missing header - confirm
      # that is the intent. Option values passed to AddHsts(...) are not inspected.
      - patterns:
          - pattern-inside: |
              public void ConfigureServices(...) {
                  ...
                  (IServiceCollection $SERVICES). ...;
                  ...
              }
          - focus-metavariable: $SERVICES
          - pattern-not-inside: |
              public void ConfigureServices(...) {
                  ...
                  (IServiceCollection $SERVICES).AddHsts(...);
                  ...
              }
    # Text shown with every finding.
    message: The HSTS HTTP response security header is missing, allowing interaction
      and communication to be sent over the insecure HTTP protocol.
    metadata:
      category: security
      technology:
        - dotnet
      # NOTE(review): the OWASP bucket here (A07 Identification and Authentication
      # Failures) disagrees with the OWASP reference listed below (A02 Cryptographic
      # Failures). Missing transport hardening is conventionally an A02/A05 concern,
      # and CWE-319 (Cleartext Transmission of Sensitive Information) would be a more
      # common classification than CWE-346 - worth reconciling in one direction.
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      references:
        - https://cwe.mitre.org/data/definitions/346.html
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
      # audit + LOW/LOW/LOW: this is a configuration hint, not a proven exposure.
      # The header may legitimately be emitted by a TLS-terminating reverse proxy or
      # CDN in front of the application, which a source-level rule cannot see.
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - csharp
    severity: WARNING

Examples

missing-hsts-header.cs

/// <summary>
/// Semgrep test fixture - the vulnerable shape. Neither branch of this
/// <c>Configure</c> calls <c>UseHsts()</c>, so the rule reports every call made
/// on <paramref name="app"/>. Each <c>// ruleid:</c> marker is read by the rule's
/// test harness and must stay on the line directly above the call it annotates.
/// </summary>
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        // Calls inside a conditional branch are matched too: the `...` in the
        // rule pattern spans nested statements.
        // ruleid: missing-hsts-header
        app.UseDeveloperExceptionPage();
    }
    else
    {
        // ruleid: missing-hsts-header
        app.UseExceptionHandler("/Error");
    }
    // Redirecting HTTP to HTTPS is not a substitute for HSTS: without a
    // Strict-Transport-Security header the browser may still open later visits
    // with a plaintext request, which is the window an on-path attacker needs.
    // ruleid: missing-hsts-header
    app.UseHttpsRedirection();
    // ruleid: missing-hsts-header
    app.UseStaticFiles();
    // ruleid: missing-hsts-header
    app.UseRouting();
    // ruleid: missing-hsts-header
    app.UseAuthentication();
    // ruleid: missing-hsts-header
    app.UseAuthorization();
    // ruleid: missing-hsts-header
    app.UseSession();
    // The lambda argument does not matter to the rule; the finding is on `app`.
    // ruleid: missing-hsts-header
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });

}


/// <summary>
/// Semgrep test fixture - the accepted shape. <c>UseHsts()</c> appears in the
/// non-Development branch only, which is enough for the rule: its
/// <c>pattern-not-inside</c> matches a <c>UseHsts</c> anywhere in the method and
/// then suppresses every finding in it, so the other calls carry no marker.
/// </summary>
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // HSTS is limited to non-Development hosting, as in the ASP.NET Core
        // template: a max-age cached by the browser for a local host is hard to
        // undo. NOTE(review): the rule only sees that the call exists; it does
        // not verify which branch runs in production.
        // ok: missing-hsts-header
        app.UseHsts();
    }

    // This fixture keeps the template order: UseHsts() before UseHttpsRedirection().
    app.UseHttpsRedirection();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseSession();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });

}

/// <summary>
/// Semgrep test fixture - the vulnerable shape for service registration. The
/// rule's second branch reports any call on <paramref name="services"/> when the
/// method contains no <c>AddHsts(...)</c>. This branch is independent of
/// <c>Configure</c>, so the finding is raised even if the pipeline elsewhere
/// calls <c>UseHsts()</c> with default options.
/// </summary>
public void ConfigureServices(IServiceCollection services)
{
    // ruleid: missing-hsts-header
    services.AddControllers();

 }

/// <summary>
/// Semgrep test fixture - the accepted shape for service registration. Any
/// <c>AddHsts(...)</c> call satisfies the rule; the option values are not
/// inspected, so a <c>MaxAge</c> of zero would pass just the same.
/// </summary>
public void ConfigureServices(IServiceCollection services)
{

    services.AddControllers();
    // ok: missing-hsts-header
    services.AddHsts(options =>
    {
        // Preload opts the site into the browser-shipped HSTS list. That listing
        // is effectively permanent and - per hstspreload.org at the time of
        // writing - requires IncludeSubDomains and a max-age of at least one year,
        // which these values meet. Only enable it once every subdomain, including
        // internal ones, is reachable over TLS.
        options.Preload = true;
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(365);
    });
}