csharp.lang.security.missing-hsts-header.missing-hsts-header
The HSTS HTTP response security header is missing, so browsers are not told to use HTTPS and communication may be sent over the insecure HTTP protocol.
Definition
rules:
  - id: missing-hsts-header
    # Two independent checks, one per half of the classic Startup class:
    # the middleware pipeline (Configure / UseHsts) and the service
    # registration (ConfigureServices / AddHsts). Both only match the
    # `public void Configure(...)` / `public void ConfigureServices(...)`
    # method shapes written below; applications wired up differently are
    # not examined by this rule.
    pattern-either:
      - patterns:
          # Any call made on the IApplicationBuilder parameter inside
          # Configure(...) is a candidate finding ...
          - pattern-inside: |
              public void Configure(...) {
                ...
                (IApplicationBuilder $APP). ...;
                ...
              }
          # ... reported at each use of $APP (so one finding per call) ...
          - focus-metavariable: $APP
          # ... unless UseHsts(...) is called on that builder anywhere in
          # the same Configure method, including inside a branch.
          - pattern-not-inside: |
              public void Configure(...) {
                ...
                (IApplicationBuilder $APP).UseHsts(...);
                ...
              }
      - patterns:
          # Same structure for the service side: every call on the
          # IServiceCollection parameter is flagged ...
          - pattern-inside: |
              public void ConfigureServices(...) {
                ...
                (IServiceCollection $SERVICES). ...;
                ...
              }
          - focus-metavariable: $SERVICES
          # ... unless AddHsts(...) appears somewhere in ConfigureServices.
          - pattern-not-inside: |
              public void ConfigureServices(...) {
                ...
                (IServiceCollection $SERVICES).AddHsts(...);
                ...
              }
    message: The HSTS HTTP response security header is missing, allowing interaction
      and communication to be sent over the insecure HTTP protocol.
    metadata:
      category: security
      technology:
        - dotnet
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      # NOTE(review): the OWASP link below points at A02 (Cryptographic
      # Failures) while the owasp entry above names A07 — confirm which
      # category is intended.
      references:
        - https://cwe.mitre.org/data/definitions/346.html
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - csharp
    severity: WARNING
Examples
missing-hsts-header.cs
// Negative fixture: UseHsts() is never called on `app` in this method, so the
// rule reports every call made on the IApplicationBuilder (one finding per
// call site, hence a ruleid annotation before each statement).
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        // ruleid: missing-hsts-header
        app.UseDeveloperExceptionPage();
    }
    else
    {
        // ruleid: missing-hsts-header
        app.UseExceptionHandler("/Error");
    }
    // UseHttpsRedirection() alone redirects plain-HTTP requests; without
    // UseHsts() the browser is never instructed to stop trying HTTP first.
    // ruleid: missing-hsts-header
    app.UseHttpsRedirection();
    // ruleid: missing-hsts-header
    app.UseStaticFiles();
    // ruleid: missing-hsts-header
    app.UseRouting();
    // ruleid: missing-hsts-header
    app.UseAuthentication();
    // ruleid: missing-hsts-header
    app.UseAuthorization();
    // ruleid: missing-hsts-header
    app.UseSession();
    // ruleid: missing-hsts-header
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}
// Positive fixture: UseHsts() is registered in the non-development branch.
// The rule's pattern-not-inside accepts a UseHsts(...) call anywhere inside
// Configure, so placing it in a branch is enough to silence every finding on
// `app` in this method.
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // HSTS is only enabled outside development here; note that the rule
        // does not check which branch the call sits in, only that it exists.
        // ok: missing-hsts-header
        app.UseHsts();
    }
    app.UseHttpsRedirection();
    app.UseStaticFiles();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseSession();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });
}
// Negative fixture for the service-registration half of the rule: no
// AddHsts(...) call on `services`, so the one call that is present is reported.
public void ConfigureServices(IServiceCollection services)
{
    // ruleid: missing-hsts-header
    services.AddControllers();
}
// Positive fixture: AddHsts(...) appears in ConfigureServices, which satisfies
// the rule's pattern-not-inside and suppresses findings on `services`.
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    // ok: missing-hsts-header
    services.AddHsts(options =>
    {
        // Preload / IncludeSubDomains / MaxAge correspond to the preload,
        // includeSubDomains and max-age directives of the emitted header.
        // NOTE(review): Preload = true commits every subdomain to HTTPS for
        // the lifetime of a preload-list entry — confirm that is intended.
        options.Preload = true;
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(365);
    });
}