csharp.lang.security.missing-hsts-header.missing-hsts-header

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

The HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.

Run Locally

Run in CI

Defintion

rules:
  - id: missing-hsts-header
    pattern-either:
      - patterns:
          - pattern-inside: |
              public void Configure(...) {
                  ...
                  (IApplicationBuilder $APP). ...;
                  ...
              }
          - focus-metavariable: $APP
          - pattern-not-inside: |
              public void Configure(...) {
                  ...
                  (IApplicationBuilder $APP).UseHsts(...);
                  ...
              }
      - patterns:
          - pattern-inside: |
              public void ConfigureServices(...) {
                  ...
                  (IServiceCollection $SERVICES). ...;
                  ...
              }
          - focus-metavariable: $SERVICES
          - pattern-not-inside: |
              public void ConfigureServices(...) {
                  ...
                  (IServiceCollection $SERVICES).AddHsts(...);
                  ...
              }
    message: The HSTS HTTP response security header is missing, allowing interaction
      and communication to be sent over the insecure HTTP protocol.
    metadata:
      category: security
      technology:
        - dotnet
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-346: Origin Validation Error"
      references:
        - https://cwe.mitre.org/data/definitions/346.html
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - csharp
    severity: WARNING

Examples

missing-hsts-header.cs

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        // ruleid: missing-hsts-header
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
    }
    app.UseHttpsRedirection();    
    app.UseStaticFiles();
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseSession();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });

}


public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{

    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // ok: missing-hsts-header
        app.UseHsts();
    }

    app.UseHttpsRedirection();        
    app.UseStaticFiles();

    app.UseRouting();

    app.UseAuthentication();
    app.UseAuthorization();

    app.UseSession();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
    });

}

public void ConfigureServices(IServiceCollection services)
{
    // ruleid: missing-hsts-header
    services.AddControllers();

 }

public void ConfigureServices(IServiceCollection services)
{

    services.AddControllers();
    // ok: missing-hsts-header
    services.AddHsts(options =>
    {
        options.Preload = true;
        options.IncludeSubDomains = true;
        options.MaxAge = TimeSpan.FromDays(365);
    });
}