/// <summary>
///     Rewrites the current response into a 301 redirect. The reason phrase and the
///     Location value both come from delegates on <paramref name="options"/>.
/// </summary>
/// <param name="context">The OWIN context whose response is modified.</param>
/// <param name="options">Supplies <c>RedirectReasonPhrase</c> and <c>RedirectUriBuilder</c>.</param>
private static void SetResponseForRedirect(IOwinContext context, StrictTransportSecurityOptions options)
 {
     const int movedPermanently = 301;

     var outgoing = context.Response;
     outgoing.StatusCode = movedPermanently;
     outgoing.ReasonPhrase = options.RedirectReasonPhrase(movedPermanently);

     // NOTE(review): the redirect target is derived from the incoming request URI, which
     // presumably reflects the client-supplied Host header. Confirm that RedirectUriBuilder
     // (or an upstream component) pins or validates the host before it lands in Location.
     outgoing.Headers[HeaderConstants.Location] = options.RedirectUriBuilder(context.Request.Uri);
 }
 /// <summary>
 ///     Concatenates the three directive fragments produced by <c>MaxAge</c>,
 ///     <c>IncludeSubDomains</c> and <c>Preload</c> into one header value.
 /// </summary>
 /// <param name="options">The options whose MaxAge, IncludeSubDomains and Preload settings are rendered.</param>
 /// <returns>The fragments joined in that order, with nothing inserted between them.</returns>
 private static string ConstructHeaderValue(StrictTransportSecurityOptions options)
 {
     // The format string adds no separators, so any "; " between directives has to come
     // from the helpers themselves (not shown here).
     // NOTE(review): includeSubDomains and preload widen the scope of the policy; confirm
     // both are opt-in in the options type.
     return "{0}{1}{2}".FormatWith(
         MaxAge(options.MaxAge),
         IncludeSubDomains(options.IncludeSubDomains),
         Preload(options.Preload));
 }
        /// <summary>
        ///     Renders the header value by formatting the max-age, sub-domain and preload
        ///     fragments one after another.
        /// </summary>
        /// <param name="options">Source of the MaxAge, IncludeSubDomains and Preload settings.</param>
        /// <returns>The three fragments joined by the "{0}{1}{2}" template.</returns>
        private static string ConstructHeaderValue(StrictTransportSecurityOptions options)
        {
            // Each helper turns one option into its directive text; what a helper returns
            // for a disabled option is not visible from this block.
            var maxAgePart = MaxAge(options.MaxAge);
            var subDomainPart = IncludeSubDomains(options.IncludeSubDomains);
            var preloadPart = Preload(options.Preload);

            const string template = "{0}{1}{2}";
            return template.FormatWith(maxAgePart, subDomainPart, preloadPart);
        }
        /// <summary>
        ///     Answers the request with a permanent (301) redirect built from the options.
        /// </summary>
        /// <param name="context">The OWIN context; only its response is written to.</param>
        /// <param name="options">Provides the reason-phrase and redirect-URI delegates.</param>
        private static void SetResponseForRedirect(IOwinContext context, StrictTransportSecurityOptions options)
        {
            const int statusCode = 301;
            var redirect = context.Response;

            redirect.StatusCode = statusCode;
            redirect.ReasonPhrase = options.RedirectReasonPhrase(statusCode);

            // The Location header is whatever RedirectUriBuilder returns for the request URI.
            // NOTE(review): that URI is request-controlled input (host, path, query); verify
            // the builder only swaps the scheme/port and does not trust an arbitrary host.
            redirect.Headers[HeaderConstants.Location] = options.RedirectUriBuilder(context.Request.Uri);
        }
        /// <summary>
        ///     Builds the OWIN middleware function. A request that must be redirected is answered
        ///     directly; a secure request gets <c>ApplyHeader</c> registered through
        ///     <c>OnSendingHeaders</c> before the next component runs.
        /// </summary>
        /// <param name="options">The Strict-Transport-Security options captured by the middleware.</param>
        /// <returns>A function that wraps the next application delegate.</returns>
        public static Func<Func<IDictionary<string, object>, Task>, Func<IDictionary<string, object>, Task>> StrictTransportSecurityHeader(StrictTransportSecurityOptions options)
        {
            return next => env =>
            {
                var owinContext = env.AsContext();
                var owinRequest = owinContext.Request;

                // Short-circuit: the redirect response is complete, so the rest of the
                // pipeline is not invoked.
                if (RedirectToSecureTransport(options, owinRequest))
                {
                    SetResponseForRedirect(owinContext, options);
                    return Task.FromResult(0);
                }

                // Only over secure transport (http://tools.ietf.org/html/rfc6797#section-7.2)
                // Quotation: "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
                // NOTE(review): IsSecure is what this pipeline sees. If TLS is terminated by a
                // proxy in front of the application, confirm the original scheme is restored
                // before this middleware; otherwise the header is never registered and, with
                // redirects enabled, every request would be redirected.
                if (!owinRequest.IsSecure)
                {
                    return next(env);
                }

                var owinResponse = owinContext.Response;
                owinResponse.OnSendingHeaders(ApplyHeader, new State<StrictTransportSecurityOptions>
                {
                    Settings = options,
                    Response = owinResponse
                });
                return next(env);
            };
        }
 /// <summary>
 ///     Adds the "Strict-Transport-Security" (STS) header to the response.
 /// </summary>
 /// <param name="builder">The OWIN builder instance.</param>
 /// <param name="options">The Strict-Transport-Security options.</param>
 /// <returns>The OWIN builder instance.</returns>
 public static BuildFunc StrictTransportSecurity(this BuildFunc builder, StrictTransportSecurityOptions options = null)
 {
     // A missing options argument falls back to a default-constructed options object.
     // NOTE(review): the default values (max-age, includeSubDomains, preload, redirect) are
     // defined on StrictTransportSecurityOptions and are not visible here; check them
     // before relying on the parameterless call.
     var effectiveOptions = options ?? new StrictTransportSecurityOptions();

     // Register the middleware factory with the builder; the ignored argument is whatever
     // the builder passes to its factories.
     builder(_ => StrictTransportSecurityHeaderMiddleware.StrictTransportSecurityHeader(effectiveOptions));

     // Hand the builder back so registrations can be chained.
     return builder;
 }
 /// <summary>
 ///     Adds the "Strict-Transport-Security" (STS) header to the response.
 /// </summary>
 /// <param name="builder">The OWIN builder instance.</param>
 /// <param name="options">The Strict-Transport-Security options.</param>
 /// <returns>The OWIN builder instance.</returns>
 public static BuildFunc StrictTransportSecurity(this BuildFunc builder, StrictTransportSecurityOptions options = null)
 {
     // Callers may omit the options; a default-constructed instance is used in that case.
     // NOTE(review): what those defaults enable is decided by StrictTransportSecurityOptions
     // (not shown in this block) - confirm they match the intended policy.
     if (options == null)
     {
         options = new StrictTransportSecurityOptions();
     }

     // Adds the STS middleware factory to the pipeline under construction.
     builder(_ => StrictTransportSecurityHeaderMiddleware.StrictTransportSecurityHeader(options));

     return builder;
 }
        /// <summary>
        ///     Produces the middleware delegate for the Strict-Transport-Security header.
        ///     Per request it either issues the redirect, or (on secure requests) registers
        ///     <c>ApplyHeader</c> via <c>OnSendingHeaders</c> and then continues the pipeline.
        /// </summary>
        /// <param name="options">The options shared by every request handled by the middleware.</param>
        /// <returns>A function taking the next application delegate and returning the wrapped one.</returns>
        public static Func<Func<IDictionary<string, object>, Task>, Func<IDictionary<string, object>, Task>> StrictTransportSecurityHeader(StrictTransportSecurityOptions options)
        {
            return next =>
            {
                Func<IDictionary<string, object>, Task> handler = env =>
                {
                    var ctx = env.AsContext();
                    var incoming = ctx.Request;

                    // When a redirect is issued, the downstream pipeline is skipped.
                    var mustRedirect = RedirectToSecureTransport(options, incoming);
                    if (mustRedirect)
                    {
                        SetResponseForRedirect(ctx, options);
                        return Task.FromResult(0);
                    }

                    // Only over secure transport (http://tools.ietf.org/html/rfc6797#section-7.2)
                    // Quotation: "An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
                    // NOTE(review): behind a TLS-terminating proxy IsSecure may report the
                    // proxy-to-app hop rather than the client connection; confirm the
                    // deployment restores the client-facing scheme before this point.
                    if (incoming.IsSecure)
                    {
                        var outgoing = ctx.Response;
                        var callbackState = new State<StrictTransportSecurityOptions>
                        {
                            Settings = options,
                            Response = outgoing
                        };
                        outgoing.OnSendingHeaders(ApplyHeader, callbackState);
                    }

                    return next(env);
                };

                return handler;
            };
        }
 /// <summary>
 ///     Decides whether the request should be redirected: redirects must be enabled in the
 ///     options and the request must not be secure.
 /// </summary>
 /// <param name="options">Options carrying the <c>RedirectToSecureTransport</c> switch.</param>
 /// <param name="request">The incoming OWIN request.</param>
 /// <returns><c>true</c> when a redirect should be issued.</returns>
 private static bool RedirectToSecureTransport(StrictTransportSecurityOptions options, IOwinRequest request)
 {
     // With redirects switched off, the request is never inspected.
     if (!options.RedirectToSecureTransport)
     {
         return false;
     }

     // NOTE(review): IsSecure reflects the transport seen by this pipeline; confirm it is
     // accurate when TLS is terminated upstream, or secure clients would be redirected again.
     return !request.IsSecure;
 }
 /// <summary>
 ///     Returns <c>true</c> only for a non-secure request while the redirect option is on.
 /// </summary>
 /// <param name="options">Options holding the redirect switch.</param>
 /// <param name="request">The request whose <c>IsSecure</c> flag is consulted.</param>
 /// <returns>Whether the caller should answer with a redirect.</returns>
 private static bool RedirectToSecureTransport(StrictTransportSecurityOptions options, IOwinRequest request)
 {
     var redirectEnabled = options.RedirectToSecureTransport;

     // IsSecure is read only when the option is enabled, as in a short-circuit "and".
     return redirectEnabled ? !request.IsSecure : false;
 }