
BUG: HSTS stopped working.

Open cr3wdayt5p opened this issue 1 year ago • 3 comments

We enabled HSTS around 2024-08-29 but now (2024-10-10) it is no longer working. The header is no longer sent. This applies to both the *.azurewebsites.net domain and our custom domain.

We have made no other configuration changes in this period.

host.json:

{
    "version": "2.0",
    ...
    "extensions": {
        ...
        "http": {
            "hsts": {
                "isEnabled": true,
                "maxAge": "730",
                "includeSubDomains": true,
                "preload": true
            }
        }
    }
}

Runtime Stack: DOTNET-ISOLATED|8.0
Runtime Version: 4.1036.2.2
OS: Linux
Plan: Premium V3 (App Service Plan)
Region: North Europe

Docs for the HSTS setting can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#hostjson-settings

cr3wdayt5p avatar Oct 10 '24 08:10 cr3wdayt5p

Hi @cr3wdayt5p, thanks for reporting. There may be this reason: if you're using a custom domain, double-check that your SSL certificate bindings are still in place and valid. HSTS requires a valid SSL certificate. If the certificate expired or was removed, the HSTS header won't be sent.

bhagyshricompany avatar Oct 22 '24 11:10 bhagyshricompany

Hi @bhagyshricompany

Image

The certificate is assigned by Azure and is still valid (expiration 2025-01-23). The custom domain binding has also not been touched and is valid (see image).

cr3wdayt5p avatar Oct 22 '24 12:10 cr3wdayt5p

My guess is that your bug is related to either the App Service Environment plan or to the Linux host.

We have another Azure Function running on the Dynamic plan on a Windows host in the same region (North Europe) with identical HSTS configuration – and this works. That host is also running a slightly newer runtime (4.1036.3.23284).

cr3wdayt5p avatar Oct 22 '24 12:10 cr3wdayt5p

Will check and update.

bhagyshricompany avatar Nov 04 '24 16:11 bhagyshricompany

Please refer to this doc: https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-8.0&source=recommendations&tabs=visual-studio%2Clinux-ubuntu%2Clinux-sles

Why? What would I be looking for there? You are linking to some ASP.NET thing – which does not appear to be related to Azure Functions at all.

The documentation for HSTS setup for Azure Functions is here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp

It is quite simple – and it used to work – but now it has stopped working due to some apparent bug on the Azure side.

cr3wdayt5p avatar Nov 05 '24 21:11 cr3wdayt5p

Please provide your code for the Azure Function and the SDK version you have used. Thanks

bhagyshricompany avatar Nov 12 '24 12:11 bhagyshricompany

Our code contains nothing fancy regarding the setup. When our stuff is filtered out it is basically the default template.

host.json: See above.

OurProjectName.fsproj:

<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <AzureFunctionsVersion>v4</AzureFunctionsVersion>
        <OutputType>Exe</OutputType>
    </PropertyGroup>
    <ItemGroup>
        <None Include="host.json">
            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
        </None>
    </ItemGroup>
    <ItemGroup>
        <!-- ... -->
        <Compile Include="Functions.fs" />
        <Compile Include="Program.fs" />
    </ItemGroup>
    <ItemGroup>
        <PackageReference Update="FSharp.Core" Version="8.0.403" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.23.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
        <!-- ... -->
    </ItemGroup>
</Project>

Program.fs:

module OurProjectName.Program

open Microsoft.Extensions.Hosting

[<EntryPoint>]
let main _ =
    // Build the isolated worker host with the default configuration and block until it shuts down.
    HostBuilder().ConfigureFunctionsWorkerDefaults().Build().Run ()
    0

Functions.fs:

namespace OurProjectName

open System
open System.Threading.Tasks
open Microsoft.Azure.Functions.Worker
open Microsoft.Azure.Functions.Worker.Http
open Microsoft.Extensions.Logging

// ...


type Functions (logger : ILogger<unit>) =
    [<Function("Ping")>]
    member _.Ping ([<HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "ping")>] req : HttpRequestData, funcCtx : FunctionContext) =
        async {
            let resp = req.CreateResponse System.Net.HttpStatusCode.OK
            do resp.WriteString "pong"
            return resp
        }
        |> Async.StartAsTask

    // ...

Everything works as expected except for HSTS.

cr3wdayt5p avatar Nov 18 '24 08:11 cr3wdayt5p

Hi @cr3wdayt5p, thanks for your input. Will check and update you. Thanks

bhagyshricompany avatar Nov 19 '24 10:11 bhagyshricompany

HSTS headers will only work if the client accesses the app over HTTPS. If a client attempts to use HTTP and redirection is not enforced, the HSTS headers will not be received. Please check the same. Thanks

bhagyshricompany avatar Nov 26 '24 11:11 bhagyshricompany

I only test over HTTPS.

And our app has this setting: Image

cr3wdayt5p avatar Nov 26 '24 11:11 cr3wdayt5p

It looks like your team has fixed the bug 🎉

The HSTS header is back :)

It took a while – but thank you.

We did not change anything.

Image

cr3wdayt5p avatar Nov 26 '24 11:11 cr3wdayt5p

Thanks for update.

bhagyshricompany avatar Nov 26 '24 11:11 bhagyshricompany