AspNetCore.Docs

[HTTPS][Docs] Confusing Advises in docs, please make it more clear to understand

Open DevTKSS opened this issue 5 months ago • 4 comments

Description

The documentation article is constantly switching between the advised ways to do this (app.UseHsts() or app.UseHttpsRedirection()).

  1. Info gotten: HSTS is only browser advice: [image]. Okay, so from this statement I would understand that we shall not use it, especially if we may include mobile targets at the end of our solution 🤔

  2. BUT using app.UseHttpsRedirection() will likely cause CORS exceptions! [image]

  3. Looking at a newly created Blazor Web App + Server and Individual Accounts Identity (assuming those MS-provided templates follow current standards), we get http in our http ports:

```json
{
  "$schema": "https://json.schemastore.org/launchsettings.json",
  "profiles": {
    "http": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": true,
      "inspectUri": "{wsProtocol}://{url.hostname}:{url.port}/_framework/debug/ws-proxy?browser={browserInspectUri}",
      "applicationUrl": "http://localhost:5233",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "https": {
      "commandName": "Project",
      "dotnetRunMessages": true,
      "launchBrowser": true,
      "inspectUri": "{wsProtocol}://{url.hostname}:{url.port}/_framework/debug/ws-proxy?browser={browserInspectUri}",
      "applicationUrl": "https://localhost:7226;http://localhost:5233",
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    }
  }
}
```

AND we get BOTH mentioned functions listed, while we are unconditionally to HSTS using app.UseHttpsRedirection() [image]

Alright, so assuming we should avoid using app.UseHttpsRedirection() even more, as it would likely throw errors!

  4. Well... now reading that very next section, NOW we are indeed advised to even use BOTH of them?? You are driving me as a reader insane 😵‍💫

Additionally, as this also includes the mention of a ReverseProxyConfiguration, could someone make that word a link to a guide on how or with what we can do that?

  5. And now here, in the last parts of this page, we are told again that we shall not use HSTS in development: [image]

So... sorry if it's clear for you as experts, but for me the summary of this article is:

Our list of choices is:

  • UseHttpsRedirection()
  • UseHsts()

Your advice:

  • Do not define any http ports in your launchSettings
  • Do not use app.UseHttpsRedirection() as it will likely throw CORS exceptions at you
    • BUT we tell you about it and provide it to you in our docs + Blazor template
    • Our template also does not define any CORS for this in exchange
  • Do not use app.UseHsts() in development

What should this also include

I would like to set this up correctly so I would not get the known CORS / antiforgery header issues for an app using WebAssembly dotnet/runtime features + HTTPS, and was advised to use this article page 😅🤷

Page URL

https://learn.microsoft.com/de-de/aspnet/core/security/enforcing-ssl?view=aspnetcore-9.0&tabs=visual-studio%2Clinux-sles

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/enforcing-ssl.md

Document ID

12ca0b9a-2638-a4ce-c45f-d4579c83dafb

Platform Id

e161f75c-cfd4-c97f-1775-dd3922db0100

Article author

@tdykstra

Metadata

  • ID: c7ddfb2f-5dea-5e31-2a27-02a4dc16104c
  • PlatformId: e161f75c-cfd4-c97f-1775-dd3922db0100
  • Service: aspnet-core
  • Sub-service: security

Related Issues


Associated WorkItem - 498816

DevTKSS · Jul 24 '25 10:07
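The issue above is really about the order and conditions of three middleware calls. The following Program.cs is an added example written for this thread; it is not code from the linked docs article, from the Blazor template, or from any participant. It puts the article's advice in one place: HSTS only outside Development (browsers cache the Strict-Transport-Security header, so a developer who once receives it on localhost is forced onto HTTPS until it expires), HTTPS redirection unconditionally as the template does, and forwarded-headers processing when TLS is terminated at a reverse proxy so the app sees the original scheme. The `BEHIND_REVERSE_PROXY` configuration key, the proxy address 10.0.0.10 and the `/` endpoint are assumptions for the illustration; port 7226 is taken from the launchSettings.json quoted in the issue.

```csharp
// Added example for this issue thread, not the template's or the docs' own Program.cs.
// Assumptions: configuration key BEHIND_REVERSE_PROXY, proxy IP 10.0.0.10, HTTPS port 7226.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Assumed switch for this example; not a framework setting.
var behindProxy = builder.Configuration["BEHIND_REVERSE_PROXY"] == "true";

builder.Services.AddHttpsRedirection(options =>
{
    // 307 keeps method and body; switch to 308 once the HTTPS setup is stable.
    options.RedirectStatusCode = (int)HttpStatusCode.TemporaryRedirect;
    // Set explicitly when the HTTPS port cannot be discovered (e.g. behind a proxy).
    options.HttpsPort = 7226;
});

builder.Services.AddHsts(options =>
{
    // Default is 30 days; raise it once you are sure every host stays on HTTPS.
    options.MaxAge = TimeSpan.FromDays(60);
    options.IncludeSubDomains = true;
    // Preload only after every subdomain serves HTTPS; preload lists are hard to leave.
    options.Preload = false;
    // localhost, 127.0.0.1 and [::1] are excluded by default; add other hosts here.
    // options.ExcludedHosts.Add("dev.example.internal");
});

if (behindProxy)
{
    builder.Services.Configure<ForwardedHeadersOptions>(options =>
    {
        options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        // Replace the loopback-only defaults with exactly the proxy you trust,
        // otherwise any client could spoof X-Forwarded-Proto: https and skip the redirect.
        options.KnownProxies.Clear();
        options.KnownNetworks.Clear();
        options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // assumed proxy address
    });
}

var app = builder.Build();

if (behindProxy)
{
    // Must run before anything that reads Request.Scheme (HTTPS redirection, HSTS).
    app.UseForwardedHeaders();
}

if (!app.Environment.IsDevelopment())
{
    // Adds Strict-Transport-Security only to responses that already arrived over HTTPS.
    app.UseHsts();
}

// Plain HTTP requests get a redirect to https://<host>:7226/<path>.
app.UseHttpsRedirection();

// Assumed endpoint so the effect is visible: curl -i http://localhost:5233/ shows the 307,
// curl -i https://localhost:7226/ shows the scheme and (outside Development) the HSTS header.
app.MapGet("/", (HttpContext ctx) => Results.Ok(new
{
    scheme = ctx.Request.Scheme,
    hsts = ctx.Response.Headers.StrictTransportSecurity.ToString()
}));

app.Run();
```

Two caveats a practitioner should keep in mind with this setup. The CORS failures mentioned in the issue come from the browser, not the middleware: a cross-origin preflight (OPTIONS) request is not allowed to follow a redirect, so a client that calls the http:// URL of an API will fail the preflight; point browser clients (including Blazor WebAssembly) at the https:// origin directly and treat UseHttpsRedirection() as a safety net for stray requests, not as the primary way clients reach HTTPS. And HSTS is enforced only by browsers; a native mobile HttpClient ignores the header and may also not follow the redirect, so such clients must be configured with the HTTPS base address themselves.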

@guardrex For exactly those docs you linked me to for looking up HSTS, I created an issue some while ago with as many details as I had, so the team can hopefully clear this up and improve the confusing parts. It's of course great to look this up, but if you try to learn something new and the docs are telling you: do - don't do - do - don't do, for exactly the thing you're trying to implement correctly, well then it's hard to learn 😅

DevTKSS · Sep 11 '25 19:09

@DevTKSS ... This article isn't my responsibility. Tom manages this one, so he would need to respond on this issue. We're more compartmentalized than people think. In addition to only working specifically on the ASP.NET Core doc set, we've further subdivided the articles here among three regular doc authors and a few product unit members. I mostly maintain the Blazor articles, not the main doc set articles. The reason that I'm working on about a dozen of the main doc set articles, such as that static files PR, is that we're rolling more Blazor into the main doc set, and we all feel that it will go a little faster and smoother if I work the issues because I'm the most familiar with Blazor. Anyway ... Tom will need to respond to you on this issue.

guardrex · Sep 11 '25 19:09

@cmastr Not sure if the Copilot testing I've seen on the other issues you commented on is only for that other team, but since on this issue the AI would have quite a lot of details and links about what's problematic, maybe this could indeed be a great opportunity to give it a try? 😁 Maybe it's better on GitHub than in my IDE, where it only messes up everything and left me with unusable code 🤣

DevTKSS · Sep 13 '25 09:09

It's probably 60/40 whether it will work, but we can always close the PR if it doesn't. 😊 We'll need to review the details closely.

cmastr · Sep 13 '25 12:09