I have 2 web applications: MVC and Blazor WebAssembly.

In the MVC project, I was able to set up the application to enforce Strict-Transport-Security by adding the HSTS middleware in the Startup class, following the instructions in the Microsoft documentation.

The question is: how can I configure a Blazor WebAssembly application to enforce Strict-Transport-Security in its response headers?

I tried that by adding the following web.config file to the project:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <location>
    <system.webServer>
      <security xdt:Transform="Insert">
        <requestFiltering removeServerHeader="true" />
      </security>
      <httpProtocol xdt:Transform="Insert">
        <customHeaders>
          <remove name="X-Powered-By" />
          <add name="Strict-Transport-Security" value="max-age=31536000" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

But I could not deploy the application after adding this config file.

Husam Ebish
  • Blazor WASM runs in the browser, it has no responses. What you refer to is the ASP.NET Core site you use to host it. That's the same kind of site as your ASP.NET Core MVC site and most likely *already* configured for STS. – Panagiotis Kanavos Jan 15 '21 at 13:30
  • The docs you linked to don't mention anything about web.config. If you use Kestrel to host your WASM application, `web.config` has no effect – Panagiotis Kanavos Jan 15 '21 at 13:32
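
What the comments above describe, as an added example that is not part of the original thread: the HSTS header is set by the ASP.NET Core site that serves the Blazor WebAssembly files, using the same middleware as the MVC project. It assumes the "ASP.NET Core hosted" layout with a `Startup` class in the server project; the controller registration and the `index.html` fallback are assumptions about that project.

```csharp
// Added example: Startup of the ASP.NET Core project that serves the
// Blazor WebAssembly files (assumed "ASP.NET Core hosted" layout).
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Same policy as the web.config attempt: max-age=31536000 (365 days).
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365);
            options.IncludeSubDomains = false; // enable only if every subdomain serves HTTPS
            options.Preload = false;           // preload lists are hard to leave; opt in deliberately
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // Adds Strict-Transport-Security to HTTPS responses only.
            // localhost and loopback addresses are excluded by default.
            app.UseHsts();
        }

        app.UseHttpsRedirection();     // plain-HTTP requests are redirected to HTTPS
        app.UseBlazorFrameworkFiles(); // serves the _framework files of the WASM client
        app.UseStaticFiles();
        app.UseRouting();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
            endpoints.MapFallbackToFile("index.html"); // WASM client entry point
        });
    }
}
```

Because the middleware skips non-HTTPS requests and loopback hosts, verify the header against the deployed hostname over HTTPS rather than a local development run.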

0 Answers