This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
RequireHttps - should it be redirect 302 by default? #4561
@blowdart any thoughts on this? It's not directly security related but I figured you might have some thoughts.
Make it configurable.
301 by default?
302 by default.
Eilon added the up-for-grabs label (Members of our awesome community can handle this issue) on May 2, 2016
I think 302 can make it for RC2. It's a minimal one-line change and fixes this bug, and is a candidate for ask mode given the consequences on people's paid-for domains.
Changed to filterContext.Result = new RedirectResult(newUrl);
Leave the up for grabs for the enhancement.
@sebastienros we have a PR for this at #4602 that just needs to be reviewed and merged.
RequireHttps uses a 301 permanent redirect.
Mvc/src/Microsoft.AspNetCore.Mvc.Core/RequireHttpsAttribute.cs, line 87 in ee2cfa1
It used to be 302 in MVC 5 AFAIK so this adds to the confusion.
All the major browsers cache 301 indefinitely so if you use RequireHttps in your code you can never remove it.
Otherwise you will have code that may not match the behaviour of your site depending on the state of the user's browser cache. This can cause some confusion without an in-depth knowledge of browser behaviour and 301 vs. 302.
I realise I could override the attribute to say something like RequireHttpsNotPermanent but given the one-way street that is 301 I propose making RequireHttps 302 (like it used to be) by default. Make 301 an opt-in so you are aware of the consequences.
Perhaps with an overridden RequireHttpsPermanent or RequireHttps("Permanent") attribute for 301.
Discussed at length here: aspnet/Security#798
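The override workaround mentioned in the issue text, as an added example that is not code from the Mvc repository or from any participant in this thread. The class name `RequireHttpsTemporaryAttribute` and the `UsePermanentRedirect` property are hypothetical, and the sketch assumes HTTPS is served on the default port 443.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical subclass: temporary (302) redirect unless 301 is requested explicitly.
public class RequireHttpsTemporaryAttribute : RequireHttpsAttribute
{
    // false => 302 Found, which browsers do not cache unless the response says so.
    // true  => 301 Moved Permanently, which browsers cache (the concern raised in this issue).
    public bool UsePermanentRedirect { get; set; }

    protected override void HandleNonHttpsRequest(AuthorizationFilterContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Only redirect GET requests; for other verbs the browser might not
        // propagate the method and request body correctly, so refuse instead.
        if (!string.Equals(request.Method, "GET", StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }

        // Assumption: HTTPS listens on 443, so the HTTP port is dropped from the host.
        var host = new HostString(request.Host.Host);

        var newUrl = string.Concat(
            "https://",
            host.ToUriComponent(),
            request.PathBase.ToUriComponent(),
            request.Path.ToUriComponent(),
            request.QueryString.ToUriComponent());

        // The second argument selects 301 (true) or 302 (false).
        filterContext.Result = new RedirectResult(newUrl, UsePermanentRedirect);
    }
}
```

Applied as `[RequireHttpsTemporary]` it issues a 302; `[RequireHttpsTemporary(UsePermanentRedirect = true)]` opts in to 301.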