| | | 1 | | <# |
| | | 2 | | .SYNOPSIS |
| | | 3 | | Adds HTTP Strict Transport Security (HSTS) middleware to a Kestrun server instance. |
| | | 4 | | .DESCRIPTION |
| | | 5 | | The Add-KrHsts cmdlet configures HTTP Strict Transport Security (HSTS) |
| | | 6 | | for a Kestrun server instance. HSTS is a web security policy mechanism that helps |
| | | 7 | | to protect websites against protocol downgrade attacks and cookie hijacking. |
| | | 8 | | It allows web servers to declare that web browsers (or other complying user agents) |
| | | 9 | | should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. |
| | | 10 | | .PARAMETER Options |
| | | 11 | | A Microsoft.AspNetCore.HttpsPolicy.HstsOptions object that defines the configuration options for |
| | | 12 | | the HSTS middleware. If this parameter is provided, it takes precedence over the individual configuration |
| | | 13 | | parameters (MaxAgeDays, IncludeSubDomains, Preload, ExcludedHosts). |
| | | 14 | | .PARAMETER MaxAgeDays |
| | | 15 | | The maximum duration (in days) that the browser should remember that a site is only to be accessed using HTTPS. |
| | | 16 | | The default value is 30 days. |
| | | 17 | | .PARAMETER IncludeSubDomains |
| | | 18 | | A switch indicating whether the HSTS policy should also apply to all subdomains of the site. |
| | | 19 | | If this switch is present, the IncludeSubDomains directive will be included in the HSTS header. |
| | | 20 | | .PARAMETER Preload |
| | | 21 | | A switch indicating whether the site should be included in browsers' HSTS preload list. |
| | | 22 | | If this switch is present, the Preload directive will be included in the HSTS header. |
| | | 23 | | .PARAMETER ExcludedHosts |
| | | 24 | | An array of hostnames that should be excluded from the HSTS policy. These hosts will not receive the HSTS header |
| | | 25 | | .PARAMETER AllowInDevelopment |
| | | 26 | | A switch that allows HSTS to work in development environments by clearing the default excluded hosts. |
| | | 27 | | By default, ASP.NET Core excludes localhost and development hosts from HSTS for security. |
| | | 28 | | Use this switch to enable HSTS for testing and development scenarios. |
| | | 29 | | .EXAMPLE |
| | | 30 | | Add-KrHsts -MaxAgeDays 60 -IncludeSubDomains -Preload -PassThru |
| | | 31 | | This example adds HSTS middleware to the current Kestrun server instance with a max age of 60 days, |
| | | 32 | | includes subdomains, enables preload, and returns the modified server instance. |
| | | 33 | | .EXAMPLE |
| | | 34 | | Add-KrHsts -MaxAgeDays 30 -IncludeSubDomains -Preload -AllowInDevelopment |
| | | 35 | | This example enables HSTS for development/testing by clearing default excluded hosts. |
| | | 36 | | Useful for testing HSTS behavior in non-production environments. |
| | | 37 | | .EXAMPLE |
| | | 38 | | $options = [Microsoft.AspNetCore.HttpsPolicy.HstsOptions]::new() |
| | | 39 | | $options.MaxAge = [TimeSpan]::FromDays(90) |
| | | 40 | | $options.IncludeSubDomains = $true |
| | | 41 | | Add-KrHsts -Options $options -PassThru |
| | | 42 | | This example creates a HstsOptions object with a max age of 90 days and includes subdomains, |
| | | 43 | | then adds the HSTS middleware to the current Kestrun server instance and returns the modified server instance. |
| | | 44 | | .NOTES |
| | | 45 | | This cmdlet is part of the Kestrun PowerShell module. |
| | | 46 | | #> |
| | | 47 | | function Add-KrHsts { |
| | | 48 | | [KestrunRuntimeApi('Definition')] |
| | | 49 | | [CmdletBinding(defaultParameterSetName = 'Items')] |
| | | 50 | | param( |
| | | 51 | | [Parameter(Mandatory = $true, ParameterSetName = 'Options')] |
| | | 52 | | [Microsoft.AspNetCore.HttpsPolicy.HstsOptions]$Options, |
| | | 53 | | |
| | | 54 | | [Parameter(ParameterSetName = 'Items')] |
| | | 55 | | [ValidateRange(1, [int]::MaxValue)] |
| | | 56 | | [int] $MaxAgeDays = 30, |
| | | 57 | | |
| | | 58 | | [Parameter(ParameterSetName = 'Items')] |
| | | 59 | | [switch] $IncludeSubDomains, |
| | | 60 | | |
| | | 61 | | [Parameter(ParameterSetName = 'Items')] |
| | | 62 | | [switch] $Preload, |
| | | 63 | | |
| | | 64 | | [Parameter(ParameterSetName = 'Items')] |
| | | 65 | | [string[]] $ExcludedHosts, |
| | | 66 | | |
| | | 67 | | [Parameter(ParameterSetName = 'Items')] |
| | | 68 | | [switch] $AllowInDevelopment |
| | | 69 | | ) |
| | | 70 | | # Ensure the server instance is resolved |
| | 0 | 71 | | $Server = Resolve-KestrunServer |
| | | 72 | | |
| | 0 | 73 | | if ($PSCmdlet.ParameterSetName -eq 'Items') { |
| | | 74 | | # Create options from individual parameters |
| | 0 | 75 | | $Options = [Microsoft.AspNetCore.HttpsPolicy.HstsOptions]::new() |
| | | 76 | | # Set default values |
| | 0 | 77 | | $Options.MaxAge = [TimeSpan]::FromDays($MaxAgeDays) |
| | | 78 | | |
| | 0 | 79 | | if ($PSBoundParameters.ContainsKey('IncludeSubDomains')) { $Options.IncludeSubDomains = $IncludeSubDomains.IsPre |
| | 0 | 80 | | if ($PSBoundParameters.ContainsKey('Preload')) { $Options.Preload = $Preload.IsPresent } |
| | | 81 | | |
| | | 82 | | # Handle AllowInDevelopment switch - clears default excluded hosts first |
| | 0 | 83 | | if ($AllowInDevelopment.IsPresent) { |
| | 0 | 84 | | $Options.ExcludedHosts.Clear() |
| | | 85 | | } |
| | | 86 | | |
| | | 87 | | # Add any explicitly specified excluded hosts |
| | 0 | 88 | | if ($PSBoundParameters.ContainsKey('ExcludedHosts')) { |
| | 0 | 89 | | foreach ($h in $ExcludedHosts) { |
| | 0 | 90 | | $Options.ExcludedHosts.Add($h); |
| | | 91 | | } |
| | | 92 | | } |
| | | 93 | | } |
| | | 94 | | |
| | | 95 | | # Add the HTTPS redirection middleware |
| | 0 | 96 | | [Kestrun.Hosting.KestrunHttpMiddlewareExtensions]::AddHsts($Server, $Options) | Out-Null |
| | | 97 | | } |
| | | 98 | | |