
Friday, December 28, 2018

Web Security: Why do we need http header "Strict-Transport-Security"?

A web site can be reachable over both HTTP and HTTPS, so a user may browse it using either one. We can force the browser to use HTTPS by adding an HSTS (HTTP Strict-Transport-Security) policy to the web site's response headers. Once the browser has seen this header on a valid HTTPS response, it rewrites any http:// URL for that site to https:// before sending the request, for as long as the policy is valid, even when the user typed http:// or followed a plain HTTP link. Let's achieve this in the following way -

Add the header below to your web site's response headers (it must arrive on an HTTPS response; see the note further down) -

Strict-Transport-Security: max-age=<expiry-time in seconds>; includeSubDomains; preload

  • max-age=<expiry-time in seconds>: The browser remembers the policy for this many seconds, counted from the last time it saw the header; any duration (days, months or years) expressed in seconds is allowed. max-age=0 tells the browser to forget the policy for that host, which is how you back out of HSTS.
  • includeSubDomains [optional]: Its presence tells the browser to apply the same HSTS rule to every sub domain of the host as well. Check that all sub domains really serve HTTPS before adding it, otherwise browsers will refuse to load the ones that do not.
  • preload [optional]: Not part of the HSTS specification (RFC 6797). It signals that the site owner consents to the domain being hard-coded into browsers' built-in HSTS lists (submitted via hstspreload.org), which also protects the very first visit. Preloading requires max-age of at least one year (31536000) together with includeSubDomains, and it is hard to undo once shipped in browsers, so only add it when every host under the domain is HTTPS-only.

Technical Implementation:
  • In ASP.Net Core
    Use either of the approaches below to implement HSTS.
    Approach 1: Use the built-in HSTS middleware (default configuration). By default it sends max-age of 30 days, adds the header only to HTTPS responses, and skips localhost and the loopback addresses. The project template wraps the call in if (!env.IsDevelopment()) so development hosts are not locked to HTTPS.

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseHsts(); // adds Strict-Transport-Security to HTTPS responses only
    }

    To override the defaults, also add the following configuration
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddHsts(options =>
        {
            options.Preload = true;                      // emits "preload"; needs MaxAge >= 1 year for hstspreload.org
            options.MaxAge = TimeSpan.FromDays(365);     // one year
            options.IncludeSubDomains = true;            // emits "includeSubDomains"
            // Hosts listed here never receive the header (localhost and loopback are excluded by default).
            options.ExcludedHosts.Add("example.com");
            options.ExcludedHosts.Add("www.example.com");
        });

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    Approach 2: Add it manually to the response header, as below

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.Use(async (context, next) =>
        {
            // Unrelated CORS header kept from the author's sample app.
            context.Response.Headers.Add("Access-Control-Allow-Origin", "http://localhost:4200");
            // Set HSTS only on HTTPS responses; browsers ignore it over plain HTTP anyway.
            // max-age=86400 is one day; the preload list requires at least 31536000 (one year).
            if (context.Request.IsHttps)
            {
                context.Response.Headers.Add("Strict-Transport-Security", "max-age=86400; includeSubDomains; preload");
            }
            await next.Invoke();
        });
        app.UseMvc();
    }
  • In ASP.Net
    Add the custom header in web.config as below to implement HSTS in ASP.NET and MVC. IIS then sends it on every response, including plain HTTP ones; the browser ignores it there (see the note below), but to emit it only over HTTPS use an IIS URL Rewrite outbound rule, or set it from code when Request.IsSecureConnection is true.
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <!-- one year; add "; includeSubDomains" once every sub domain serves HTTPS -->
          <add name="Strict-Transport-Security" value="max-age=31536000" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed over plain HTTP, because an attacker who can intercept HTTP connections could inject the header or strip it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and honors the Strict-Transport-Security header. The very first visit to a site, made over HTTP before any policy has been cached, is therefore still unprotected unless the domain is on the browser's preload list.
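The directive semantics listed above (max-age expiry, includeSubDomains, preload) and the rule in the note just above are easier to see in code. The following is an added example, not code from the original post and not an ASP.NET API; it is a small Python model of how a browser parses a Strict-Transport-Security value and decides whether an http:// request must be upgraded, plus a check of the header against the hstspreload.org submission requirements. The host names, header values and the fixed clock value are constructed test data.

```python
# Added example (not from the original post): a small model of how a browser
# parses and honours Strict-Transport-Security. Hosts and header values are
# constructed test data; the clock is passed in explicitly to keep it deterministic.
import re

PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org: max-age must be at least one year


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict, or None if invalid.
    RFC 6797: directives are ';'-separated and case-insensitive, max-age is
    required (non-negative integer, optionally quoted), no directive may appear
    twice, and unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not sep or not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Simulates the browser's list of HSTS 'known hosts'."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry in epoch seconds, include_subdomains)

    def process_response(self, host, header, is_https, now, cert_ok=True):
        """Apply the header from one response; return True if the store changed."""
        # Ignored over plain HTTP or when the certificate failed validation:
        # an attacker on the path could have injected or stripped the header.
        if not is_https or not cert_ok or header is None:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            return self._hosts.pop(host, None) is not None
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def should_upgrade(self, host, now):
        """True if http://host must be rewritten to https://host before any request."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue  # policy has expired
            # Exact match always applies; a parent's policy needs includeSubDomains.
            if i == 0 or include_subdomains:
                return True
        return False


def preload_eligible(header):
    """Reasons hstspreload.org would reject the header (empty list = passes).
    The HTTP-to-HTTPS redirect it also requires is out of scope here."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header missing or malformed"]
    problems = []
    if policy["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age must be at least %d (one year)" % PRELOAD_MIN_MAX_AGE)
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    t0 = 1_000_000
    store = HstsStore()
    hdr = "max-age=86400;includeSubDomains;preload"  # value from the manual middleware above
    store.process_response("bank.example", hdr, is_https=False, now=t0)
    print(store.should_upgrade("bank.example", t0))          # False: only seen over HTTP
    store.process_response("bank.example", hdr, is_https=True, now=t0)
    print(store.should_upgrade("www.bank.example", t0))      # True: includeSubDomains
    print(store.should_upgrade("bank.example", t0 + 86400))  # False: one day has passed
    print(preload_eligible(hdr))  # ['max-age must be at least 31536000 (one year)']
```

Running it shows the three caveats from the text in one place: the header seen over HTTP changes nothing, a one-day max-age silently lapses after a day even though the header carries preload, and that same header would be rejected for preloading because the preload list wants a year.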



Benefit of HSTS policy

It reduces exposure to man-in-the-middle attacks to some extent: once the policy is cached, the browser never sends a plain HTTP request for the site, so there is nothing for an attacker on the network to intercept or downgrade (the very first visit remains exposed unless the site is preloaded). See the example scenario below, described on https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security#Preloading_Strict_Transport_Security

Example Scenario:

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

