Reconsider default HSTS max-age value

Currently, the default value for HTTP Strict Transport Security (HSTS) max-age is set to 30 days.

aspnetcore/src/Middleware/HttpsPolicy/src/HstsOptions.cs

Line 18 in 410efd4

public TimeSpan MaxAge { get; set; } = TimeSpan.FromDays(30);

According to hstspreload.org, it is recommended that the minimum value should be at least 1 year, with a preferable value of 2 years.

The current default value may not align with modern security best practices, and it might be beneficial to reconsider it.

I propose that we reconsider the default value and update it to a more secure and recommended value, such as 1 year.

Also, setting a longer default max-age value will avoid additional configuration, as it is very common to reconfigure this value as follows:

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365); // Common practice to set it to 1 year or more
});

[adityamandaleeka]

@blowdart What do you think?

[blowdart]

We do, or did, document that setting as needing adjusting for production. The default value was a compromise between production and "oh no I locked myself out of dev and local host".

If those code comments are there any more, put them back. Using a production value in dev can end in sadness.

[adityamandaleeka]

I don't see any comments in the docs about it. BTW I'm not sure I understand why 30 days is any better than one year for that situation... seems just as painful if you accidentally get hit by it when you weren't meaning to?

If one were to find themselves in this situation, reducing the max-age and clearing their browser's HSTS settings (globally or for the specific site) would be the fix right?

[blowdart]

Yea. But when we added it the instructions for clearing the HSTS entry for a site were hard to find.

Heck they're still hard to find, especially if you don't know what HSTS is.