BUG: HSTS stopped working.

[cr3wdayt5p]

We enabled HSTS around 2024-08-29 but now (2024-10-10) it is no longer working. The header is no longer sent. This applies to both the *.azurewebsites.net domain and our custom domain.

We have made no other configuration changes in this period.

host.json:

{
    "version": "2.0",
    ...
    "extensions": {
        ...
        "http": {
            "hsts": {
                "isEnabled": true,
                "maxAge": "730",
                "includeSubDomains": true,
                "preload": true
            }
        }
    }
}

Runtime Stack: DOTNET-ISOLATED|8.0
Runtime Version: 4.1036.2.2
OS: Linux
Plan: Premium V3 (App Service Plan)
Region: North Europe

Docs for the HSTS setting can be found here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp#hostjson-settings

[bhagyshricompany]

Hi @cr3wdayt5p Thanks for reporting there may be this reason.
If you're using a custom domain, double-check that your SSL certificate bindings are still in place and valid. HSTS requires a valid SSL certificate. If the certificate expired or was removed, the HSTS header won't be sent.

[cr3wdayt5p]

Hi @bhagyshricompany

The certificate is assigned by Azure and is still valid (expiration 2025-01-23). The custom domain binding has also not been touched and is valid (see image).

[cr3wdayt5p]

My guess is that your bug is related to either the App Service Environment plan or to the Linux host.

We have another Azure Function running on the Dynamic plan on a Windows host in the same region (North Europe) with identical HSTS configuration – and this works. That host is also running a slightly newer runtime (4.1036.3.23284).

[bhagyshricompany]

will check and update.

[cr3wdayt5p]

please ref this doc .https://learn.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-8.0&source=recommendations&tabs=visual-studio%2Clinux-ubuntu%2Clinux-sles

Why? What would I be looking for there? You are linking to some ASP.NET thing – which does not appear to be related to Azure Functions at all.

The documentation for HSTS setup for Azure Functions is here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook?tabs=isolated-process%2Cfunctionsv2&pivots=programming-language-csharp
And it is quite simple – and it used to work – but now it has stopped working due some apparent bug on the Azure side.

[bhagyshricompany]

please provide your code for azure fuc and sdk version you have used.Thanks

[cr3wdayt5p]

Our code contains nothing fancy regarding the setup. When our stuff is filtered out it is basically the default template.

host.json: See above.

OurProjectName.fsproj:

<?xml version="1.0" encoding="utf-8"?>
<Project Sdk="Microsoft.NET.Sdk">
    <PropertyGroup>
        <TargetFramework>net8.0</TargetFramework>
        <AzureFunctionsVersion>v4</AzureFunctionsVersion>
        <OutputType>Exe</OutputType>
    </PropertyGroup>
    <ItemGroup>
        <None Include="host.json">
            <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
        </None>
    </ItemGroup>
    <ItemGroup>
        <!-- ... -->
        <Compile Include="Functions.fs" />
        <Compile Include="Program.fs" />
    </ItemGroup>
    <ItemGroup>
        <PackageReference Update="FSharp.Core" Version="8.0.403" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.23.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="2.0.0" />
        <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.2.0" />
        <!-- ... -->
    </ItemGroup>
</Project>

Program.fs:

module OurProjectName.Program

open Microsoft.Extensions.Hosting

[<EntryPoint>]
HostBuilder().ConfigureFunctionsWorkerDefaults().Build().Run ()

Functions.fs:

namespace OurProjectName

open System
open System.Threading.Tasks
open Microsoft.Azure.Functions.Worker
open Microsoft.Azure.Functions.Worker.Http
open Microsoft.Extensions.Logging

// ...


type Functions (logger : ILogger<unit>) =
    [<Function("Ping")>]
    member _.Ping ([<HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "ping")>] req : HttpRequestData, funcCtx : FunctionContext) =
        async {
            let resp = req.CreateResponse System.Net.HttpStatusCode.OK
            do resp.WriteString "pong"
            return resp
        }
        |> Async.StartAsTask

    // ...

Everything works as expected except for HSTS.

[bhagyshricompany]

H @cr3wdayt5p Thanks for your input will check and update you.Thanks

[bhagyshricompany]

HSTS headers will only work if the client accesses the app over HTTPS. If a client attempts to use HTTP and redirection is not enforced, the HSTS headers will not be received. please check the same.Thanks

[cr3wdayt5p]

I only test over HTTPS.

And our app has this setting:

[cr3wdayt5p]

It looks like your team has fixed the bug 🎉

The HSTS header is back :)

It took a while – but thank you.

We did not change anything.

[bhagyshricompany]

Thanks for update.