michasaucer

Reputation: 5228

ASP .NET Core no HSTS header in response headers

In my appsettings.json I added this line of code:

"Hsts": {
    "HstsEnable": true
}

In launchSettings.json I added https://localhost:5000:

"applicationUrl": "http://localhost:5001;https://localhost:5000"

Then, in Program.cs I used these URLs:

return WebHost.CreateDefaultBuilder(args)
    .UseKestrel(x => x.AddServerHeader = false)
    .UseUrls("http://localhost:5001", "https://localhost:5000")
    .UseStartup<Startup>()
    .Build();

In the Startup class, in the Configure method, I'm getting the Hsts value from appsettings.json:

if (Configuration.GetSection("Hsts").GetValue<bool>("HstsEnable"))
{
    app.UseHsts();
}

app.UseHttpsRedirection();

After all these steps I can't get Strict-Transport-Security. All I get from the response headers is:

cache-control: no-store,no-cache
content-type: application/json; charset=utf-8
pragma: no-cache

The HSTS setup cut headers from the response. Without all these lines of code (to set up HSTS in my app) above, I get these response headers:

access-control-allow-credentials: true 
access-control-allow-origin: * 
access-control-expose-headers: Content-Disposition 
cache-control: no-store,no-cache 
content-type: application/json; charset=utf-8 
date: Fri, 11 Oct 2019 09:21:30 GMT 
pragma: no-cache 
transfer-encoding: chunked 
vary: Origin 
x-frame-options: DENY 
x-stackifyid: id

So something is wrong with this HSTS.

How do I add the HSTS header to the response headers, as I mentioned above? Do I need to hardcode the header in my Configure method?

context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000");

Upvotes: 4

Views: 12412

Answers (1)

Xueli Chen

Reputation: 12685

From the official documentation on HTTP Strict Transport Security Protocol (HSTS):

UseHsts excludes the following loopback hosts:

  • localhost : The IPv4 loopback address.

  • 127.0.0.1 : The IPv4 loopback address.

  • [::1] : The IPv6 loopback address.

You could try to publish the web app and check the header Strict-Transport-Security.

Upvotes: 8
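As an added example (not code from the question or the answer), the following xUnit test uses Microsoft.AspNetCore.TestHost to show the loopback exclusion the answer describes: the same pipeline emits Strict-Transport-Security for a hypothetical public HTTPS host (example.test) but not for https://localhost or for plain HTTP. It assumes the Microsoft.AspNetCore.TestHost and xunit packages are referenced.

```csharp
// Added example: verifies when the HSTS middleware emits the header.
// Assumes the Microsoft.AspNetCore.TestHost and xunit packages are referenced.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

public class HstsLoopbackTests
{
    private static TestServer BuildServer(string baseAddress)
    {
        var builder = new WebHostBuilder()
            .ConfigureServices(services => services.AddHsts(o =>
            {
                o.MaxAge = TimeSpan.FromDays(365);   // max-age=31536000, as in the question
                o.IncludeSubDomains = true;
            }))
            .Configure(app =>
            {
                app.UseHsts();                       // same call the question uses in Configure
                app.Run(ctx => ctx.Response.WriteAsync("ok"));
            });

        // BaseAddress decides both the scheme (Request.IsHttps) and the Host the middleware
        // checks against its default excluded hosts: localhost, 127.0.0.1 and [::1].
        return new TestServer(builder) { BaseAddress = new Uri(baseAddress) };
    }

    [Theory]
    [InlineData("https://localhost/", false)]    // loopback host: excluded by default
    [InlineData("https://example.test/", true)]  // hypothetical public host: header expected
    [InlineData("http://example.test/", false)]  // plain HTTP: HSTS is only sent over HTTPS
    public async Task Hsts_header_depends_on_host_and_scheme(string baseAddress, bool expectHeader)
    {
        using (var server = BuildServer(baseAddress))
        using (var client = server.CreateClient())
        {
            var response = await client.GetAsync("/");
            bool present = response.Headers.Contains("Strict-Transport-Security");
            Assert.Equal(expectHeader, present);
        }
    }
}
```

The localhost case is exactly the question's situation: the header is suppressed by the middleware, not stripped from the response by a misconfiguration, so checking from a non-loopback host name (or a published deployment) is the right verification.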
