55

I don't quite get the difference between UseHsts and UseHttpsRedirection in the configure section of the startup file in .net core. Could anyone explain?

1 Comment

One happens on the browser side (HSTS), and the other on the server side. Commented Sep 28, 2018 at 17:35

4 Answers

49

According to the documentation you should use both together:

We recommend all production ASP.NET Core web apps call:

  • The HTTPS Redirection Middleware (UseHttpsRedirection) to redirect all HTTP requests to HTTPS.
  • UseHsts, HTTP Strict Transport Security Protocol (HSTS).

ASP.NET Core Enforce HTTPS

The .UseHttpsRedirection() will issue HTTP response codes redirecting from http to https. The .UseHsts() will add the HSTS response header which the client is supposed to obey.


2 Comments

Both UseHttpsRedirection and UseHsts do nothing to block incoming http requests? So basically they are just instructions to the browser?
They do not block incoming requests. UseHttpsRedirection should issue a redirect from http to https. UseHsts is a header to remind the browser that when they come back to this site, skip the initial http request, and go directly to https. If you want to block http completely, you'd need to do that on your host (iis, apache, etc).
11

UseHsts adds the Strict-Transport-Security header to the response, which informs the browser that the application must only be accessed with HTTPS. After this declaration, compliant browsers should automatically convert any http request of the application into an HTTPS request.

UseHttpsRedirection causes an automatic redirection to HTTPS URL when an HTTP URL is received, in a way that forces a secure connection.

Once the first HTTPS secure connection is established, the strict-security header prevents future redirections that might be used to perform man-in-the-middle attacks.


6

I don't think it is a trivial concept. None of the answers already written satisfies me. Here are my deductions after reading some articles.


HSTS is the abbreviation of the Strict-Transport-Security header in the HTTP protocol. It informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Using HSTS, the browser will call your application using HTTP only the very first time. The subsequent requests against the same domain will be made using the HTTPS protocol, even in the presence of a URL using the HTTP scheme.

The protection only applies after a user has visited the site at least once, relying on the principle of "trust on first use". The way this protection works is that a user entering or selecting a URL to the site that specifies HTTP, will automatically upgrade to HTTPS, without making an HTTP request, which prevents the HTTP man-in-the-middle attack from occurring.

HSTS is not guaranteed, it may not be supported by your client. It also requires at least one successful HTTPS request to establish the HSTS policy. HSTS is a client side performance optimization to avoid an extra request to the server.

UseHttpsRedirection middleware redirects incoming HTTP requests to HTTPS, ensuring that all communication between the client and server is encrypted. It does redirect to https if properly configured. The risk is that the client may have sent sensitive data on that initial request. HSTS will prevent such leaks in the future, but cannot protect the first request.

I like the answers here as well.
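The three answers above describe the same pair of middlewares from different angles: one emits a redirect on the server, the other emits a header the browser caches. The following Startup class is an added example, not code from the question or any of the answers, that wires both up in the order the documentation shows and sets the options that matter for the trust-on-first-use gap the third answer discusses. It assumes ASP.NET Core 3.x or later (IWebHostEnvironment) and an app that terminates TLS itself rather than sitting behind a proxy; the excluded host name is hypothetical.

```csharp
// Added example (not from the original question or answers).
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // UseHsts only emits a header; these options decide its value:
        // Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
        services.AddHsts(options =>
        {
            options.MaxAge = TimeSpan.FromDays(365); // how long the browser pins HTTPS (default is 30 days)
            options.IncludeSubDomains = true;        // policy also covers sub-domains
            options.Preload = true;                  // needed to submit the domain to the browser preload
                                                     // list, which is what closes the first-visit gap
            // Hosts that must never get the header; localhost/127.0.0.1/[::1] are excluded by default.
            options.ExcludedHosts.Add("internal.example.test"); // hypothetical host name
        });

        // UseHttpsRedirection: which status code to send and which port to point at.
        services.AddHttpsRedirection(options =>
        {
            // 308 is permanent and preserves the request method; the default is 307 (temporary).
            options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
            options.HttpsPort = 443; // otherwise taken from ASPNETCORE_HTTPS_PORT or the bound HTTPS endpoint
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            // No UseHsts in Development: the header is cached by the browser for
            // max-age, and a stale policy against a dev host is painful to undo.
        }
        else
        {
            // Server side: adds the header, and only to responses that were
            // themselves served over HTTPS (plain-HTTP responses get nothing).
            app.UseHsts();
        }

        // Server side: http://host/path -> 308 with Location: https://host/path
        // A browser that already holds the HSTS entry never sends that first HTTP
        // request, so this middleware covers the very first visit and clients
        // that ignore HSTS. Neither middleware stops the HTTP listener itself.
        app.UseHttpsRedirection();

        app.Run(async context =>
        {
            await context.Response.WriteAsync($"scheme={context.Request.Scheme}");
        });
    }
}
```

To see the two mechanisms separately, request the HTTP endpoint once with a non-browser client such as curl: the first response is the 308 from UseHttpsRedirection with no Strict-Transport-Security header, and only the follow-up HTTPS response carries the header that UseHsts adds.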


0

UseHttpsRedirection must be called with care and should not always be recommended. In cases where the app is not exposed directly but instead is behind a reverse proxy, it is a common configuration to have HTTPS between the client and the reverse proxy and HTTP from the reverse proxy down to the actual app.

In such a configuration, calling UseHttpsRedirection could cause issues, as the .NET Core app would incorrectly redirect calls from the reverse proxy server.

The MSDN page linked in other answers contains clear and correct information about this particular scenario, and anyone following the recommendation should also take this additional information into account.

Apps deployed in a reverse proxy configuration allow the proxy to handle connection security (HTTPS). If the proxy also handles HTTPS redirection, there's no need to use HTTPS Redirection Middleware.
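The redirect loop this answer warns about happens because, from the app's point of view, every proxied request arrives over plain HTTP. The usual fix when you still want the app to call UseHttpsRedirection (or to emit HSTS at all) is to let ForwardedHeadersMiddleware restore the original scheme from X-Forwarded-Proto before the HTTPS middlewares run. The Startup below is an added example, not code from this answer or from the documentation it quotes; it assumes ASP.NET Core 3.x or later, a proxy that sets X-Forwarded-Proto and X-Forwarded-For, and a hypothetical proxy address of 10.0.0.5.

```csharp
// Added example (not from the original answer).
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour only the scheme and client-address headers, and only when the
            // immediate peer is the known proxy. Without the KnownProxies entry any
            // direct client could send "X-Forwarded-Proto: https" to skip the
            // redirect, or spoof the client IP that ends up in your logs.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // hypothetical proxy address
            // For a whole subnet instead of one host:
            // options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 24));
        });

        services.AddHsts(options => options.MaxAge = TimeSpan.FromDays(365));
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that inspects Request.Scheme / Request.IsHttps,
        // so those reflect the client-to-proxy hop rather than the proxy-to-app hop.
        app.UseForwardedHeaders();

        if (!env.IsDevelopment())
        {
            // Still emitted: IsHttps is now true for requests the proxy received over TLS.
            app.UseHsts();
        }

        // With the forwarded scheme in place this is a no-op for proxied HTTPS traffic
        // and no longer loops. If the proxy already redirects HTTP to HTTPS itself,
        // delete this line instead, as the documentation quoted above recommends.
        app.UseHttpsRedirection();

        app.Run(async context =>
        {
            await context.Response.WriteAsync(
                $"scheme={context.Request.Scheme} client={context.Connection.RemoteIpAddress}");
        });
    }
}
```

The check worth running after deploying this is to send one request straight to the app port from a host that is not the proxy, with X-Forwarded-Proto: https set by hand: the scheme in the response body should still read http, which confirms the header is ignored from untrusted peers.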
