How to force HTTPS using a web config file

Question

I have searched around Google and StackOverflow trying to find a solution to this  but they all seem to relate to ASP NET etc   I usually run Linux on my servers but for this one client I am using Windows with IIS 7 5  and Plesk 10   This being the reason why I am slightly unfamiliar with IIS and web config files  In an  htaccess file you can use rewrite conditions to detect whether the protocol is HTTPS and redirect accordingly  Is there a simple way to achieve this using a web config file  or even using the  URL Rewrite  module that I have installed   I have no experience with ASP NET so if this is involved in the solution then please include clear steps of how to implement   The reason for me doing this with the web config and not PHP is that I would like to force HTTPS on all assets within the site

User · Answer

To augment LazyOne s answer  here is an annotated version of the answer    lt rewrite gt     lt rules gt        lt clear   gt        lt rule name  Redirect all requests to https  stopProcessing  true  gt          lt match url          gt            lt conditions logicalGrouping  MatchAll  gt              lt add input   HTTPS   pattern  off  ignoreCase  true    gt            lt  conditions gt            lt action              type  Redirect  url  https    HTTP HOST  REQUEST URI                redirectType  Permanent  appendQueryString  false    gt        lt  rule gt     lt  rules gt   lt  rewrite gt    Clear all the other rules that might already been defined on this server  Create a new rule  that we will name  Redirect all requests to https   After processing this rule  do not process any more rules  Match all incoming URLs  Then check whether all of these other conditions are true  HTTPS is turned OFF  Well  that s only one condition  but make sure it s true   If it is  send a 301 Permanent redirect back to the client at http   www foobar com whatever else the url-contains  Don t add the query string at the end of that  because it would duplicate the query string    This is what the properties  attributes  and some of the values mean    clear removes all server rules that we might otherwise inherit  rule defines a rule     name an arbitrary  though unique  name for the rule   stopProcessing whether to forward the request immediately to the IIS request pipeline or first to process additional rules    match when to run this rule    url a pattern against which to evaluate the URL  conditions additional conditions about when to run this rule  conditions are processed only if there is first a match    logicalGrouping whether all the conditions must be true  MatchAll  or any of the conditions must be true  MatchAny   similar to AND vs OR    add adds a condition that must be met     input the input that a condition is evaluating  input can be server variables   pattern the standard against which to evaluate the input   ignoreCase whether capitalization matters or not    action what to do if the match and its conditions are all true    type can generally be redirect  client-side  or rewrite  server-side    url what to produce as a result of this rule  in this case  concatenate https    with two server variables  redirectType what HTTP redirect to use  this one is a 301 Permanent   appendQueryString whether to add the query string at the end of the resultant url or not  in this case  we are setting it to false  because the  REQUEST URI  already includes it     The server variables are     HTTPS  which is either OFF or ON    HTTP HOST  is www mysite com  and   REQUEST URI  includes the rest of the URI  e g   home key value   the browser handles the  fragment  see comment from LazyOne      See also  https   www iis net learn extensions url-rewrite-module url-rewrite-module-configuration-reference

User · Answer

For those using ASP NET MVC  You can use the RequireHttpsAttribute to force all responses to be HTTPS   GlobalFilters Filters Add new RequireHttpsAttribute       Other things you may also want to do to help secure your site    Force Anti-Forgery tokens to use SSL TLS   AntiForgeryConfig RequireSsl   true   Require Cookies to require HTTPS by default by changing the Web config file    lt system web gt       lt httpCookies httpOnlyCookies  true  requireSSL  true    gt   lt  system web gt   Use the NWebSec Owin NuGet package and add the following line of code to enable Strict Transport Security  HSTS  across the site  Don t forget to add the Preload directive below and submit your site to the HSTS Preload site  More information here and here  Note that if you are not using OWIN  there is a Web config method you can read up on on the NWebSec site      app is your OWIN IAppBuilder app in Startup cs app UseHsts options   gt  options MaxAge days  720  Preload      Use the NWebSec Owin NuGet package and add the following line of code to enable Public Key Pinning  HPKP  across the site  More information here and here      app is your OWIN IAppBuilder app in Startup cs app UseHpkp options   gt  options      Sha256Pins           Base64 encoded SHA-256 hash of your first certificate e g  cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2 soZS7sWs             Base64 encoded SHA-256 hash of your second backup certificate e g  M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE         MaxAge days  30     Include the https scheme in any URL s used  Content Security Policy  CSP  HTTP header and Subresource Integrity  SRI  do not play nice when you imit the scheme in some browsers  It is better to be explicit about HTTPS  e g    lt script src  https   ajax aspnetcdn com ajax bootstrap 3 3 4 bootstrap min js  gt   lt  script gt   Use the ASP NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in  You can also view the code on GitHub

User · Answer

I was not allowed to install URL Rewrite in my environment  so  I found another path  Adding this to my web config added the error rewrite and worked on IIS 7 5   lt system webServer gt       lt httpErrors errorMode  quot Custom quot  defaultResponseMode  quot File quot  defaultPath  quot C  WebSites yoursite  quot   gt           lt remove statusCode  quot 403 quot  subStatusCode  quot 4 quot    gt       lt error statusCode  quot 403 quot  subStatusCode  quot 4 quot  responseMode  quot File quot  path  quot redirectToHttps html quot    gt   lt  httpErrors gt   Then  following the advice here  https   www sslshopper com iis7-redirect-http-to-https html I configured the IIS website to require SSL and created the html file that does the redirect  redirectToHttps html  upon the 403  Forbidden  error   lt html gt   lt head gt  lt title gt Redirecting    lt  title gt  lt  head gt   lt script language  quot JavaScript quot  gt  function redirectHttpToHttps         var httpURL  window location hostname   window location pathname   window location search      var httpsURL   quot https    quot    httpURL      window location   httpsURL    redirectHttpToHttps     lt  script gt   lt body gt   lt  body gt   lt  html gt   I hope someone finds this useful as I could not find all of the pieces in one place anywhere else

User · Answer

The accepted answer did not work for me  I followed the steps on this blog   A key point that was missing for me was that I needed to download and install the URL Rewrite Tool for IIS  I found it here  The result was the following     lt rewrite gt           lt rules gt               lt remove name  Http to Https    gt               lt rule name  Http to Https  enabled  true  patternSyntax  Wildcard  stopProcessing  true  gt                   lt match url       gt                   lt conditions gt                       lt add input   HTTPS   pattern  off    gt                   lt  conditions gt                   lt serverVariables   gt                   lt action type  Redirect  url  https    HTTPS HOST  REQUEST URI     gt               lt  rule gt           lt  rules gt       lt  rewrite gt

User · Answer

A simple way is to tell IIS to send your custom error file for HTTP requests  The file can then contain a meta redirect  a JavaScript redirect and instructions with link  etc    Importantly  you can still check  Require SSL  for the site  or folder  and this will work    lt  configuration gt   lt  system webServer gt       lt httpErrors gt           lt clear  gt           lt  --redirect if connected without SSL-- gt           lt error statusCode  403  subStatusCode  4  path  errors 403 4 requiressl html  responseMode  File   gt       lt  httpErrors gt   lt  system webServer gt   lt  configuration gt

User · Answer

In  Net Core  follow the instructions at https   docs microsoft com en-us aspnet core security enforcing-ssl  In your startup cs add the following      Requires using Microsoft AspNetCore Mvc  public void ConfigureServices IServiceCollection services        services Configure lt MvcOptions gt  options   gt                options Filters Add new RequireHttpsAttribute             enter code here    To redirect Http to Https  add the following in the startup cs     Requires using Microsoft AspNetCore Rewrite  public void Configure IApplicationBuilder app  IHostingEnvironment env  ILoggerFactory loggerFactory        loggerFactory AddConsole Configuration GetSection  Logging         loggerFactory AddDebug         var options   new RewriteOptions           AddRedirectToHttps         app UseRewriter options

User · Answer

You need URL Rewrite module  preferably v2  I have no v1 installed  so cannot guarantee that it will work there  but it should    Here is an example of such web config -- it will force HTTPS for ALL resources  using 301 Permanent Redirect     lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt rewrite gt               lt rules gt                   lt clear   gt                   lt rule name  Redirect to https  stopProcessing  true  gt                       lt match url        gt                       lt conditions gt                           lt add input   HTTPS   pattern  off  ignoreCase  true    gt                       lt  conditions gt                       lt action type  Redirect  url  https    HTTP HOST  REQUEST URI   redirectType  Permanent  appendQueryString  false    gt                   lt  rule gt               lt  rules gt           lt  rewrite gt       lt  system webServer gt   lt  configuration gt    P S  This particular solution has nothing to do with ASP NET PHP or any other technology as it s done using URL rewriting module only -- it is processed at one of the initial lower levels -- before request gets to the point where your code gets executed

User · Answer

I am using below code and it perfect works for me  hope it will help you   lt configuration gt   lt system webServer gt       lt rewrite gt           lt rules gt               lt rule name  quot Force redirect to https quot  stopProcessing  quot true quot  gt                   lt match url  quot      quot    gt                   lt conditions gt                       lt add input  quot  HTTPS  quot  pattern  quot  OFF  quot    gt                   lt  conditions gt                   lt action type  quot Redirect quot  url  quot https    HTTP HOST  REQUEST URI  quot  appendQueryString  quot false quot    gt               lt  rule gt           lt  rules gt       lt  rewrite gt   lt  system webServer gt

User · Answer

The excellent NWebsec library can upgrade your requests from HTTP to HTTPS using its upgrade-insecure-requests tag within the Web config    lt nwebsec gt     lt httpHeaderSecurityModule gt       lt securityHttpHeaders gt         lt content-Security-Policy enabled  true  gt           lt upgrade-insecure-requests enabled  true     gt         lt  content-Security-Policy gt       lt  securityHttpHeaders gt     lt  httpHeaderSecurityModule gt   lt  nwebsec gt

[c#] How to force HTTPS using a web.config file

Examples related to c#

Examples related to asp.net

Examples related to iis

Examples related to https

Examples related to web-config