Best way in asp net to force https for an entire site

Question

About 6 months ago I rolled out a site where every request needed to be over https   The only way at the time I could find to ensure that every request to a page was over https was to check it in the page load event   If the request was not over http I would response redirect  https   example com    Is there a better way -- ideally some setting in the web config

User · Answer

The IIS7 module will let you redirect        lt rewrite gt           lt rules gt               lt rule name  Redirect HTTP to HTTPS  stopProcessing  true  gt                   lt match url         gt                   lt conditions gt                       lt add input   HTTPS   pattern   OFF    gt                   lt  conditions gt                   lt action type  Redirect  url  https    HTTP HOST   R 1   redirectType  SeeOther   gt               lt  rule gt           lt  rules gt       lt  rewrite gt

User · Answer

The other thing you can do is use HSTS by returning the  Strict-Transport-Security  header to the browser  The browser has to support this  and at present  it s primarily Chrome and Firefox that do   but it means that once set  the browser won t make requests to the site over HTTP and will instead translate them to HTTPS requests before issuing them  Try this in combination with a redirect from HTTP   protected void Application BeginRequest Object sender  EventArgs e      switch  Request Url Scheme          case  https         Response AddHeader  Strict-Transport-Security    max-age 300          break      case  http         var path    https       Request Url Host   Request Url PathAndQuery        Response Status    301 Moved Permanently         Response AddHeader  Location   path         break          Browsers that aren t HSTS aware will just ignore the header but will still get caught by the switch statement and sent over to HTTPS

User · Answer

This is a fuller answer based on  Troy Hunt s  Add this function to your WebApplication class in Global asax cs       protected void Application BeginRequest Object sender  EventArgs e                   Allow https pages in debugging         if  Request IsLocal                        if  Request Url Scheme     http                                 int localSslPort   44362     Your local IIS port for HTTPS                  var path    https       Request Url Host         localSslPort   Request Url PathAndQuery                   Response Status    301 Moved Permanently                   Response AddHeader  Location   path                                   else                       switch  Request Url Scheme                                case  https                       Response AddHeader  Strict-Transport-Security    max-age 31536000                        break                  case  http                       var path    https       Request Url Host   Request Url PathAndQuery                      Response Status    301 Moved Permanently                       Response AddHeader  Location   path                       break                                   To enable SSL on your local build enable it in the Properties dock for the project

User · Answer

-  Simply ADD  RequireHttps  on top of the  public class HomeController          Controller   -  And add   GlobalFilters Filters Add new RequireHttpsAttribute     in  protected void Application Start    method in Global asax cs file   Which forces your entire application to HTTPS

User · Answer

For those using ASP NET MVC  You can use the following to force SSL TLS over HTTPS over the whole site in two ways   The Hard Way  1 - Add the RequireHttpsAttribute to the global filters   GlobalFilters Filters Add new RequireHttpsAttribute       2 - Force Anti-Forgery tokens to use SSL TLS   AntiForgeryConfig RequireSsl   true    3 - Require Cookies to require HTTPS by default by changing the Web config file    lt system web gt       lt httpCookies httpOnlyCookies  true  requireSSL  true    gt   lt  system web gt    4 - Use the NWebSec Owin NuGet package and add the following line of code to enable Strict Transport Security accross the site  Don t forget to add the Preload directive below and submit your site to the HSTS Preload site  More information here and here  Note that if you are not using OWIN  there is a Web config method you can read up on on the NWebSec site      app is your OWIN IAppBuilder app in Startup cs app UseHsts options   gt  options MaxAge days  30  Preload       5 - Use the NWebSec Owin NuGet package and add the following line of code to enable Public Key Pinning  HPKP  across the site  More information here and here      app is your OWIN IAppBuilder app in Startup cs app UseHpkp options   gt  options      Sha256Pins           Base64 encoded SHA-256 hash of your first certificate e g  cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2 soZS7sWs             Base64 encoded SHA-256 hash of your second backup certificate e g  M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE         MaxAge days  30      6 - Include the https scheme in any URL s used  Content Security Policy  CSP  HTTP header and Subresource Integrity  SRI  do not play nice when you imit the scheme in some browsers  It is better to be explicit about HTTPS  e g    lt script src  https   ajax aspnetcdn com ajax bootstrap 3 3 4 bootstrap min js  gt  lt  script gt    The Easy Way  Use the ASP NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in  You can also view the code on GitHub

User · Answer

It also depends on the brand of your balancer  for the web mux  you would need to look for http header X-WebMux-SSL-termination  true to figure that incoming traffic was ssl  details here  http   www cainetworks com support redirect2ssl html

User · Answer

I m going to throw my two cents in  IF you have access to IIS server side  then you can force HTTPS by use of the protocol bindings  For example  you have a website called Blah  In IIS you d setup two sites  Blah  and Blah  Redirect   For Blah only configure the HTTPS binding  and FTP if you need to  make sure to force it over a secure connection as well   For Blah  Redirect  only configure the HTTP binding  Lastly  in the HTTP Redirect section for Blah  Redirect  make sure to set a 301 redirect to https   blah com  with exact destination enabled  Make sure that each site in IIS is pointing to it s own root folder otherwise the Web config will get all screwed up  Also make sure to have HSTS configured on your HTTPSed site so that subsequent requests by the browser are always forced to HTTPS and no redirects occur

User · Answer

For  Joe above   This is giving me a redirect loop  Before I added the code it worked fine  Any suggestions      Joe Nov 8  11 at 4 13   This was happening to me as well and what I believe was happening is that there was a load balancer terminating the SSL request in front of the Web server   So  my Web site was always thinking the request was  http   even if the original browser requested it to be  https    I admit this is a bit hacky  but what worked for me was to implement a  JustRedirected  property that I could leverage to figure out the person was already redirected once   So  I test for specific conditions that warrant the redirect and  if they are met  I set this property  value stored in session  prior to the redirection   Even if the http https conditions for redirection are met the second time  I bypass the redirection logic and reset the  JustRedirected  session value to false   You ll need your own conditional test logic  but here s a simple implementation of the property       public bool JustRedirected               get                       if  Session RosadaConst JUSTREDIRECTED     null                  return false               return  bool Session RosadaConst JUSTREDIRECTED                     set                       Session RosadaConst JUSTREDIRECTED    value

User · Answer

I spent sometime looking for best practice that make sense and found the following which worked perfected for me  I hope this will save you sometime    Using Config file  for example an asp net website  https   blogs msdn microsoft com kaushal 2013 05 22 http-to-https-redirects-on-iis-7-x-and-higher   or on your own server https   www sslshopper com iis7-redirect-http-to-https html   SHORT ANSWER  Simply The code below goes inside     lt system webServer gt     lt rewrite gt        lt rules gt          lt rule name  HTTP S to HTTPS Redirect  enabled  true              stopProcessing  true  gt          lt match url          gt           lt conditions logicalGrouping  MatchAny  gt           lt add input   SERVER PORT SECURE   pattern   0     gt          lt  conditions gt          lt action type  Redirect  url  https    HTTP HOST  REQUEST URI            redirectType  Permanent    gt           lt  rule gt          lt  rules gt    lt  rewrite gt

User · Answer

Please use HSTS  HTTP Strict Transport Security   from http   www hanselman com blog HowToEnableHTTPStrictTransportSecurityHSTSInIIS7 aspx   lt  xml version  1 0  encoding  UTF-8   gt   lt configuration gt       lt system webServer gt           lt rewrite gt               lt rules gt                   lt rule name  HTTP to HTTPS redirect  stopProcessing  true  gt                       lt match url          gt                       lt conditions gt                           lt add input   HTTPS   pattern  off  ignoreCase  true    gt                       lt  conditions gt                       lt action type  Redirect  url  https    HTTP HOST   R 1                           redirectType  Permanent    gt                   lt  rule gt               lt  rules gt               lt outboundRules gt                   lt rule name  Add Strict-Transport-Security when HTTPS  enabled  true  gt                       lt match serverVariable  RESPONSE Strict Transport Security                          pattern        gt                       lt conditions gt                           lt add input   HTTPS   pattern  on  ignoreCase  true    gt                       lt  conditions gt                       lt action type  Rewrite  value  max-age 31536000    gt                   lt  rule gt               lt  outboundRules gt           lt  rewrite gt       lt  system webServer gt   lt  configuration gt    Original Answer  replaced with the above on 4 December 2015   basically  protected void Application BeginRequest Object sender  EventArgs e       if  HttpContext Current Request IsSecureConnection Equals false   amp  amp  HttpContext Current Request IsLocal Equals false            Response Redirect  https       Request ServerVariables  HTTP HOST       HttpContext Current Request RawUrl            that would go in the global asax cs  or global asax vb   i dont know of a way to specify it in the web config

User · Answer

If you are using ASP NET Core you could try out the nuget package SaidOut AspNetCore HttpsWithStrictTransportSecurity   Then you only need to add   app UseHttpsWithHsts HttpsMode AllowedRedirectForGet  configureRoutes  routeAction     This will also add HTTP StrictTransportSecurity header to all request made using https scheme   Example code and documentation https   github com saidout saidout-aspnetcore-httpswithstricttransportsecurity example-code

User · Answer

What you need to do is    1  Add a key inside  of web config  depending upon the production or stage server like below   lt add key  HttpsServer  value  stage   gt               or  lt add key  HttpsServer  value  prod   gt    2  Inside your Global asax file add below method   void Application BeginRequest Object sender  EventArgs e          if  ConfigurationManager AppSettings  HttpsServer   ToString       prod       if  ConfigurationManager AppSettings  HttpsServer   ToString       stage                 if   HttpContext Current Request IsSecureConnection                        if   Request Url GetLeftPart UriPartial Authority  Contains  www                                  HttpContext Current Response Redirect                      Request Url GetLeftPart UriPartial Authority  Replace  http       https   www     true                             else                               HttpContext Current Response Redirect                      Request Url GetLeftPart UriPartial Authority  Replace  http       https       true

User · Answer

In IIS10  Windows 10 and Server 2016   from version 1709 onwards  there is a new  simpler option for enabling HSTS for a website    Microsoft describe the advantages of the new approach here  and provide many different examples of how to implement the change programmatically or by directly editing the ApplicationHost config file  which is like web config but operates at the IIS level  rather than individual site level   ApplicationHost config can be found in C  Windows System32 inetsrv config   I ve outlined two of the example methods here to avoid link rot   Method 1 - Edit the ApplicationHost config file directly Between the  lt site gt  tags  add this line    lt hsts enabled  true  max-age  31536000  includeSubDomains  true  redirectHttpToHttps  true    gt    Method 2 - Command Line  Execute the following from an elevated command prompt  i e  right mouse on CMD and run as administrator   Remember to swap Contoso with the name of your site as it appears in IIS Manager   c  cd C  WINDOWS system32 inetsrv  appcmd exe set config -section system applicationHost sites    name  Contoso   hsts enabled True   commit apphost appcmd exe set config -section system applicationHost sites    name  Contoso   hsts max-age 31536000   commit apphost appcmd exe set config -section system applicationHost sites    name  Contoso   hsts includeSubDomains True   commit apphost appcmd exe set config -section system applicationHost sites    name  Contoso   hsts redirectHttpToHttps True   commit apphost   The other methods Microsoft offer in that articles might be better options if you are on a hosted environment where you have limited access   Keep in mind that IIS10 version 1709 is available on Windows 10 now  but for Windows Server 2016 it is on a different release track  and won t be released as a patch or service pack   See here for details about 1709

User · Answer

If you are unable to set this up in IIS for whatever reason  I d make an HTTP module that does the redirect for you   using System  using System Web   namespace HttpsOnly            lt summary gt          Redirects the Request to HTTPS if it comes in on an insecure channel           lt  summary gt      public class HttpsOnlyModule   IHttpModule               public void Init HttpApplication app                           Note we cannot trust IsSecureConnection when                 in a webfarm  because usually only the load balancer                 will come in on a secure port the request will be then                 internally redirected to local machine on a specified port                  Move this to a config file  if your behind a farm                  set this to the local port used internally              int specialPort   443               if   app Context Request IsSecureConnection                    app Context Request Url Port    specialPort                               app Context Response Redirect  https                          app Context Request ServerVariables  HTTP HOST                        app Context Request RawUrl                                        public void Dispose                            Needed for IHttpModule                     Then just compile it to a DLL  add it as a reference to your project and place this in web config     lt httpModules gt         lt add name  HttpsOnlyModule  type  HttpsOnly HttpsOnlyModule  HttpsOnly    gt    lt  httpModules gt

User · Answer

If SSL support is not configurable in your site  ie  should be able to turn https on off  - you can use the  RequireHttps  attribute on any controller   controller action you wish to secure

[c#] Best way in asp.net to force https for an entire site?

Examples related to c#

Examples related to asp.net

Examples related to vb.net

Examples related to webforms

Examples related to https