AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

---
title: Enforce HTTPS in an ASP.NET Core
author: rick-anderson
description: Shows how to require HTTPS/TLS in a ASP.NET Core web app.
manager: wpickett
ms.author: riande
ms.date: 2/9/2018
ms.prod: asp.net-core
ms.technology: aspnet
ms.topic: article
uid: security/enforcing-ssl
---
# Enforce HTTPS in an ASP.NET Core

By [Rick Anderson](https://twitter.com/RickAndMSFT)

This document shows how to:

- Require HTTPS for all requests.
- Redirect all HTTP requests to HTTPS.

> [!WARNING]
> Do **not** use `RequireHttpsAttribute` on Web APIs that receive sensitive information. `RequireHttpsAttribute` uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP. Web APIs should either:
>
>* Not listen on HTTP.
>* Close the connection with status code 400 (Bad Request) and not serve the request.

## Require HTTPS

The [RequireHttpsAttribute](/dotnet/api/Microsoft.AspNetCore.Mvc.RequireHttpsAttribute) is used to require HTTPS. `[RequireHttpsAttribute]` can decorate controllers or methods, or can be applied globally. To apply the attribute globally, add the following code to `ConfigureServices` in `Startup`:

[!code-csharp[](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-999)]

The preceding highlighted code requires all requests use `HTTPS`; therefore, HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharp[](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=7-999)]

For more information, see [URL Rewriting Middleware](xref:fundamentals/url-rewriting).

Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the
`[RequireHttps]` attribute to all controllers/Razor Pages isn't considered as secure as requiring HTTPS globally. You can't guarantee the `[RequireHttps]` attribute is applied when new controllers and Razor Pages are added.
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
Title, description, and H1 updates (4) (#5745) * Title, description, and H1 updates (4) * Updates * Updates * Drop gerunds and update link text * Update * Update next.md * Update routing.md 2018-03-22 08:18:35 +08:00			`title: Enforce HTTPS in an ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`description: Shows how to require HTTPS/TLS in a ASP.NET Core web app.`
Add docfx content 2016-10-29 01:35:15 +08:00			`manager: wpickett`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.author: riande`
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`ms.date: 2/9/2018`
Bulk metadata fix (#2871) * meta data fix * Revert "meta data fix" This reverts commit ba3688347667594a0967b08196cbb5308500a217. * meta data fix2 * test * Update owin-oauth-20-authorization-server.md * Update api-ref.md * Update api-ref.md * test * test2 2017-03-03 08:50:36 +08:00			`ms.prod: asp.net-core`
Organize metadata (#5296) Updates 2018-01-29 23:21:31 +08:00			`ms.technology: aspnet`
			`ms.topic: article`
Add docfx content 2016-10-29 01:35:15 +08:00			`uid: security/enforcing-ssl`
			`---`
Title, description, and H1 updates (4) (#5745) * Title, description, and H1 updates (4) * Updates * Updates * Drop gerunds and update link text * Update * Update next.md * Update routing.md 2018-03-22 08:18:35 +08:00			`# Enforce HTTPS in an ASP.NET Core`
Add docfx content 2016-10-29 01:35:15 +08:00
Update enforcing-ssl.md 2017-07-19 06:01:43 +08:00			`By [Rick Anderson](https://twitter.com/RickAndMSFT)`

move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`This document shows how to:`

warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`- Require HTTPS for all requests.`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`- Redirect all HTTP requests to HTTPS.`

warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`> [!WARNING]`
			> Do not use `RequireHttpsAttribute` on Web APIs that receive sensitive information. `RequireHttpsAttribute` uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP. Web APIs should either:
			`>`
			`>* Not listen on HTTP.`
			`>* Close the connection with status code 400 (Bad Request) and not serve the request.`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`## Require HTTPS`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			The [RequireHttpsAttribute](/dotnet/api/Microsoft.AspNetCore.Mvc.RequireHttpsAttribute) is used to require HTTPS. `[RequireHttpsAttribute]` can decorate controllers or methods, or can be applied globally. To apply the attribute globally, add the following code to `ConfigureServices` in `Startup`:
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
Drop [Main] from snippet references (#5547) 2018-02-25 00:08:11 +08:00			`[!code-csharp[](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-999)]`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			The preceding highlighted code requires all requests use `HTTPS`; therefore, HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
Drop [Main] from snippet references (#5547) 2018-02-25 00:08:11 +08:00			`[!code-csharp[](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=7-999)]`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			`For more information, see [URL Rewriting Middleware](xref:fundamentals/url-rewriting).`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
warn about RequireHttpsAttribute with Web APIs (#5381) * warn about RequireHttpsAttribute with Web APIs * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * luke feedback * react 2 blowdart * react 2 blowdart 2018-02-08 06:26:29 +08:00			Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the
Title, description, and H1 updates (4) (#5745) * Title, description, and H1 updates (4) * Updates * Updates * Drop gerunds and update link text * Update * Update next.md * Update routing.md 2018-03-22 08:18:35 +08:00			`[RequireHttps]` attribute to all controllers/Razor Pages isn't considered as secure as requiring HTTPS globally. You can't guarantee the `[RequireHttps]` attribute is applied when new controllers and Razor Pages are added.