AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

---
title: Enforcing SSL in an ASP.NET Core app
author: rick-anderson
description: Shows how to require SSL in a web app and how to set IIS Express to use SSL
keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express
ms.author: riande
manager: wpickett
ms.date: 03/19/2017
ms.topic: article
ms.assetid: 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/enforcing-ssl
---
# Enforcing SSL in an ASP.NET Core app

This document shows how to:

- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.
- Set up IIS Express to use SSL/HTTPS.

## Require SSL

The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:

Add the following code to `ConfigureServices` in `Startup`:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]

The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)]

See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.

Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the `[RequireHttps]` to controllers has the drawback that you're not guaranteed new controllers added to you project will get this protection.

## Set up IIS Express for SSL/HTTPS

   * In Solution Explorer, right click the project and select **Properties**.
   * On the left pane, select **Debug**.
   * Check **Enable SSL**
   * Copy the SSL URL and paste it into the **App URL**

![Debug tab of web application properties](enforcing-ssl/_static/ssl.png)
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
remove \| MS Docs (#3612) 2017-07-01 07:47:15 +08:00			`title: Enforcing SSL in an ASP.NET Core app`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`description: Shows how to require SSL in a web app and how to set IIS Express to use SSL`
			`keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.author: riande`
			`manager: wpickett`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`ms.date: 03/19/2017`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.topic: article`
			`ms.assetid: 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5`
title + meta on technology 2016-11-17 08:24:57 +08:00			`ms.technology: aspnet`
Bulk metadata fix (#2871) * meta data fix * Revert "meta data fix" This reverts commit ba3688347667594a0967b08196cbb5308500a217. * meta data fix2 * test * Update owin-oauth-20-authorization-server.md * Update api-ref.md * Update api-ref.md * test * test2 2017-03-03 08:50:36 +08:00			`ms.prod: asp.net-core`
Add docfx content 2016-10-29 01:35:15 +08:00			`uid: security/enforcing-ssl`
			`---`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`# Enforcing SSL in an ASP.NET Core app`
Add docfx content 2016-10-29 01:35:15 +08:00
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`This document shows how to:`

			`- Require SSL for all requests (HTTPS requests only).`
			`- Redirect all HTTP requests to HTTPS.`
			`- Set up IIS Express to use SSL/HTTPS.`

			`## Require SSL`

			`The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:`

			Add the following code to `ConfigureServices` in `Startup`:

			`[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]`

			The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

			`[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)]`

			`See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.`

			Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the `[RequireHttps]` to controllers has the drawback that you're not guaranteed new controllers added to you project will get this protection.

			`## Set up IIS Express for SSL/HTTPS`

			`* In Solution Explorer, right click the project and select Properties.`
			`* On the left pane, select Debug.`
			`* Check Enable SSL`
			`* Copy the SSL URL and paste it into the App URL`

			`![Debug tab of web application properties](enforcing-ssl/_static/ssl.png)`