AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

---
title: Enforcing SSL in an ASP.NET Core app
author: rick-anderson
description: Shows how to require SSL in a ASP.NET Core web app
ms.author: riande
manager: wpickett
ms.date: 07/19/2017
ms.topic: article
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/enforcing-ssl
---
# Enforcing SSL in an ASP.NET Core app

By [Rick Anderson](https://twitter.com/RickAndMSFT)

This document shows how to:

- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.

## Require SSL

The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:

Add the following code to `ConfigureServices` in `Startup`:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]

The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=7-)]

See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.

Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the 
`[RequireHttps]` attribute to all controller isn't considered as secure as requiring HTTPS globally. You can't guarantee new controllers added to your app will remember to apply the `[RequireHttps]` attribute.
Add docfx content 2016-10-29 01:35:15 +08:00			`---`
remove \| MS Docs (#3612) 2017-07-01 07:47:15 +08:00			`title: Enforcing SSL in an ASP.NET Core app`
Add docfx content 2016-10-29 01:35:15 +08:00			`author: rick-anderson`
Update enforcing-ssl.md (#3803) * Update enforcing-ssl.md * Update enforcing-ssl.md * work * work * work 2017-07-25 06:10:31 +08:00			`description: Shows how to require SSL in a ASP.NET Core web app`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.author: riande`
			`manager: wpickett`
Update enforcing-ssl.md (#3803) * Update enforcing-ssl.md * Update enforcing-ssl.md * work * work * work 2017-07-25 06:10:31 +08:00			`ms.date: 07/19/2017`
Add docfx content 2016-10-29 01:35:15 +08:00			`ms.topic: article`
title + meta on technology 2016-11-17 08:24:57 +08:00			`ms.technology: aspnet`
Bulk metadata fix (#2871) * meta data fix * Revert "meta data fix" This reverts commit ba3688347667594a0967b08196cbb5308500a217. * meta data fix2 * test * Update owin-oauth-20-authorization-server.md * Update api-ref.md * Update api-ref.md * test * test2 2017-03-03 08:50:36 +08:00			`ms.prod: asp.net-core`
Add docfx content 2016-10-29 01:35:15 +08:00			`uid: security/enforcing-ssl`
			`---`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`# Enforcing SSL in an ASP.NET Core app`
Add docfx content 2016-10-29 01:35:15 +08:00
Update enforcing-ssl.md 2017-07-19 06:01:43 +08:00			`By [Rick Anderson](https://twitter.com/RickAndMSFT)`

move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00			`This document shows how to:`

			`- Require SSL for all requests (HTTPS requests only).`
			`- Redirect all HTTP requests to HTTPS.`

			`## Require SSL`

			`The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:`

			Add the following code to `ConfigureServices` in `Startup`:

			`[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]`

			The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

Modified enforcing-ssl (#3837) * Modified enforcing-ssl - change hard to understand sentence - highlight line 7 (line 6 is an empty line) * Update enforcing-ssl.md 2017-07-28 08:18:38 +08:00			`[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=7-)]`
move require SSL to it's own doc (#3000) * move require SSL to it's own doc * td feedback 2017-03-18 09:27:18 +08:00
			`See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.`

Modified enforcing-ssl (#3837) * Modified enforcing-ssl - change hard to understand sentence - highlight line 7 (line 6 is an empty line) * Update enforcing-ssl.md 2017-07-28 08:18:38 +08:00			Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the
Taming the savage contraction issue (#5216) * Form contractions * Revert two contractions * Additional reversions * Additional reversions * Additional revisions * Additional revisions * React to feedback 2018-01-24 23:27:24 +08:00			`[RequireHttps]` attribute to all controller isn't considered as secure as requiring HTTPS globally. You can't guarantee new controllers added to your app will remember to apply the `[RequireHttps]` attribute.