daohualiuxiang
/
AspNetCore.Docs
mirror of https://github.com/dotnet/AspNetCore.Docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move require SSL to it's own doc (#3000) 

* move require SSL to it's own doc

* td feedback
pull/3004/head
Rick Anderson 2017-03-17 15:27:18 -10:00 committed by GitHub
parent 54ea022321
commit 6d3767417a
5 changed files with 40 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
aspnetcore/security/authentication/accconfirm.md
View File

@ -42,26 +42,10 @@ Note the `EmailConfirmed` field is `False`.
You might want to use this email again in the next step when the app sends a confirmation email. Right-click on the row and select **Delete**. Deleting the email alias now will make it easier in the following steps.
## Require SSL
In this section we'll set up and require SSL in our project.
## Require SSL and setup IIS Express for SSL
* In Solution Explorer, right click the project and select **Properties**.
* On the left pane, select **Debug**.
* Check **Enable SSL**
* Copy the SSL URL and paste it into the **App URL**
![Debug tab of web application properties](accconfirm/_static/ssl.png)
* Add the following code to `ConfigureServices` in `Startup`:
[!code-csharp[Main](accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]
The highlighted code above requires all requests to the app use `HTTPS`. HTTP requests will be ignored. The following highlighted code redirects all HTTP requests to HTTPS:
[!code-csharp[Main](accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)]
See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.
See [Enforcing SSL](xref:security/enforcing-ssl).
## Require email confirmation

2
aspnetcore/security/authentication/accconfirm/sample/WebApp1/Startup.cs
View File

@ -35,6 +35,8 @@ namespace WebApp1
public IConfigurationRoot Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
// The snippets in here are used by aspnetcore/security/enforcing-ssl.md
// Any changes to this file should be checked against that doc.
#region snippet1
#region snippet2
// Requires using Microsoft.AspNetCore.Mvc;

42
aspnetcore/security/enforcing-ssl.md
View File

@ -1,18 +1,46 @@
---
title: 🔧 Enforcing SSL | Microsoft Docs
title: Enforcing SSL in an ASP.NET Core app | Microsoft Docs
author: rick-anderson
description:
keywords: ASP.NET Core,
description: Shows how to require SSL in a web app and how to set IIS Express to use SSL
keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express
ms.author: riande
manager: wpickett
ms.date: 10/14/2016
ms.date: 03/19/2017
ms.topic: article
ms.assetid: 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/enforcing-ssl
---
# 🔧 Enforcing SSL
# Enforcing SSL in an ASP.NET Core app
> [!NOTE]
> We are currently working on this topic.We welcome your input to help shape the scope and approach. You can track the status and provide input on this [issue](https://github.com/aspnet/Docs/issues/135) at GitHub.If you would like to review early drafts and outlines of this topic, please leave a note with your contact information in the [issue](https://github.com/aspnet/Docs/issues/135).Learn more about how you can [contribute](https://github.com/aspnet/Docs/blob/master/CONTRIBUTING.md) on GitHub.
This document shows how to:
- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.
- Set up IIS Express to use SSL/HTTPS.
## Require SSL
The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:
Add the following code to `ConfigureServices` in `Startup`:
[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]
The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:
[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)]
See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.
Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the `[RequireHttps]` to controllers has the drawback that you're not guaranteed new controllers added to you project will get this protection.
## Set up IIS Express for SSL/HTTPS
* In Solution Explorer, right click the project and select **Properties**.
* On the left pane, select **Debug**.
* Check **Enable SSL**
* Copy the SSL URL and paste it into the **App URL**
![Debug tab of web application properties](enforcing-ssl/_static/ssl.png)

0
aspnetcore/security/authentication/accconfirm/_static/ssl.png → aspnetcore/security/enforcing-ssl/_static/ssl.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 58 KiB

After

Width:  |  Height:  |  Size: 58 KiB

2
aspnetcore/security/toc.md
View File

@ -1,9 +1,9 @@
# [Authentication](authentication/toc.md)
# [Authorization](authorization/toc.md)
# [Data Protection](data-protection/toc.md)
# [Enforcing SSL](enforcing-ssl.md)
# [Safe storage of app secrets during development](app-secrets.md)
# [Azure Key Vault configuration provider](key-vault-configuration.md)
# [🔧 Enforcing SSL](enforcing-ssl.md)
# [🔧 Anti-Request Forgery](anti-request-forgery.md)
# [🔧 Preventing Open Redirect Attacks](open-redirect.md)
# [Preventing Cross-Site Scripting](cross-site-scripting.md)