diff --git a/aspnetcore/security/authentication/accconfirm.md b/aspnetcore/security/authentication/accconfirm.md index 21c6814d8b..0921cd42f3 100644 --- a/aspnetcore/security/authentication/accconfirm.md +++ b/aspnetcore/security/authentication/accconfirm.md @@ -42,26 +42,10 @@ Note the `EmailConfirmed` field is `False`. You might want to use this email again in the next step when the app sends a confirmation email. Right-click on the row and select **Delete**. Deleting the email alias now will make it easier in the following steps. -## Require SSL -In this section we'll set up and require SSL in our project. +## Require SSL and setup IIS Express for SSL - * In Solution Explorer, right click the project and select **Properties**. - * On the left pane, select **Debug**. - * Check **Enable SSL** - * Copy the SSL URL and paste it into the **App URL** - -![Debug tab of web application properties](accconfirm/_static/ssl.png) - -* Add the following code to `ConfigureServices` in `Startup`: - -[!code-csharp[Main](accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)] - -The highlighted code above requires all requests to the app use `HTTPS`. HTTP requests will be ignored. The following highlighted code redirects all HTTP requests to HTTPS: - -[!code-csharp[Main](accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)] - -See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information. +See [Enforcing SSL](xref:security/enforcing-ssl). ## Require email confirmation diff --git a/aspnetcore/security/authentication/accconfirm/sample/WebApp1/Startup.cs b/aspnetcore/security/authentication/accconfirm/sample/WebApp1/Startup.cs index 5e73dc5008..8fcf05aee4 100644 --- a/aspnetcore/security/authentication/accconfirm/sample/WebApp1/Startup.cs +++ b/aspnetcore/security/authentication/accconfirm/sample/WebApp1/Startup.cs 
@@ -35,6 +35,8 @@ namespace WebApp1 public IConfigurationRoot Configuration { get; } // This method gets called by the runtime. Use this method to add services to the container. + // The snippets in here are used by aspnetcore/security/enforcing-ssl.md + // Any changes to this file should be checked against that doc. #region snippet1 #region snippet2 // Requires using Microsoft.AspNetCore.Mvc; diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index 9d5f95af34..cd0678717c 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md 
@@ -1,18 +1,46 @@ --- -title: 🔧 Enforcing SSL | Microsoft Docs +title: Enforcing SSL in an ASP.NET Core app | Microsoft Docs author: rick-anderson -description: -keywords: ASP.NET Core, +description: Shows how to require SSL in a web app and how to set IIS Express to use SSL +keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express ms.author: riande manager: wpickett -ms.date: 10/14/2016 +ms.date: 03/19/2017 ms.topic: article ms.assetid: 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5 ms.technology: aspnet ms.prod: asp.net-core uid: security/enforcing-ssl --- -# 🔧 Enforcing SSL +# Enforcing SSL in an ASP.NET Core app -> [!NOTE] -> We are currently working on this topic.We welcome your input to help shape the scope and approach. You can track the status and provide input on this [issue](https://github.com/aspnet/Docs/issues/135) at GitHub.If you would like to review early drafts and outlines of this topic, please leave a note with your contact information in the [issue](https://github.com/aspnet/Docs/issues/135).Learn more about how you can [contribute](https://github.com/aspnet/Docs/blob/master/CONTRIBUTING.md) on GitHub. +This document shows how to: + +- Require SSL for all requests (HTTPS requests only). +- Redirect all HTTP requests to HTTPS. +- Set up IIS Express to use SSL/HTTPS. + +## Require SSL + +The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below: + +Add the following code to `ConfigureServices` in `Startup`: + +[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)] + +The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. 
The following highlighted code redirects all HTTP requests to HTTPS: + +[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=6-)] + +See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information. + +Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the `[RequireHttps]` to controllers has the drawback that you're not guaranteed new controllers added to you project will get this protection. + +## Set up IIS Express for SSL/HTTPS + + * In Solution Explorer, right click the project and select **Properties**. + * On the left pane, select **Debug**. + * Check **Enable SSL** + * Copy the SSL URL and paste it into the **App URL** + +![Debug tab of web application properties](enforcing-ssl/_static/ssl.png) \ No newline at end of file diff --git a/aspnetcore/security/authentication/accconfirm/_static/ssl.png b/aspnetcore/security/enforcing-ssl/_static/ssl.png similarity index 100% rename from aspnetcore/security/authentication/accconfirm/_static/ssl.png rename to aspnetcore/security/enforcing-ssl/_static/ssl.png diff --git a/aspnetcore/security/toc.md b/aspnetcore/security/toc.md index 40ea9bdc75..9978812e5c 100644 --- a/aspnetcore/security/toc.md +++ b/aspnetcore/security/toc.md @@ -1,9 +1,9 @@ # [Authentication](authentication/toc.md) # [Authorization](authorization/toc.md) # [Data Protection](data-protection/toc.md) +# [Enforcing SSL](enforcing-ssl.md) # [Safe storage of app secrets during development](app-secrets.md) # [Azure Key Vault configuration provider](key-vault-configuration.md) -# [🔧 Enforcing SSL](enforcing-ssl.md) # [🔧 Anti-Request Forgery](anti-request-forgery.md) # [🔧 Preventing Open Redirect Attacks](open-redirect.md) # [Preventing Cross-Site Scripting](cross-site-scripting.md)
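Review bot: in the accconfirm.md hunk the replacement heading `## Require SSL and setup IIS Express for SSL` should use the verb form `set up`, and because the original `## Require SSL` heading is deleted, any existing deep links to that anchor break while the section now only contains a one-line pointer; keeping `## Require SSL` as the heading and placing `See [Enforcing SSL](xref:security/enforcing-ssl).` under it preserves the anchor and reads more naturally, since the IIS Express setup is covered by the linked topic anyway.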
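Review bot: the comment added to Startup.cs names only `aspnetcore/security/enforcing-ssl.md`, but the file stays in the `authentication/accconfirm/sample` tree, so the snippet regions (`snippet1`, `snippet2`, `snippet_AddRedirectToHttps`) are now a shared dependency of two topics and an edit to either region can silently break the other doc's `[!code-csharp]` include; name both consuming docs in the comment, e.g. `// The snippet regions in this file are referenced by accconfirm.md and enforcing-ssl.md; check both docs when changing them.`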
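Review bot: in the enforcing-ssl.md hunk the sentence `The highlighted code above requires all requests use HTTPS, therefore HTTP requests are ignored.` is imprecise and sits directly before `The following highlighted code redirects all HTTP requests to HTTPS:`, so a reader cannot tell which component is responding to a plain-HTTP request or what the client receives from the filter alone; state the filter's actual behaviour for an HTTP request instead of `ignored`, and say explicitly that the URL-rewriting redirect is a separate, additional step. Also fix `Applying the [RequireHttps] to controllers ... added to you project` to `Applying [RequireHttps] to controllers ... added to your project`, indent the four IIS Express bullets consistently (the hunk mixes ` * ` and `* ` across this file and accconfirm.md), and add the missing trailing newline flagged by `\ No newline at end of file`.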