From 71273173e398b35cf9d12fc701e8cf35127471e9 Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Tue, 18 May 2021 12:14:51 +1000 Subject: [PATCH] Show how to disable HTTP (#22298) --- aspnetcore/security/enforcing-ssl.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index 9edaf4c2b9..75f8bef401 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md @@ -29,6 +29,8 @@ No API can prevent a client from sending sensitive data on the first request. > * Not listen on HTTP. > * Close the connection with status code 400 (Bad Request) and not serve the request. > +> To disable HTTP redirection in an API, set the `ASPNETCORE_URLS` environment variable or use the `--urls` command line flag. For more information, see and [5 ways to set the URLs for an ASP.NET Core app](https://andrewlock.net/5-ways-to-set-the-urls-for-an-aspnetcore-app/) by Andrew Lock. +> > ## HSTS and API projects > > The default API projects don't include [HSTS](#hsts) because HSTS is generally a browser only instruction. Other callers, such as phone or desktop apps, do **not** obey the instruction. Even within browsers, a single authenticated call to an API over HTTP has risks on insecure networks. The secure approach is to configure API projects to only listen to and respond over HTTPS.
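Review bot: The added sentence in the hunk reads "For more information, see and [5 ways to set the URLs ...]", which is missing the first link target after "see" (a dropped xref or an extra "and"); either restore the intended reference or change it to "For more information, see [5 ways to set the URLs for an ASP.NET Core app]...". Also, "To disable HTTP redirection in an API" does not match what the sentence describes or the bullet it follows ("Not listen on HTTP"): `ASPNETCORE_URLS` and `--urls` control which addresses the server listens on, while redirection is a separate middleware concern, so stating it as "To stop listening on HTTP, set `ASPNETCORE_URLS` (or `--urls`) to HTTPS-only addresses" would avoid readers concluding that setting the URLs alone turns off the redirect, or that disabling the redirect is what closes the insecure endpoint.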