---
title: Enforcing SSL in an ASP.NET Core app
author: rick-anderson
description: Shows how to require SSL in a ASP.NET Core web app
keywords: ASP.NET Core,SSL,HTTPS,RequireHttpsAttribute,IIS Express
ms.author: riande
manager: wpickett
ms.date: 07/19/2017
ms.topic: article
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/enforcing-ssl
---
# Enforcing SSL in an ASP.NET Core app

By [Rick Anderson](https://twitter.com/RickAndMSFT)

This document shows how to:

- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.

## Require SSL

The [RequireHttpsAttribute](https://docs.microsoft.com/aspnet/core/api/microsoft.aspnetcore.mvc.requirehttpsattribute) is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:

Add the following code to `ConfigureServices` in `Startup`:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet2&highlight=4-)]

The highlighted code above requires all requests use `HTTPS`, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharp[Main](authentication/accconfirm/sample/WebApp1/Startup.cs?name=snippet_AddRedirectToHttps&highlight=7-)]

See [URL Rewriting Middleware](xref:fundamentals/url-rewriting) for more information.

Requiring HTTPS globally (`options.Filters.Add(new RequireHttpsAttribute());`) is a security best practice. Applying the 
`[RequireHttps]` attribute to all controller is not considered as secure as requiring HTTPS globally. You can't guarantee new controllers added to your app will remember to apply the `[RequireHttps]` attribute.