1.7 KiB
| title | author | description | keywords | ms.author | manager | ms.date | ms.topic | ms.technology | ms.prod | uid |
|---|---|---|---|---|---|---|---|---|---|---|
| Enforcing SSL in an ASP.NET Core app | rick-anderson | Shows how to require SSL in a ASP.NET Core web app | ASP.NET Core,SSL,HTTPS,RequireHttpsAttribute,IIS Express | riande | wpickett | 07/19/2017 | article | aspnet | asp.net-core | security/enforcing-ssl |
Enforcing SSL in an ASP.NET Core app
This document shows how to:
- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.
Require SSL
The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:
Add the following code to ConfigureServices in Startup:
[!code-csharpMain]
The highlighted code above requires all requests use HTTPS, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:
[!code-csharpMain]
See URL Rewriting Middleware for more information.
Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the
[RequireHttps] attribute to all controller is not considered as secure as requiring HTTPS globally. You can't guarantee new controllers added to your app will remember to apply the [RequireHttps] attribute.