AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

title: Enforcing SSL in an ASP.NET Core app
author: rick-anderson
description: Shows how to require SSL in an ASP.NET Core web app
keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express
ms.author: riande
manager: wpickett
ms.date: 07/19/2017
ms.topic: article
ms.technology: aspnet
ms.prod: asp.net-core
uid: security/enforcing-ssl

Enforcing SSL in an ASP.NET Core app

By Rick Anderson

This document shows how to:

  • Require SSL for all requests (HTTPS requests only).
  • Redirect all HTTP requests to HTTPS.

Require SSL

The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute, or you can apply it globally as shown below:

Add the following code to ConfigureServices in Startup:

[!code-csharpMain]

The highlighted code above requires all requests to use HTTPS; therefore, HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharpMain]

See URL Rewriting Middleware for more information.

Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the [RequireHttps] attribute to all controllers is not considered as secure as requiring HTTPS globally. You can't guarantee that the [RequireHttps] attribute will be applied when new controllers are added to your app.

Set up IIS Express for SSL/HTTPS

See Setting up HTTPS for development in ASP.NET Core.