AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

title	author	description	keywords	ms.author	manager	ms.date	ms.topic	ms.assetid	ms.technology	ms.prod	uid
Enforcing SSL in an ASP.NET Core app | Microsoft Docs	rick-anderson	Shows how to require SSL in a web app and how to set IIS Express to use SSL	ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express	riande	wpickett	03/19/2017	article	4694e563-e91a-4ecd-b7ed-00b3f1eee2b5	aspnet	asp.net-core	security/enforcing-ssl

Enforcing SSL in an ASP.NET Core app

This document shows how to:

• Require SSL for all requests (HTTPS requests only).
• Redirect all HTTP requests to HTTPS.
• Set up IIS Express to use SSL/HTTPS.

Require SSL

The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:

Add the following code to ConfigureServices in Startup:

[!code-csharpMain]

The highlighted code above requires all requests use HTTPS, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharpMain]

See URL Rewriting Middleware for more information.

Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the [RequireHttps] to controllers has the drawback that you're not guaranteed new controllers added to you project will get this protection.

Set up IIS Express for SSL/HTTPS

• In Solution Explorer, right click the project and select Properties.
• On the left pane, select Debug.
• Check Enable SSL
• Copy the SSL URL and paste it into the App URL