title | author | description | keywords | ms.author | manager | ms.date | ms.topic | ms.assetid | ms.technology | ms.prod | uid |
---|---|---|---|---|---|---|---|---|---|---|---|
Enforcing SSL in an ASP.NET Core app | rick-anderson | Shows how to require SSL in a web app and how to set IIS Express to use SSL | ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express | riande | wpickett | 03/19/2017 | article | 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5 | aspnet | asp.net-core | security/enforcing-ssl |
Enforcing SSL in an ASP.NET Core app
This document shows how to:
- Require SSL for all requests (HTTPS requests only).
- Redirect all HTTP requests to HTTPS.
- Set up IIS Express to use SSL/HTTPS.
Require SSL
The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:
Add the following code to ConfigureServices in Startup:
[!code-csharpMain]
The highlighted code above requires all requests use HTTPS, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:
[!code-csharpMain]
See URL Rewriting Middleware for more information.
Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the [RequireHttps] attribute to individual controllers has the drawback that you're not guaranteed new controllers added to your project will get this protection.
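The following Startup class is an added example, not the sample this page includes, showing the global RequireHttpsAttribute filter together with the URL Rewriting Middleware redirect. It assumes an ASP.NET Core 1.x/2.x MVC project that references the Microsoft.AspNetCore.Rewrite and static files packages; the middleware order shown is this example's choice.

```csharp
// Added example: global HTTPS requirement plus HTTP-to-HTTPS redirect.
// Assumes references to Microsoft.AspNetCore.Mvc, Microsoft.AspNetCore.Rewrite
// and Microsoft.AspNetCore.StaticFiles.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Global filter: applied to every MVC action, including
            // controllers added later without a [RequireHttps] attribute.
            options.Filters.Add(new RequireHttpsAttribute());
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Register the redirect first so it runs before any other
        // middleware. MVC filters only see requests that reach an action,
        // so this also covers static files and other non-MVC endpoints.
        var rewriteOptions = new RewriteOptions()
            .AddRedirectToHttps();
        app.UseRewriter(rewriteOptions);

        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}
```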
Set up IIS Express for SSL/HTTPS
- In Solution Explorer, right click the project and select Properties.
- On the left pane, select Debug.
- Check Enable SSL.
- Copy the SSL URL and paste it into the App URL.