AspNetCore.Docs/aspnetcore/security/enforcing-ssl.md

  • title: Enforcing SSL in an ASP.NET Core app
  • author: rick-anderson
  • description: Shows how to require SSL in a web app and how to set IIS Express to use SSL
  • keywords: ASP.NET Core, SSL, HTTPS, RequireHttpsAttribute, IIS Express
  • ms.author: riande
  • manager: wpickett
  • ms.date: 03/19/2017
  • ms.topic: article
  • ms.assetid: 4694e563-e91a-4ecd-b7ed-00b3f1eee2b5
  • ms.technology: aspnet
  • ms.prod: asp.net-core
  • uid: security/enforcing-ssl

Enforcing SSL in an ASP.NET Core app

This document shows how to:

  • Require SSL for all requests (HTTPS requests only).
  • Redirect all HTTP requests to HTTPS.
  • Set up IIS Express to use SSL/HTTPS.

Require SSL

The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute, or you can apply it globally as shown below:

Add the following code to ConfigureServices in Startup:

[!code-csharpMain]

The highlighted code above requires that all requests use HTTPS; therefore, HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

[!code-csharpMain]

See URL Rewriting Middleware for more information.

Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the [RequireHttps] attribute to individual controllers has the drawback that new controllers added to your project are not guaranteed to get this protection.
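The two code samples referenced above are not reproduced on this page. The following Startup class is an added example, not the original sample code, that combines the global RequireHttpsAttribute filter with the URL Rewriting Middleware redirect. The class layout and the AddMvc and UseMvcWithDefaultRoute calls are assumptions about the surrounding app, and the Microsoft.AspNetCore.Rewrite package must be referenced.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Rewrite;
using Microsoft.Extensions.DependencyInjection;

// Added example: minimal Startup assumed for illustration.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Global filter: every MVC controller and action requires HTTPS,
        // including controllers added to the project later.
        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new RequireHttpsAttribute());
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // URL Rewriting Middleware: redirect HTTP requests to HTTPS.
        // Registered before MVC so the redirect happens ahead of routing.
        var options = new RewriteOptions()
            .AddRedirectToHttps();

        app.UseRewriter(options);

        app.UseMvcWithDefaultRoute();
    }
}
```

The filter only covers requests handled by MVC, while the rewrite middleware applies to every request that passes through it in the pipeline, which is why its position before UseMvcWithDefaultRoute matters.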

Set up IIS Express for SSL/HTTPS

  • In Solution Explorer, right-click the project and select Properties.
  • On the left pane, select Debug.
  • Check Enable SSL.
  • Copy the SSL URL and paste it into the App URL.

Debug tab of web application properties