Enforcing SSL #135

Closed
danroth27 opened this issue Apr 21, 2015 · 11 comments · Fixed by #3000

@danroth27
Member

ASP.NET MVC -> Security -> Enforcing SSL

danroth27 added this to the 1.0.0-rc2 milestone Dec 15, 2015
danroth27 added the mvc label Dec 15, 2015
danroth27 added the Pri1 (High priority, do before Pri2 and Pri3) label Feb 16, 2016
@jak-hammond

This is how I'm currently implementing an enforcement of SSL, registering it as a piece of middleware. Granted I could probably improve things by stripping out the searching for localhost and instead use the new environment variables, but sometimes in production I will need to check on the local server and this prevents the SSL cert warnings, minor point so might be safer to move to environment variables.

public async Task Invoke(HttpContext context)
{
    var req = context.Request;
    var portDelim = req.Host.ToUriComponent().IndexOf(":", StringComparison.OrdinalIgnoreCase);
    var host = portDelim != -1 ? req.Host.ToUriComponent().Substring(0, portDelim) : req.Host.ToUriComponent();
    if (req.IsHttps || host.Equals("localhost", StringComparison.OrdinalIgnoreCase))
        await _next.Invoke(context);
    else
    {
        //If it's good enough for MS :)
        //https://github.com/aspnet/Mvc/blob/046cb976b3e899052a95387b72ea4bee6987bff0/src/Microsoft.AspNet.Mvc.Core/RequireHttpsAttribute.cs
        var newUrl = string.Concat(
            "https://",
            req.Host.ToUriComponent(),
            req.PathBase.ToUriComponent(),
            req.Path.ToUriComponent(),
            req.QueryString.ToUriComponent());
        context.Response.Redirect(newUrl, true);
    }
}

@Rick-Anderson
Contributor

@Jak893 if you just want to enforce SSL for your MVC app, you can do that in Startup.ConfigureServices

        services.Configure<MvcOptions>(options =>
        {
            options.Filters.Add(new HttpsRequiredAttribute());
        });

danroth27 added the TOC label May 19, 2016
danroth27 modified the milestones: 1.0.0-rc2, 1.0.0 May 22, 2016
@westonpace

@Rick-Anderson That solution works great. For users of 1.0.0 onwards it is now...

        services.Configure<MvcOptions>(options => {
            options.Filters.Add(new RequireHttpsAttribute());
        });

@clement911

that won't force https for static files though

@Rick-Anderson
Contributor

@danroth27 any suggestions for forcing SSL on static files?

@clement911

Actually I guess redirection at the mvc level might be sufficient since static files should get requested using the same base url as the page itself...
I'm using
services.AddMvc(options => { options.Filters.Add(new RequireHttpsAttribute()); });
but the problem is that it redirects to https:// (so the default port 443) even though my dev environment has an SSL port of 44372
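
An added example (not code from this thread or from the ASP.NET project) covering the two gaps raised above: the redirect is registered as middleware ahead of `UseStaticFiles`, so static files are covered, and the SSL port is configurable. `UseHttpsRedirect` is a hypothetical helper name, and the API names assume ASP.NET Core 2.x.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class HttpsRedirectExtensions
{
    // Hypothetical helper, not a framework API. sslPort is null for the default 443.
    public static IApplicationBuilder UseHttpsRedirect(this IApplicationBuilder app, int? sslPort)
    {
        return app.Use(async (context, next) =>
        {
            var req = context.Request;
            if (req.IsHttps)
            {
                await next();
                return;
            }
            // No exemption keyed on the Host header (e.g. "localhost"): that value
            // is supplied by the client. Only the port is replaced.
            var host = sslPort.HasValue
                ? new HostString(req.Host.Host, sslPort.Value)
                : new HostString(req.Host.Host);

            var target = string.Concat(
                "https://",
                host.ToUriComponent(),
                req.PathBase.ToUriComponent(),
                req.Path.ToUriComponent(),
                req.QueryString.ToUriComponent());

            // Temporary redirect, so a wrong port is not cached by the browser.
            context.Response.Redirect(target, permanent: false);
        });
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services) => services.AddMvc();

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // 44372 is the development SSL port quoted in the thread; production uses 443.
        app.UseHttpsRedirect(env.IsDevelopment() ? 44372 : (int?)null);
        app.UseStaticFiles(); // registered after the redirect, so static files are covered
        app.UseMvc();
    }
}
```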

@Rick-Anderson
Contributor

localhost/IIS Express SSL will use 443xx and that all works fine with the code above. I've been using this approach for years.

tdykstra modified the milestones: Backlog, 1.0.0 Dec 5, 2016
@danroth27
Member Author

We think we will handle this as part of #977

@webzest

webzest commented Feb 5, 2017

There is a very easy solution to set up Visual Studio 2017 RC2 to run on HTTPS.

  1. In the Solution Explorer, right-click on your project's name and select Properties.
    1a. Click on the Debug area and click on the Enable SSL check box.
    1b. Make a note of the SSL Port, in my case, it was listed as 44390.

  2. Open your Startup.cs file, navigate to ConfigureServices and add the following:

            // Make sure this block of code is added below your services.AddMvc();
            services.Configure<MvcOptions>(options =>
            {
                options.SslPort = 44390;
                options.Filters.Add(new RequireHttpsAttribute());
            });

  3. Open your HomeController cs file and add [RequireHttps] right above the class declaration section:

    namespace MyWorldTravel.Controllers
    {
        [RequireHttps]
        public class HomeController : Controller
        {
            // ... controller actions ...
        }
    }

  4. Launch your application. It should always launch under HTTPS. This works in development and you might have to install the certificate at the outset. Remember to update the URL when you move to production.

@danroth27
Member Author

@danroth27
Member Author

Actually, it would be better to pull this content out as another article and just link to it.
