New doc: Require HTTPS on Web APIs #6233
Opening segment comes down to: Don't ever do this for anything that actually matters.
Do not use RequireHttpsAttribute on Web APIs that receive sensitive information
And (of course) does not give you a link on where to go find how to do this for things that actually matter.
@nbarbettini wrote a nice article on this topic.
I think what is missing from both articles is guidance or a link for how to configure IIS to force HTTPS only. If you don't, and you abort in the middleware or return a 400, it is too late: the "secret" data has already been transmitted in the clear.
UseHsts doesn't seem to be enough on its own either as it requires a browser to have seen the header before sensitive data is sent. This isn't helpful if your "client" is not a browser.
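The point raised in the comment above, as an added example that is not part of the original thread or of the ASP.NET Core docs: a plain-HTTP endpoint that answers every request with 400 still receives the client's `Authorization` header in cleartext, while a non-browser client that checks the scheme itself never sends it. The token, the `/api/values` path and the function names are constructed for this sketch, and Python sockets stand in for the server and client.

```python
import socket
import threading

TOKEN = "Bearer constructed-sample-token"  # constructed value, not a real credential

def rejecting_server(listener, wire):
    """Plain-HTTP endpoint that refuses every request with 400, like an
    HTTPS-only check running in middleware. `wire` records what arrived."""
    try:
        conn, _ = listener.accept()
    except OSError:          # accept timed out: no client ever connected
        return
    with conn:
        conn.settimeout(5)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        wire.append(data)    # already crossed the network unencrypted
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

def call_api(scheme, host, port, https_only):
    """Non-browser client. With https_only it refuses before connecting."""
    if https_only and scheme != "https":
        return None
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((f"GET /api/values HTTP/1.1\r\nHost: {host}\r\n"
                   f"Authorization: {TOKEN}\r\n\r\n").encode())
        return s.recv(4096).split(b"\r\n")[0].decode()

def run(https_only):
    """Return (client status line, bytes the server saw in cleartext)."""
    wire = []
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(0.5)
        t = threading.Thread(target=rejecting_server, args=(listener, wire))
        t.start()
        status = call_api("http", "127.0.0.1", listener.getsockname()[1], https_only)
        t.join()
    return status, b"".join(wire)

if __name__ == "__main__":
    print(run(https_only=False))  # 400, yet the token is in the captured bytes
    print(run(https_only=True))   # refused locally, nothing captured
```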