How do I ensure that my users can not physically type in http: to bypass my SSL and ensure that every page is https:?
Possibly a redirect on my master page?
Visitors to your website will be warned about the certificate's lack of validity in their browser. To secure your website with a self-signed certificate, you need to generate one first. To do so, go to Websites & Domains > your website > SSL/TLS Certificates > “Advanced Settings” and click Add SSL/TLS Certificate.
To check an SSL certificate on any website, all you need to do is follow two simple steps. First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate. Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.
More Secure – HTTPS or SSL: HTTPS and SSL are similar things but not the same. HTTPS is basically a standard Internet protocol that encrypts online data and is a more advanced and secure version of the HTTP protocol. SSL is the part of the HTTPS protocol that performs the encryption of the data.
In short: SSL keeps internet connections secure and prevents criminals from reading or modifying information transferred between two systems. When you see a padlock icon next to the URL in the address bar, that means SSL protects the website you are visiting.
This would generally be handled via IIS configuration or with an ISAPI filter, but if you want to do it in the application code, you could put something like this in the Page_Init event of your master page...
' Redirect plain-HTTP requests to the same URL over HTTPS
If Not Request.IsSecureConnection Then
    Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
End If
I would just redirect all http urls to https with a separate page, or use the "require secure channel" option on your IIS configuration, which will display an error if someone tries to access a non-https page.
Here's a site with a guide to redirecting the error page to the https URL of your site.
The following builds upon Josh Stodola's answer (IsSecureConnection) but uses the UriBuilder to change the scheme to https rather than a string replace. The benefit of this approach is that it won't change all the occurrences of "http" in the URL to "https".
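if (!Request.IsSecureConnection)
{
    // Change only the scheme; the rest of the URL is left untouched
    UriBuilder newUri = new UriBuilder(Request.Url);
    newUri.Scheme = Uri.UriSchemeHttps;
    // UriBuilder copies the request's port (80); -1 selects the scheme default,
    // otherwise the redirect would point at https://host:80/...
    newUri.Port = -1;
    Response.Redirect(newUri.Uri.AbsoluteUri);
}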
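The two redirect approaches in the answers above, compared on constructed URLs. This is an added example, not code from any of the posters; the ToHttps helper, its httpsPort parameter and the example.com URLs are assumptions made for illustration.

```csharp
using System;

static class HttpsRedirectDemo
{
    // Hypothetical helper: build the HTTPS equivalent of a request URL.
    static string ToHttps(Uri requestUrl, int httpsPort = 443)
    {
        var b = new UriBuilder(requestUrl)
        {
            Scheme = Uri.UriSchemeHttps,
            // UriBuilder copies the source port (80 for plain HTTP). -1 means
            // "default port for the scheme"; a non-standard port stays explicit.
            Port = httpsPort == 443 ? -1 : httpsPort
        };
        return b.Uri.AbsoluteUri;
    }

    static void Main()
    {
        // Constructed sample request URLs.
        var samples = new[]
        {
            new Uri("http://example.com/login.aspx?returnUrl=http://example.com/a"),
            new Uri("http://example.com:8080/default.aspx"),
        };

        foreach (var url in samples)
        {
            // String replace rewrites every "http://", including the one
            // inside the returnUrl query parameter.
            string replaced = url.AbsoluteUri.Replace("http://", "https://");

            // Changing only the scheme carries the original port over.
            var schemeOnly = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps };

            Console.WriteLine("request     : " + url.AbsoluteUri);
            Console.WriteLine("Replace()   : " + replaced);
            Console.WriteLine("scheme only : " + schemeOnly.Uri.AbsoluteUri);
            Console.WriteLine("ToHttps()   : " + ToHttps(url));
            Console.WriteLine();
        }
    }
}
```

If the site serves HTTPS on a non-standard port, pass that port as httpsPort so the redirect does not point at a port where nothing is listening for TLS.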