Menu
You need URL Rewrite module, preferably v2 (I have no v1 installed, so cannot guarantee that it will work there, but it should).
Here is an example of such web.config -- it will force HTTPS for ALL resources (using 301 Permanent Redirect):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Redirect to https" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
P.S. This particular solution has nothing to do with ASP.NET/PHP or any other technology as it's done using URL rewriting module only -- it is processed at one of the initial/lower levels -- before request gets to the point where your code gets executed.
For those using ASP.NET MVC. You can use the RequireHttpsAttribute to force all responses to be HTTPS:
GlobalFilters.Filters.Add(new RequireHttpsAttribute());
Other things you may also want to do to help secure your site:
Force Anti-Forgery tokens to use SSL/TLS:
AntiForgeryConfig.RequireSsl = true;
Require Cookies to require HTTPS by default by changing the Web.config file:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
Use the NWebSec.Owin NuGet package and add the following line of code to enable Strict Transport Security (HSTS) across the site. Don't forget to add the Preload directive below and submit your site to the HSTS Preload site. More information here and here. Note that if you are not using OWIN, there is a Web.config method you can read up on on the NWebSec site.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHsts(options => options.MaxAge(days: 720).Preload());
Use the NWebSec.Owin NuGet package and add the following line of code to enable Public Key Pinning (HPKP) across the site. More information here and here.
// app is your OWIN IAppBuilder app in Startup.cs
app.UseHpkp(options => options
.Sha256Pins(
"Base64 encoded SHA-256 hash of your first certificate e.g. cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=",
"Base64 encoded SHA-256 hash of your second backup certificate e.g. M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=")
.MaxAge(days: 30));
Include the https scheme in any URL's used. Content Security Policy (CSP) HTTP header and Subresource Integrity (SRI) do not play nice when you imit the scheme in some browsers. It is better to be explicit about HTTPS. e.g.
<script src="https://ajax.aspnetcdn.com/ajax/bootstrap/3.3.4/bootstrap.min.js">
</script>
Use the ASP.NET MVC Boilerplate Visual Studio project template to generate a project with all of this and much more built in. You can also view the code on GitHub.
To augment LazyOne's answer, here is an annotated version of the answer.
<rewrite>
<rules>
<clear />
<rule name="Redirect all requests to https" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll">
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action
type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}"
redirectType="Permanent" appendQueryString="false" />
</rule>
</rules>
</rewrite>
Clear all the other rules that might already been defined on this server. Create a new rule, that we will name "Redirect all requests to https". After processing this rule, do not process any more rules! Match all incoming URLs. Then check whether all of these other conditions are true: HTTPS is turned OFF. Well, that's only one condition (but make sure it's true). If it is, send a 301 Permanent redirect back to the client at http://www.foobar.com/whatever?else=the#url-contains. Don't add the query string at the end of that, because it would duplicate the query string!
This is what the properties, attributes, and some of the values mean.
MatchAll) or any of the conditions must be true (MatchAny); similar to AND vs OR. match and its conditions are all true.
redirect (client-side) or rewrite (server-side). https:// with two server variables.url or not; in this case, we are setting it to false, because the {REQUEST_URI} already includes it.The server variables are
{HTTPS} which is either OFF or ON. {HTTP_HOST} is www.mysite.com, and {REQUEST_URI} includes the rest of the URI, e.g. /home?key=value
#fragment (see comment from LazyOne).See also: https://www.iis.net/learn/extensions/url-rewrite-module/url-rewrite-module-configuration-reference
The accepted answer did not work for me. I followed the steps on this blog.
A key point that was missing for me was that I needed to download and install the URL Rewrite Tool for IIS. I found it here. The result was the following.
<rewrite>
<rules>
<remove name="Http to Https" />
<rule name="Http to Https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
<match url="*" />
<conditions>
<add input="{HTTPS}" pattern="off" />
</conditions>
<serverVariables />
<action type="Redirect" url="https://{HTTPS_HOST}{REQUEST_URI}" />
</rule>
</rules>
</rewrite>
In .Net Core, follow the instructions at https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl
In your startup.cs add the following:
// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
{
services.Configure<MvcOptions>(options =>
{
options.Filters.Add(new RequireHttpsAttribute());
});`enter code here`
To redirect Http to Https, add the following in the startup.cs
// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
var options = new RewriteOptions()
.AddRedirectToHttps();
app.UseRewriter(options);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With