Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

MVC RequireHttps entire site

I have read the previous posts about using the RequireHttpsAttribute to secure individual controllers:

ASP.NET MVC RequireHttps in Production Only

but is there a way to apply this to the entire site? Due to my host (discountasp.net) I cannot use the "RequireSSL IIS" setting.

like image 743
CodeGrue Avatar asked Jul 19 '10 20:07

CodeGrue


2 Answers

Register the RequireHttpsAttribute as a global filter.

In global.asax:

protected void Application_Start() {     GlobalFilters.Filters.Add(new RequireHttpsAttribute());      //... other stuff } 
like image 166
hwiechers Avatar answered Sep 29 '22 21:09

hwiechers


I ended up using IIS URL Rewrite 2.0 to force the site to switch to HTTPS. This code in web.config does the trick:

  <system.webServer>
    <!-- This uses URL Rewrite 2.0 to force the entire site into SSL mode -->
    <rewrite xdt:Transform="Insert">
      <rules>
        <rule name="Force HTTPS" enabled="true">
          <match url="(.*)" ignoreCase="false" />
          <conditions>
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
like image 43
CodeGrue Avatar answered Sep 29 '22 20:09

CodeGrue