Robertino

Posted on • Originally published at auth0.com

Force HTTPS in ASP.NET Core Applications

How to force your ASP.NET Core application to use only HTTPS? Learn the best practices for different scenarios.


HTTPS is mandatory to secure your web application, regardless of the programming framework you are using. But what happens if a client calls your web app with HTTP instead of HTTPS? How can you force it to use HTTPS? Let's delve into the options provided by ASP.NET Core.

Use HTTPS Redirection

Probably the first idea that comes to your mind is to redirect HTTP requests: if a client calls your application using HTTP, your application redirects it to the same URL starting with HTTPS. URL redirection is a well-known approach. The web application creates an HTTP response with a 3xx status code and a Location header, like in the following example:

HTTP/1.1 301 Moved Permanently
Location: https://www.auth0.com/

While this approach doesn't resolve all the security risks, as you will learn along the way, it's a good starting point.

Fortunately, in ASP.NET Core, you don't need to go to the HTTP level to redirect your client's requests. You have a few options to choose from. Let's analyze each of them.

The RequireHttps attribute

The first approach we'll explore is based on the RequireHttps attribute. You can use it in your Razor Pages applications to force a page to require HTTPS, as shown in the following code snippet:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace RazorApp.Pages;

[RequireHttps]
public class PrivacyModel : PageModel
{
  //...existing code...
}

If this page is called through HTTP, an HTTPS redirection response is automatically created for you. For Razor Pages, you can apply the RequireHttps attribute only to classes inheriting from PageModel; you cannot apply it to individual handler methods.

In ASP.NET Core MVC applications, you can apply the RequireHttps attribute to classes deriving from Controller, as in the following example:

using System.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using MvcApp.Models;

namespace MvcApp.Controllers;

[RequireHttps]
public class HomeController : Controller
{
  // ...existing code...
}

When the attribute is attached to the controller, the HTTPS redirection applies to every view returned by it. However, in the ASP.NET Core MVC case, you can also apply the RequireHttps attribute to specific action methods, and therefore to the views they return. For example, the following code shows how to require HTTPS redirection only for the Privacy view:

using System.Diagnostics;
using Microsoft.AspNetCore.Mvc;
using MvcApp.Models;

namespace MvcApp.Controllers;

public class HomeController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    [RequireHttps]
    public IActionResult Privacy()
    {
        return View();
    }
}

The redirection approach based on the RequireHttps attribute is pretty simple. You may also think that the opportunity to apply it selectively to specific pages or views is great because you can limit HTTPS to just pages with confidential content.

Actually, mixing HTTP and HTTPS pages is a really bad idea! Your web application is not secure, because every page still served over plain HTTP exposes it to HTTPS downgrade attacks. To mitigate this risk, make all your web application's pages accessible only with the HTTPS protocol.

You may think of applying the RequireHttps attribute to all the pages to reduce the risk, but there are better approaches, as you will see in the next section.
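One way to verify that no page slipped through is an integration test that sends plain-HTTP requests to every known route and fails unless each one answers with a redirect to https. The following xUnit test is an added example, not code from the original article; it assumes the MvcApp project from the snippets above, the Microsoft.AspNetCore.Mvc.Testing package, and that the app's Program class is visible to the test project (for example via `public partial class Program {}`).

```csharp
using System.Net;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

namespace MvcApp.Tests;

// Every route listed in the [InlineData] attributes must answer a plain-HTTP
// request with a 3xx redirect to the same path on https://, never with content.
public class HttpsRedirectTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;

    public HttpsRedirectTests(WebApplicationFactory<Program> factory)
    {
        _factory = factory;
    }

    [Theory]
    [InlineData("/")]             // Index
    [InlineData("/Home/Privacy")] // Privacy
    public async Task HttpRequest_IsRedirectedToHttps(string path)
    {
        // Do not follow redirects automatically: the 3xx response itself is under test.
        var client = _factory.CreateClient(new WebApplicationFactoryClientOptions
        {
            AllowAutoRedirect = false,
            BaseAddress = new Uri("http://localhost"),
        });

        var response = await client.GetAsync(path);

        // RequireHttps issues 302 by default, or 301 when configured as permanent.
        Assert.True(
            response.StatusCode is HttpStatusCode.Redirect or HttpStatusCode.MovedPermanently,
            $"{path} answered {(int)response.StatusCode} over plain HTTP instead of redirecting");

        var location = response.Headers.Location;
        Assert.NotNull(location);
        Assert.Equal("https", location!.Scheme);
        Assert.Equal(path, location.AbsolutePath);
    }
}
```

Run against the selective controller above, the test passes for /Home/Privacy and fails for /, which is exactly the unprotected page this section warns about.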
