Best way in asp.net to force https for an entire site?

by

Please use HSTS (HTTP Strict Transport Security)

from http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                        redirectType="Permanent" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" value="max-age=31536000" />
                </rule>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Original Answer (replaced with the above on 4 December 2015)

basically

protected void Application_BeginRequest(Object sender, EventArgs e)
{
   if (HttpContext.Current.Request.IsSecureConnection.Equals(false) && HttpContext.Current.Request.IsLocal.Equals(false))
   {
    Response.Redirect("https://" + Request.ServerVariables["HTTP_HOST"]
+   HttpContext.Current.Request.RawUrl);
   }
}

that would go in the global.asax.cs (or global.asax.vb)

i dont know of a way to specify it in the web.config

More Related Contents:

  1. Determine if a number can be made with prepicked numbers and times
  2. Can I specify a custom location to “search for views” in ASP.NET MVC?
  3. A potentially dangerous Request.Path value was detected from the client (*)
  4. How to force HTTPS using a web.config file
  5. “Could not load type [Namespace].Global” causing me grief
  6. Event Bubbling and MVP: ASP.NET
  7. Should I store my images in the database or folders? [duplicate]
  8. Accessing Office Word object model through asp.net results in “failed due to the following error: 80070005 Access is denied.”
  9. How do I get the currently loggedin Windows account from an ASP.NET page?
  10. Loop through all controls on asp.net webpage
  11. ASP.NET GridView: How to edit and delete data records
  12. .NET Configuration (app.config/web.config/settings.settings)
  13. Check if Cookie Exists
  14. unable to evaluate expression whilst debugging
  15. Is current request being made over SSL with Azure deployment
  16. Get All Web Controls of a Specific Type on a Page
  17. Validating Recaptcha 2 (No CAPTCHA reCAPTCHA) in ASP.NET’s server side
  18. DropDownList AppendDataBoundItems (first item to be blank and no duplicates)
  19. Populate TreeView from DataBase
  20. Find a control in a webform
  21. Creating download link to a file on a file server
  22. Change CSS classes from code
  23. Lost Focus method for asp.net textbox?
  24. The provider is not compatible with the version of Oracle client
  25. Render HTML as an Image
  26. Full postback triggered by LinkButton inside GridView inside UpdatePanel
  27. Unable to find the requested .Net Framework Data Provider. It may not be installed
  28. Bind Dictionary with list in viewmodel to checkboxes
  29. Filehandler in asp.net
  30. ASP .NET Button event handlers do not fire on the first click, but on the second click after a PostBack

Leave a Comment