Home/ Questions/Q 48173
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-10T16:14:18+00:00

About 6 months ago I rolled out a site where every request needed to

  • 0

About 6 months ago I rolled out a site where every request needed to be over https. The only way at the time I could find to ensure that every request to a page was over https was to check it in the page load event. If the request was not over http I would response.redirect(‘https://example.com‘)

Is there a better way — ideally some setting in the web.config?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Please use HSTS (HTTP Strict Transport Security)

    from http://www.hanselman.com/blog/HowToEnableHTTPStrictTransportSecurityHSTSInIIS7.aspx

    <?xml version='1.0' encoding='UTF-8'?> <configuration>     <system.webServer>         <rewrite>             <rules>                 <rule name='HTTP to HTTPS redirect' stopProcessing='true'>                     <match url='(.*)' />                     <conditions>                         <add input='{HTTPS}' pattern='off' ignoreCase='true' />                     </conditions>                     <action type='Redirect' url='https://{HTTP_HOST}/{R:1}'                         redirectType='Permanent' />                 </rule>             </rules>             <outboundRules>                 <rule name='Add Strict-Transport-Security when HTTPS' enabled='true'>                     <match serverVariable='RESPONSE_Strict_Transport_Security'                         pattern='.*' />                     <conditions>                         <add input='{HTTPS}' pattern='on' ignoreCase='true' />                     </conditions>                     <action type='Rewrite' value='max-age=31536000' />                 </rule>             </outboundRules>         </rewrite>     </system.webServer> </configuration>

    Original Answer (replaced with the above on 4 December 2015)

    basically

    protected void Application_BeginRequest(Object sender, EventArgs e) {    if (HttpContext.Current.Request.IsSecureConnection.Equals(false) && HttpContext.Current.Request.IsLocal.Equals(false))    {     Response.Redirect('https://' + Request.ServerVariables['HTTP_HOST'] +   HttpContext.Current.Request.RawUrl);    } }

    that would go in the global.asax.cs (or global.asax.vb)

    i dont know of a way to specify it in the web.config

    • 0