I'm wondering if there is a way to ensure that an ASP.NET application can only be run using the HTTPS protocol.

I'm fine with any code (defensive programming measure perhaps?) that can do the trick, or possibly some IIS/web server setting that can get the job done.

+5  A: 

IIS will definitely allow you to require HTTPS. The instructions are here.

Edit: I had to go dig for it, but there's also Request.IsSecureConnection for defensive programming.

Randolpho
Thanks! That's exactly what I was looking for!
Joseph
FTA: 8. Click Require secure-channel (SSL) if you want the Web site, folder, or file to require SSL communications.
Joseph
+1  A: 

There is a nice article that has some good information and a helper utility class on this subject over at leastprivilege.com

slolife
+2  A: 

The only problem with enforcing the SSL on the IIS level is that the user receives an ugly 403.4 page error:

"The page must be viewed over a secure channel"

To make the transition seamless, you could redirect the user to the secure site using the Request.IsSecureConnection if they do not generate the request over SSL.

Michael Kniskern
There are basic network setups you can do to redirect to HTTPS before IIS ever sees the request.
Randolpho
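
Added example, not part of any answer above: a Global.asax.cs sketch of the Request.IsSecureConnection redirect the answers describe, so plain-HTTP visitors are sent to the secure site instead of seeing the 403.4 page. Assumptions: TLS terminates at IIS itself (behind a TLS-offloading proxy IsSecureConnection is false for every request), and CanonicalHost is a placeholder for the site's real host name. The HSTS header and the refusal of non-GET requests are additions beyond what the answers mention.

```csharp
// Global.asax.cs -- added example, not code from the original answers.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Assumption: placeholder for the site's canonical host name.
    private const string CanonicalHost = "www.example.com";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;

        if (request.IsSecureConnection)
        {
            // Already on HTTPS: ask the browser to stay there on later visits.
            response.AppendHeader("Strict-Transport-Security", "max-age=31536000");
            return;
        }

        // Redirect only safe methods. A POST that arrived over plain HTTP has
        // already sent its body in the clear, so refuse it rather than
        // silently replaying it on the secure site.
        bool safeMethod = request.HttpMethod == "GET" || request.HttpMethod == "HEAD";
        if (!safeMethod)
        {
            response.StatusCode = 403;
            response.StatusDescription = "HTTPS required";
            CompleteRequest();
            return;
        }

        // Build the target from the configured host, not from the
        // client-supplied Host header, keeping the original path and query.
        string target = "https://" + CanonicalHost + request.Url.PathAndQuery;

        // endResponse: false avoids the ThreadAbortException that
        // Response.Redirect(url) raises; CompleteRequest() then skips the
        // rest of the pipeline.
        response.Redirect(target, false);
        CompleteRequest();
    }
}
```

If IIS "Require SSL" is also enabled for the site, IIS rejects the HTTP request with 403.4 before this handler runs, so the redirect only takes effect when that setting is off for the HTTP binding.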