ASP.NET Core middleware and MVC extension for redirecting requests to HTTPS.
```powershell
Install-Package AspNetCore.SslRedirect
```

```csharp
public class Startup {
    public void ConfigureServices(IServiceCollection services) {
        services.AddSslRedirect();
        ...
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) {
        app.UseSslRedirect();
        ...
    }
}
```
Use `ISslPolicy` elements or MVC filters to enforce SSL communication:

```csharp
services.AddSslRedirect(options => options.Policies.RedirectAll());
```
Upgrades every unsecured request handled by the web application.
```csharp
services.AddSslRedirect(options =>
    options.Policies
        .RedirectPath("/SecurePath/*.html")
        .RedirectPath("/**/api/Admin/*")
);
```
Upgrades unsecured requests to paths defined by the glob patterns.
```csharp
[RequireSsl]
[Route("api/[controller]")]
public class AdministrationController : Controller {
    ...
}
```
Upgrades unsecured requests invoking any controller action.
```csharp
[Route("api/[controller]")]
public class UserController : Controller {
    // Not marked with [RequireSsl]: served without a redirect.
    [HttpGet("{id:int}")]
    public IActionResult GetById(int id) { ... }

    // Only this action is upgraded to HTTPS.
    [RequireSsl]
    [HttpPost("/auth")]
    public IActionResult Authenticate([FromForm]string user, [FromForm]string password) { ... }
}
```

Upgrades unsecured requests invoking action `Authenticate`.
- Implement `ISslPolicy`

  ```csharp
  public class SslRemotePolicy : ISslPolicy {
      // Returns true for every request whose host name is not localhost or 127.0.0.1.
      public Task<bool> Accept(HttpContext context) =>
          Task.FromResult(
              context.Request.Host.Host != "localhost" &&
              context.Request.Host.Host != "127.0.0.1"
          );
  }
  ```

- Add your policy

  ```csharp
  public class Startup {
      public void ConfigureServices(IServiceCollection services) {
          services.AddSslRedirect(options => options.Policies.Add(new SslRemotePolicy()));
          ...
      }

      public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory) {
          app.UseSslRedirect();
          ...
      }
  }
  ```
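The `Host` header is supplied by the client, so a policy that exempts `localhost` by host name trusts request data. The following variant is an added example, not part of the package or its documentation: it makes the same decision from the connection's remote address instead. The class name `SslNonLoopbackPolicy` and its helper are hypothetical, and it assumes the application is reached directly rather than through a reverse proxy on the same machine.

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
// Also import the namespace that declares ISslPolicy (not shown on this page).

// Added example (hypothetical name): same intent as SslRemotePolicy,
// but keyed on the TCP peer address rather than the Host header.
public class SslNonLoopbackPolicy : ISslPolicy {
    // Mirrors SslRemotePolicy: true for every request that is not local.
    public Task<bool> Accept(HttpContext context) =>
        Task.FromResult(!IsLoopbackPeer(context.Connection.RemoteIpAddress));

    // True only when the peer address is a loopback address (127.0.0.0/8 or ::1).
    internal static bool IsLoopbackPeer(IPAddress remote) {
        // No address available: treat the request as remote.
        if (remote == null) return false;

        // Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; normalise first.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        return IPAddress.IsLoopback(remote);
    }
}

// Registered the same way as the policy above:
// services.AddSslRedirect(options => options.Policies.Add(new SslNonLoopbackPolicy()));
```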
- `SslPort` - The HTTPS port number

  ```csharp
  options.SslPort = Environment.IsDevelopment() ? 44300 : 443;
  ```

- `Method` - The HTTP method used for redirecting requests. See RFC 7231, Section 6.4 and RFC 7238.

  ```csharp
  options.Method = HttpRedirectMethod.TemporaryRedirect;
  ```

- `HstsHeader` - The HSTS header information

  ```csharp
  // TimeSpan has no FromMonths method; 30 days stands in for one month.
  options.HstsHeader.MaxAge = TimeSpan.FromDays(30);
  options.HstsHeader.IncludeSubDomains = true;
  ```

  The middleware will automatically add an HSTS header unless `options.HstsHeader` is `null`.

- `Policies` - The collection of policies for upgrading unsecured requests.