Enforcing SSL in an ASP.NET Core app

By Rick Anderson

This document shows how to:

  • Require SSL for all requests (HTTPS requests only).
  • Redirect all HTTP requests to HTTPS.

Require SSL

The RequireHttpsAttribute is used to require SSL. You can decorate controllers or methods with this attribute or you can apply it globally as shown below:

Add the following code to ConfigureServices in Startup:

// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
{
    services.Configure<MvcOptions>(options =>
    {
        options.Filters.Add(new RequireHttpsAttribute());
    });

The highlighted code above requires all requests use HTTPS, therefore HTTP requests are ignored. The following highlighted code redirects all HTTP requests to HTTPS:

// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    var options = new RewriteOptions()
       .AddRedirectToHttps();

    app.UseRewriter(options);

See URL Rewriting Middleware for more information.

Requiring HTTPS globally (options.Filters.Add(new RequireHttpsAttribute());) is a security best practice. Applying the [RequireHttps] attribute to all controller is not considered as secure as requiring HTTPS globally. You can't guarantee new controllers added to your app will remember to apply the [RequireHttps] attribute.

Set up IIS Express for SSL/HTTPS

See Setting up HTTPS for development in ASP.NET Core.