3

I am trying to enable HTTPS everywhere in my MVC application. In my FilterConfig.cs I have added the following line:

filters.Add(new RequireHttpsAttribute());

However, when navigating to the site, all functionality is available via HTTP, and HTTPS can only be used if the user explicitly specifies this in their browser's address bar.

When this line of code is present in my local version of the app, it stops working, and I can no longer use HTTP (as I would expect).

I am hosting the application on Azure. Am I missing something?

Improve this question
7
  • Did you follow the instructions for enable SSL to a project listed here? azure.microsoft.com/en-us/documentation/articles/… Commented Mar 11, 2015 at 16:40
  • Yeah, that only appears to enable SSL locally though. SSL appears to be enabled in Azure regardless of this setting, but not enforced, which is the behavior I'm trying to achieve. Commented Mar 11, 2015 at 16:56
  • You can add a URL redirect rule to redirect from http://* to https://*. It's literally the same. See stackoverflow.com/questions/1536120/… or similar. Commented Mar 11, 2015 at 16:59
  • Are you output caching at all? Commented Mar 11, 2015 at 17:10
  • 1
    Not really helpful but it should work. I have a number of azure websites with the RequireHttpsAttribute and this redirects from HTTP to HTTPS. Commented Mar 11, 2015 at 17:32

3 Answers 3

Reset to default
1

You could accomplish this by using the URLRewrite module. (Download is here)

Then you could just redirect all requests on port 80 to https using a rule in your web.config.

<rewrite>
<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Found" />
</rule>
</rewrite>

Note that you can change the redirectType to Permanent if you have search engine bots crawling your site and you are trying to maintain your SEO.

You can add this rule to your Release config so it is only enforced when you deploy to Azure. That way you can run locally on port 80 while you do your development.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

This seems like it's probably the best answer I'm going to get, although it's not ideal! I would much rather find out why the attribute isn't working.
Best I can offer there is to start with a blank MVC project, add the attribute and see if it works. If it does, try to figure out what the difference is.
Yeah I'll give that a shot and report back. Cheers. :)
1

I was using AllowAnonymous and OverrideAuthorization attribute on a few of my controllers and it seemed that this overrode RequireHttpsAttribute, which I had registered with my GlobalFilterCollection.

Improve this answer

Comments

0

Make sure you have an http endpoint and binding defined (in addition to the https endpoint and binding) in your csdef. Specifically:

<InputEndpoint name="HttpEndpoint" protocol="http" port="80" />

and

<Binding name="HttpEndpoint" endpointName="HttpEndpoint" />
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.