Coder Perfect

How to force HTTPS using a web.config file


I looked on Google and StackOverflow for a solution, but they all seemed to be about ASP.NET or something similar.

On my servers, I generally use Linux, but for this one client, I’m using Windows with IIS 7.5. (and Plesk 10). As a result, I’m only somewhat aware with IIS and web.config files. You can use rewrite conditions in an.htaccess file to determine whether the protocol is HTTPS and redirect accordingly. Is there a simple method to accomplish this with a web.config file or the ‘URL Rewrite’ module that I installed?

I’m not familiar with ASP.NET, so if it’s part of the solution, please provide detailed instructions on how to implement it.

I’m doing this with web.config rather than PHP since I’d like to force HTTPS on all assets within the site.

Asked by Ben Carey

Solution #1

You’ll need the URL Rewrite module, preferably the v2 version (I have no v1 installed, so cannot guarantee that it will work there, but it should).

Here’s an example of a web.config that uses 301 Permanent Redirect to force HTTPS for ALL resources:

<?xml version="1.0" encoding="UTF-8"?>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url=".*" />
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />

P.S. This solution has nothing to do with ASP.NET/PHP or any other technology because it is implemented solely through the URL rewriting module — which is handled at one of the initial/lower levels — before the request reaches the point where your code is performed.

Answered by LazyOne

Solution #2

For individuals who work with ASP.NET MVC. To compel all responses to be HTTPS, use the RequireHttpsAttribute:

GlobalFilters.Filters.Add(new RequireHttpsAttribute());

Other things you could do to help safeguard your site include:

Answered by Muhammad Rehan Saeed

Solution #3

Here’s an annotated version of LazyOne’s answer to go along with it.

     <clear />
     <rule name="Redirect all requests to https" stopProcessing="true">
       <match url="(.*)" />
         <conditions logicalGrouping="MatchAll">
           <add input="{HTTPS}" pattern="off" ignoreCase="true" />
            type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" 
            redirectType="Permanent" appendQueryString="false" />

Delete any additional rules that may have already been set up on this server. Make a new rule called “Redirect all requests to https” and save it. Do not process any additional rules after this one has been processed! All incoming URLs must be matched. Then see if all of the following conditions are met: HTTPS is disabled. That’s the sole stipulation (but be sure it’s true). If that’s the case, send the client a 301 Permanent Redirect to Don’t include the query string at the end of that because it will be duplicated!

This explains the meaning of the characteristics, attributes, and some of the values.

The variables on the server are

See also:

Answered by Shaun Luttin

Solution #4

I couldn’t use the accepted solution because it didn’t work for me. I followed the instructions on this website.

A key point that was missing for me was that I needed to download and install the URL Rewrite Tool for IIS. I found it here. The result was the following.

            <remove name="Http to Https" />
            <rule name="Http to Https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                    <add input="{HTTPS}" pattern="off" />
                <serverVariables />
                <action type="Redirect" url="https://{HTTPS_HOST}{REQUEST_URI}" />

Answered by Eric

Solution #5

Follow the steps at in.Net Core.

Add the following to your startup.cs file:

// Requires using Microsoft.AspNetCore.Mvc;
public void ConfigureServices(IServiceCollection services)
    services.Configure<MvcOptions>(options =>
        options.Filters.Add(new RequireHttpsAttribute());
    });`enter code here`

Add the following to the startup.cs file to redirect Http to Https.

// Requires using Microsoft.AspNetCore.Rewrite;
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)

    var options = new RewriteOptions()


Answered by Oracular Man

Post is based on