Introduction
HTTPS could be configured in ASP.NET Core before .NET Core 1.1, but it was tricky to set up. Configuration became easier in 2.0, though it was still not enabled by default. In this article, we will learn how to configure HTTPS and how to customize it.
When we create a web application with Visual Studio, we have an option to configure our application for HTTPS.
When we create the application using the CLI, the web application is configured for HTTPS by default. We can turn HTTPS off with the following command:
```shell
dotnet new mvc --no-https
```
When we run this application, either on IIS Express or on Kestrel, it listens on two ports, one for HTTP and the other for HTTPS.
HTTP Strict Transport Security Protocol (HSTS)
When we look at the Configure method of the Startup class, some new middleware is registered to set this web application up for HTTPS. One of them is HSTS.
HTTP Strict Transport Security (HSTS) is a web security policy that helps protect a web application against cookie hijacking and protocol downgrade attacks. It tells the client to communicate with the web server only over secure HTTPS connections, never over the insecure HTTP protocol, so insecure connections are rejected in the first place.
```csharp
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    // ...
    if (!env.IsDevelopment())
    {
        // ...
        app.UseHsts();
        // ...
    }
    // ...
    app.UseMvc();
}
```
UseHsts is not recommended in the development environment because the HSTS header is cached by browsers. Based on our requirements, we can configure HSTS.
We can configure the following HSTS options:
- MaxAge
Sets the max age of the Strict-Transport-Security header. Its default value is 30 days, and it is of type TimeSpan.
- IncludeSubDomains
A boolean property that enables the includeSubDomains parameter of the Strict-Transport-Security header.
- Preload
Gets or sets the preload parameter of the Strict-Transport-Security header. Preload is not part of the HSTS RFC specification, but browsers support it to preload HSTS sites on a fresh installation.
Apart from this, we can also maintain a list of hostnames for which the HSTS header will not be added.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    services.AddHsts(options =>
    {
        options.IncludeSubDomains = true;
        options.Preload = true;
        options.MaxAge = TimeSpan.FromDays(120);
        options.ExcludedHosts.Add("TestDomain.com");
    });
}
```
HTTPS Redirection
Another middleware added by default redirects all requests arriving over insecure HTTP to HTTPS. In the above example, all calls to "http://localhost:5000" are immediately redirected to "https://localhost:5001". This is commonly referred to as enforced HTTPS.
```csharp
public void Configure(IApplicationBuilder app)
{
    // ...
    app.UseHttpsRedirection();
    app.UseMvc();
}
```
The UseHttpsRedirection method uses a default redirect status code (Status307TemporaryRedirect) and the default HTTPS port (443). We can call the AddHttpsRedirection method to configure the middleware options for the redirect status code and the HTTPS port.
```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    // ...
    services.AddHttpsRedirection(options =>
    {
        options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
        options.HttpsPort = 5001;
    });
}
```
Alternatively, we can specify the HTTPS port through configuration or the ASPNETCORE_HTTPS_PORT environment variable. This is very useful when HTTPS is handled by an external application such as IIS. For example, the project template adds the ASPNETCORE_HTTPS_PORT environment variable to the IIS Express launch profile (launchSettings.json) so that it matches the HTTPS port configured for IIS Express.
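To see what the two middlewares above actually put on the wire for the options used in this article (the 120-day HSTS policy with TestDomain.com excluded, and the 307 redirect to port 5001), here is an added Python model of their decisions; it is not framework code, and the request URLs it is fed are constructed for illustration. The loopback hosts in the excluded set reflect the framework's default exclusions.

```python
"""Model of the HSTS and HTTPS-redirection middleware behaviour for the
article's settings. Constructed values: the request URLs passed to handle()."""
from datetime import timedelta
from urllib.parse import urlsplit, urlunsplit

# Mirrors services.AddHsts(...) from the article; "::1" is the hostname form of [::1].
HSTS_OPTIONS = {
    "max_age": timedelta(days=120),
    "include_subdomains": True,
    "preload": True,
    "excluded_hosts": {"localhost", "127.0.0.1", "::1", "testdomain.com"},
}
# Mirrors services.AddHttpsRedirection(...) from the article.
REDIRECT_STATUS = 307
HTTPS_PORT = 5001


def hsts_header_value(max_age, include_subdomains, preload):
    """Compose the Strict-Transport-Security value; max-age is whole seconds."""
    parts = [f"max-age={int(max_age.total_seconds())}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def https_location(url, https_port):
    """Build the Location target for an http:// request, keeping path and query."""
    s = urlsplit(url)
    host = s.hostname if https_port == 443 else f"{s.hostname}:{https_port}"
    return urlunsplit(("https", host, s.path, s.query, ""))


def handle(url, is_development=False):
    """Return (status, headers) as the pipeline would for the given request URL."""
    s = urlsplit(url)
    if s.scheme == "http":
        # UseHttpsRedirection: plain-HTTP requests never reach the application.
        return REDIRECT_STATUS, {"Location": https_location(url, HTTPS_PORT)}
    headers = {}
    # UseHsts: only on HTTPS responses, skipped in Development (browsers cache the
    # policy), and never for hosts in ExcludedHosts (compared case-insensitively).
    if not is_development and s.hostname.lower() not in HSTS_OPTIONS["excluded_hosts"]:
        headers["Strict-Transport-Security"] = hsts_header_value(
            HSTS_OPTIONS["max_age"],
            HSTS_OPTIONS["include_subdomains"],
            HSTS_OPTIONS["preload"],
        )
    return 200, headers
```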
Summary
This new feature makes it easier to use HTTPS during development and in production. You can view or download the source code from GitHub here.