Introduction
In this article, you will see how to enable HTTPS in ASP.NET Web API. We first list the steps required, then go through each of them in detail. You will also see how to enable HTTPS support for the development server.
Steps to enable HTTPS in ASP.NET Web API
- Write a custom class which is inherited from AuthorizationFilterAttribute
- Register that class in ASP.NET Web API Config
- Apply [RequireHttps] attribute on API controller actions.
- Create a temporary certificate for SSL.
- Install the certificate
- Enable HTTPS support to the development server in Visual Studio.
Write a custom class which is inherited from AuthorizationFilterAttribute
Write a custom class as shown below.
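using System;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Authorization filter that rejects any request not made over HTTPS.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // The scheme of the request URI shows whether the call arrived over HTTPS.
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            // Short-circuit with 403 Forbidden; the action is not executed.
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "HTTPS Required for this call"
            };
        }
        else
        {
            // HTTPS request: continue with normal authorization processing.
            base.OnAuthorization(actionContext);
        }
    }
}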
Register that class in ASP.NET Web API Config
To register the custom filter class, add it to the filter collection in the Web API configuration:
// Web API configuration and services
config.Filters.Add(new RequireHttpsAttribute());
Remember that this is a global setting: every controller method will then require HTTPS.
If a few methods need to run over HTTP, do not register the filter globally. Apply the [RequireHttps] attribute to individual methods instead.
Apply [RequireHttps] attribute on API controller actions.
[RequireHttps]
public IEnumerable<string> Get()
{
    return new string[] { "value1", "value2" };
}
Note. The [RequireHttps] attribute is needed only when HTTPS should be required for selected API controller actions. Otherwise, the global setting in the Web API configuration is enough.
If only a few API methods are meant to run on HTTPS, the global configuration must be disabled. Otherwise, all method calls will demand HTTPS.
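To confirm that the filter behaves as described before any certificate is set up, it can be run directly against constructed requests. This is an added example, not code from the original article; it assumes Web API 2 (the Microsoft.AspNet.WebApi.Core package), and the RequireHttpsCheck class, the StatusFor method and the sample URLs are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// The article's filter, repeated so this file compiles on its own.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
                { ReasonPhrase = "HTTPS Required for this call" };
        else
            base.OnAuthorization(actionContext);
    }
}

public static class RequireHttpsCheck // hypothetical helper, not from the article
{
    // Runs the filter on a constructed GET request. Returns the status code the
    // filter set, or null when it left Response empty and the action would run.
    public static HttpStatusCode? StatusFor(string url)
    {
        var context = new HttpActionContext
        {
            ControllerContext = new HttpControllerContext
            {
                Request = new HttpRequestMessage(HttpMethod.Get, url)
            }
        };
        new RequireHttpsAttribute().OnAuthorization(context);
        return context.Response?.StatusCode;
    }

    public static void Main()
    {
        // Constructed sample URLs; host and ports are placeholders.
        var urls = new[]
        {
            "http://localhost:8080/api/values",   // plain HTTP
            "https://localhost:44300/api/values", // HTTPS
            "HTTPS://localhost:44300/api/values"  // upper-case scheme; Uri normalizes it
        };
        foreach (var url in urls)
            Console.WriteLine("{0} -> {1}", url, StatusFor(url)?.ToString() ?? "allowed");
    }
}
```

The check needs neither a running server nor a certificate, because the filter looks only at the scheme of the request URI.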
Create a temporary certificate for SSL
To create a temporary certificate, run the following command in the command prompt.
makecert.exe -n "CN=Development CA" -r -sv TempCA.pvk TempCA.cer
Once the certificate is created, it is saved on your machine at the path selected in the command prompt window.
Now, we need to install it.
Install the certificate
To install the certificate on your local machine, do the following steps.
- Open the MMC (Management Console) window
- Then go to File -> Add or Remove Snap-ins
- Then select Certificates from the available snap-ins
- Then click on the Add button
- Then select Computer account in the window pane that opens
- Then select Local Computer Account
- Then click Next and OK
Now the Certificates snap-in is added to MMC.
Next, we need to install the certificate through the snap-in.
For that,
- Go to Certificates; expand it.
- Then select “Trusted Root Certification Authorities”
- Then select Action -> All Tasks -> Import
- Select the certificate and finish.
Now, the temporary certificate is installed on your computer.
This certificate will be used for SSL communication on your machine. Apart from installing it, you don't need to do anything else with the certificate.
Now, the next step is to enable HTTPS for the development server.
Enable HTTPS support to the development server in Visual Studio
For that, do the following.
- Open your Web API solution in Visual Studio.
- Then select the Web API project in Solution Explorer.
- Select the View menu in Visual Studio.
- Now select “Properties window” or press F4.
- A window pane will open.
- There, select the “SSL Enabled” property and set it to true.
Now, the development server is ready to work with HTTPS too.
Summary
So, in this article, we discussed how to make a Web API run on HTTPS. We went through all the required steps in detail: writing a custom filter class, registering it in the API configuration, and applying the RequireHttps attribute. We also covered creating and installing a temporary certificate and, finally, enabling HTTPS support for development in Visual Studio.