Configuring HTTPS Redirection and HSTS in ASP.NET Core

Essentials of web security

When it comes to web security - HTTPS is one of the most important aspects and a starting point for almost every website.
HTTPS (Hypertext Transfer Protocol Secure) is an internet communication protocol that protects the integrity and confidentiality of data sent from the user's web browser to the website.
HTTPS encrypts data transferred over the internet, which helps to secure transactions, prevent hacking, and protect sensitive information.
This protocol is especially crucial for websites that handle sensitive data, such as e-commerce sites, online banking, and any site that requires login and password credentials.

Understanding HTTPS redirection and HSTS

HTTPS Redirection: is a technique where HTTP requests are automatically redirected to their HTTPS counterparts, ensuring that all communication between the client and server is encrypted.

HTTP Strict Transport Security (HSTS): is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks by forcing web browsers to access the website over HTTPS only.

Configuring HTTPS Redirection in ASP.NET Core

Asp.Net Core provides built-in support for HTTPS redirection using a middleware. Lets have a look how to setup it:

1. Ensure HTTPS is enabled
First, ensure that your Asp.Net Core application has an HTTPS endpoint. Check your appsettings.json and launchSettings.json.
Out of the box Asp.Net Core includes a self-signed certificate for development purposes. For production, make sure to provide a valid SSL certificate.

2. Configure HTTPS redirection middleware

Add UseHttpsRedirection middleware in Program.cs or Startup.cs inside Configure method (for old projects):

var builder = WebApplication.CreateBuilder(args);

var app = builder.Build();

app.UseHttpsRedirection();

await app.RunAsync();

By adding UseHttpsRedirection middleware you instruct your webapp to redirect all calls to HTTP endpoints to their HTTPS counterparts.

3. Configure temporary or permanent HTTPS redirection
The default behaviour of UseHttpsRedirection middleware can be adjusted by calling AddHttpsRedirection method when creating a DI container:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHttpsRedirection(options =>
{
    // options.RedirectStatusCode = (int)HttpStatusCode.TemporaryRedirect;
    // options.HttpsPort = 5001;
    options.RedirectStatusCode = (int)HttpStatusCode.PermanentRedirect;
    options.HttpsPort = 443;
});

var app = builder.Build();

app.UseHttpsRedirection();

await app.RunAsync();

Permanent redirection is recommended for production environments.

Configuring HSTS in ASP.NET Core

After configuring HTTPS redirection you can enable HSTS in Asp.Net Core to force web browsers to access the website over HTTPS only.

1. Enable HSTS middleware
Update your Program.cs or Startup.cs to add HSTS:

var builder = WebApplication.CreateBuilder(args);

var app = builder.Build();

app.UseHsts(); // Add this line
app.UseHttpsRedirection();

await app.RunAsync();

2. Adjust default HSTS settings

The default behaviour of UseHsts middleware can be adjusted by calling AddHsts method when creating a DI container:

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddHsts(options =>
{
    options.Preload = true;
    options.IncludeSubDomains = true;
    options.MaxAge = TimeSpan.FromDays(60);

    options.ExcludedHosts.Add("test.com");
});

var app = builder.Build();

app.UseHttpsRedirection();

await app.RunAsync();

Summary

Configuring HTTPS is crucial for enhancing website security.
HTTPS ensures that all traffic between web browser and server is encrypted, which helps to secure transactions, prevent hacking, and protect sensitive information.

In Asp.Net Core you can configure HTTPS redirection ensuring that all traffic is secured.

To make a step further in web security - HSTS can be enabled to force web browsers to access the website over HTTPS only.
Asp.Net Core is extensible in this part and you can adjust HTTPS redirection and HSTS settings to match your needs.

Hope you find this blog post useful. Happy coding!

Originally published at https://antondevtips.com.

After reading the post consider the following:

• Subscribe to receive newsletters with the latest blog posts
• Download the source code for this post from my github (available for my sponsors on BuyMeACoffee and Patreon)

If you like my content —  consider supporting me

Unlock exclusive access to the source code from the blog posts by joining my Patreon and Buy Me A Coffee communities!