MVC RequireHttps whole site

To bring this answer up to MVC 3 and above , use the following in the Filterconfig.cs file in the App_start / p> folder

  filters.Add(new RequireHttpsAttribute()); 

Obviously, you will need IIS servers configured to use a valid SSL certificate, cheap certificates can be purchased here: https://www.namecheap.com/ I think the last time I bought one, it was $ 9 per domain per year.

This is not used by RequireHttps , but I think this is the best solution because it captures redirects faster in the MVC Lifecycle .

 public class RedirectModule : IHttpModule { private HttpApplication _context; public void Init(HttpApplication context) { _context = context; _context.PostResolveRequestCache += HttpRedirect; } public void HttpRedirect(Object src, EventArgs args) { if (_context.Request.Url.Scheme == Uri.UriSchemeHttp) { //Redirect to https var scheme = Uri.UriSchemeHttps + "://"; var authority = _context.Request.Url.Authority; var url = _context.Request.RawUrl; var redirectTo = scheme + authority + url; _context.Response.PermanentRedirect(redirectTo); } } public void Dispose() { } } 

The idea came from this article.

You can register the module in Web.config or inside Global.asax . I will show you in web.cofig.

 <system.webServer> <modules> <add name="ConfigModuleName" type="Your.Namespace.RedirectModule"/> </modules> </system.webServer> 

In your FilterConfig.cs apply this:

 public static void RegisterGlobalFilters(GlobalFilterCollection filters) { // only if Debug is not enabled, do not require https for local development if (!HttpContext.Current.IsDebuggingEnabled) filters.Add(new RequireHttpsAttribute()); //... any other filters } 

This should force your application to use https on every page.

MVC 6 (ASP.NET Core 1.0) is slightly different from the way filters are registered:

Startup.cs - AddMvc with filter for RequireHttpsAttribute :

 public void ConfigureServices(IServiceCollection services) { // TODO: Register other services services.AddMvc(options => { options.Filters.Add(typeof(RequireHttpsAttribute)); }); } 

Design solutions are discussed:

• Use a filter in Startup.cs for global configuration (since we want this to apply everywhere). The launch should be responsible for registering and configuring all global rules. If a new developer will work in your company, it expects to find a global setting in Startup.cs.
• Use the RequireHttpsAttribute logic as proven (Microsoft). Never use “magic” lines such as “http: //” and “https: //” when this can be avoided by reusing the Microsoft component created to provide the same logic.

If you use your MVC website in a local hosting without SSL:

• http : // localhost: 1337 / (without SSL)
• https : // localhost: 1337 / (SSL)

Consider starting without SSL on the local host, while requiring an https file .

Note:

As an alternative , we can create a "BaseController: Controller class" and make all our controllers inherit from the "BaseController" (instead of Controller). Then we only need to set the attribute 1 global location (and do not need to register the filter in Startup.cs).

Some people prefer attribute style.

Usage example:

 [RequireHttpsAttribute] public class BaseController : Controller { // Maybe you have other shared controller logic.. } public class HomeController : BaseController { // Add endpoints (GET / POST) for Home controller } 

In Global.asax.cs, use "RegisterGlobalFilters" to register global attributes.

 public static void RegisterGlobalFilters(GlobalFilterCollection filters) { filters.Add(new RequireHttpsAttribute()); //eg filters.Add(new HandleErrorAttribute()); //eg filters.Add(new System.Web.Mvc.AuthorizeAttribute()); }