Require SSL in WebApi?

Is there a way to require SSL for WebApi? Attribute?

I do not see the applicable attribute in System.Web.Http, something like the RequireHttps attribute that we have for MVC. I'm just trying to avoid dragging my own attribute / message handler if there is a built-in solution.

+61
ssl asp.net-web-api
Jun 29 '12 at 16:40
6 answers

You can use RequireHttpsHandler from the WebAPIContrib project. Basically, all it does is check the URI scheme of the incoming request:

    if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
    {
        // Forbidden (or do a redirect)...
    }

Alternatively, Carlos Figueira has another implementation on his MSDN blog.

+40
Jun 29 2018-12-12T00:
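The message-handler approach this answer points to, written out in full as an added example (it is not WebAPIContrib's code or any answerer's). The class name `HttpsOnlyHandler` and its `httpsPort` parameter are hypothetical, and `Task.FromResult` assumes .NET 4.5 or later.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example: runs before routing, model binding and filters, so no controller code sees a plain-HTTP request.
// Register once in WebApiConfig.Register: config.MessageHandlers.Add(new HttpsOnlyHandler());
public class HttpsOnlyHandler : DelegatingHandler
{
    private readonly int _httpsPort;

    public HttpsOnlyHandler(int httpsPort = 443) { _httpsPort = httpsPort; }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps)
        {
            return base.SendAsync(request, cancellationToken);
        }

        HttpResponseMessage response;
        if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head)
        {
            // Body-less, safe methods: point the client at the same URI over HTTPS.
            var target = new UriBuilder(request.RequestUri)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = _httpsPort
            };
            response = new HttpResponseMessage(HttpStatusCode.Found);
            response.Headers.Location = target.Uri;
        }
        else
        {
            // The body and any credentials were already sent in clear text;
            // refuse rather than redirect so the caller gets fixed, not silently retried.
            response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "SSL Required"
            };
        }
        response.RequestMessage = request;
        return Task.FromResult(response);
    }
}
```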
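    using System;
    using System.Net;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    public class RequireHttpsAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            // Setting a response here short-circuits the action for plain-HTTP requests.
            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
            }
        }
    }
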
+47
May 01 '13 at 9:37

It is not clear why there is no equivalent to the ASP.NET MVC RequireHttps attribute in the ASP.NET Web API. However, you can easily create one based on RequireHttps from MVC.

    using System;
    using System.Net.Http;
    using System.Web.Http.Controllers;
    using System.Web.Http.Filters;

    // ...

    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext == null)
            {
                throw new ArgumentNullException("actionContext");
            }

            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                HandleNonHttpsRequest(actionContext);
            }
            else
            {
                base.OnAuthorization(actionContext);
            }
        }

        // Override in a subclass to redirect instead of rejecting.
        protected virtual void HandleNonHttpsRequest(HttpActionContext actionContext)
        {
            actionContext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
            actionContext.Response.ReasonPhrase = "SSL Required";
        }
    }

All that remains to be done is to argue how much redundant code exists.

+19
Sep 12 '13 at 2:59

You can use the following filter class to force your action method to use SSL. This will process your request whether it's a GET method or any other verb: if it's a GET method, it redirects the browser (using the Location header) to the new URI. Otherwise, a message to use https will be displayed.

The code below shows that you should override the OnAuthorization method after inheriting from AuthorizationFilterAttribute.

    // Body of the overridden OnAuthorization(HttpActionContext actionContext) method.
    string _HtmlBody = string.Empty;
    UriBuilder httpsNewUri;
    var _Request = actionContext.Request;

    if (_Request.RequestUri.Scheme != Uri.UriSchemeHttps)
    {
        _HtmlBody = "<p>Https is required</p>";

        if (_Request.Method.Method == "GET")
        {
            actionContext.Response = _Request.CreateResponse(HttpStatusCode.Found);
            actionContext.Response.Content = new StringContent(_HtmlBody, Encoding.UTF8, "text/html");

            httpsNewUri = new UriBuilder(_Request.RequestUri);
            httpsNewUri.Scheme = Uri.UriSchemeHttps;
            httpsNewUri.Port = 443;

            // To ask a web browser to load a different web page with the same URI but different scheme and port
            actionContext.Response.Headers.Location = httpsNewUri.Uri;
        }
        else
        {
            actionContext.Response = _Request.CreateResponse(HttpStatusCode.NotFound);
            actionContext.Response.Content = new StringContent(_HtmlBody, Encoding.UTF8, "text/html");
        }
    }

+2
Jan 03 '15 at 13:32

You can use the following code (automatically redirect to https); it redirects to https when an http-based request is made.

To test this in Visual Studio, you need to enable SSL in Visual Studio. This can be done by setting the SSL property to true.

    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                // constructing the https url
                var uriBuilder = new UriBuilder(actionContext.Request.RequestUri)
                {
                    Scheme = Uri.UriSchemeHttps,
                    Port = 44353 // port used in visual studio for this
                };

                // actionContext.Response is still null at this point, so create the
                // redirect response before setting its Location header.
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Found);
                actionContext.Response.Headers.Location = uriBuilder.Uri;
            }
        }
    }

Use it in a Register method like this

    config.Filters.Add(new RequireHttpsAttribute());

+1
Jun 27 '17 at 2:38

After some research, I determined that this is probably the most appropriate answer. It can be updated to provide json, text or xml, although the specification indicates that HTML is recommended.

    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext context)
        {
            if (context.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                context.Response = new HttpResponseMessage(HttpStatusCode.UpgradeRequired);
                context.Response.Headers.Add("Upgrade", "TLS/1.1, HTTP/1.1");
                context.Response.Headers.Add("Connection", "Upgrade");

                // Content-Type is a content header: it is set through StringContent,
                // because adding it to Response.Headers throws InvalidOperationException.
                context.Response.Content = new StringContent(
                    "<html><head></head><body><h1>Http protocol is not valid for this service call.</h1><h3>Please use the secure protocol https.</h3></body></html>",
                    Encoding.UTF8,
                    "text/html");
            }
            else
            {
                base.OnAuthorization(context);
            }
        }
    }

Here is the specification: RFC 2817

0
Sep 25 '17 at 0:53


