Securing a .net core website the web.config way in IIS

Friction is very useful but also the thing that stops your customers getting you. The one piece of advice I can give everybody is make sure that your website does you proud. It doesn't mean your website will be liked by everybody, but you should be happy with it. For years, Info Rhino went through many versions and none of them were any good. Even now, the website needs improving and a lot of the content could be better but I am happy it has relevance.

Not having a secure website holds you back

The one thing I have learned is - most individuals are fixated on things which are irrelevant. Websites don't need to be secure if users aren't logging in, sharing information. Indeed, even if you share information there are many situations where this isn't harmful.

Despite all these excuses, I didn't set up a secure website. It was only when I spoke with my sheeple friend who said - ooh, the site isn't secure that I finally got around to doing it.

In my defence, my webhost requires my package is a higher grade package putting around £60 a year extra. Over several websites this adds up over the years but it is embarrassing that I hadn't done this before.

The way to implement Transport Layer Security in .net core using code

GlobalFilters.Filters.Add(new RequireHttpsAttribute());

Alternatively, this can be done in the configure services method...

public void ConfigureServices(IServiceCollection services)
services.Configure<MvcOptions>(options =>
options.Filters.Add(new RequireHttpsAttribute());

This involves rebuilding and deploying the application. Why do this?

Doing this in .net core but using web.config to avoid having to redeploy the application

Many using IIS coming from an ASP.Net or ASP.Net MVC find the whole .net core experience weird. This is because IIS is part of the request/response pipeline. 

However, I have found it easier to modify web.config than change the application code. Here are the basic steps;

  1. Install IIS Manager on a PC.
  2. Install IIS Remote Administration Manager.
  3. Install URL Rewrite module into the website you are connected to.
  4. Paste the section below into your web.config file. It is the redirect code needed to convert all http requests to https.

<rule name="HTTPS force" enabled="true" stopProcessing="true">
<match url="(.*)" />
<add input="{HTTPS}" pattern="^OFF$" />
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />


Yes, my first post in a while which isn't about the coronavirus scamdemic. I was quite pleased to find that when testing the site, everything works and it forces the padlock in the bar.

In addition to doing this for Info Rhino's website, I can now add the same to findigl my property platform website.

Further reading and notes


Add comment