
In ASP.NET Core, Microsoft recommends the use of the HTTPS Redirection and HSTS middlewares as opposed to a rewrite rule in IIS to redirect all HTTP requests to HTTPS.

From a DevOps perspective, the IIS rule was easy to enforce across applications. We just inject the rewrite section as part of the Web.Config during deployment forcing the apps to go over HTTPS. But with the middleware approach being a part of the code itself, it is now up to the individual application teams to implement the redirect.

Is there a way for us to enforce HTTPS redirection across applications while not straying too far away from Microsoft's recommendation?

  • The URL Rewrite module is still supported with ASP.NET Core running on IIS. If you're already using it for other purposes, and know that you're going to be running ASP.NET Core on an IIS server, continuing to use it for HTTPS redirection and HSTS enforcement shouldn't be a problem. I read Microsoft's recommendation as "You should really use HTTPS redirection and HSTS. The easiest way to accomplish that is by using these built-in methods that work across platforms." For most people, that is better guidance than "If you're on IIS, install this separate module, and write more complex rules." Commented Apr 1, 2020 at 19:36
  • "In ASP.NET Core, Microsoft recommends the use of the HTTPS Redirection and HSTS middlewares as opposed to a rewrite rule in IIS to redirect all HTTP requests to HTTPS". From where did you get that impression? Clearly what Microsoft says in the Note section of that article indicates the reverse. Commented Apr 1, 2020 at 20:53
  • Thanks @JeremyCaney. That makes sense and that is exactly what we will do now. Commented Apr 1, 2020 at 23:21
  • 1
    @LexLi, The note talks about a reverse proxy configuration and I did not consider our in-process IIS server setup as a reverse proxy. Hence the question. Both Chris and Jeremy's comments have been helpful in my understanding. Commented Apr 1, 2020 at 23:30

1 Answer


Ironically, the reason the middleware approach is recommended is that it applies regardless of deployment method, whereas an IIS rewrite rule would only affect deployments to IIS. If you later decide to deploy one or more of these apps into a cluster, for example, then whatever IIS rewrite rules you might have had no longer apply. Setting it at the application level enforces the state for that application, not for one specific deployment method. Also, keep in mind that not everything should necessarily be HTTPS. When deploying into a k8s cluster, for example, you'd often turn this off, because you'd be using SSL termination at the gateway instead.

There's no real way to enforce this middleware, nor should you, considering valid cases such as the one described above where it actually shouldn't be present. As always, independent review is your best bet. When a new app goes into production, whether or not it should enforce SSL should be evaluated and enforced at that stage.

Also, FWIW, it doesn't have to be either/or. You can employ both the middleware and the IIS rewrite. In that case, the middleware will effectively never be utilized, because all requests will already be HTTPS thanks to the IIS rewrite, but if for some reason that piece is missing, the middleware is still there as a fallback.
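The configuration the answer describes, as an added example that is not part of the question or the answer above: a minimal ASP.NET Core `Program.cs` that wires up the HTTPS Redirection and HSTS middlewares and makes them switchable from configuration, so the same build can run HTTPS-only under IIS and have the redirect turned off when it sits behind a TLS-terminating gateway in a cluster. The `Security:EnforceHttps` setting name is a hypothetical key chosen for this example; the middleware and options APIs are the framework's own.

```csharp
// Added example (not from the question or answer): HTTPS Redirection and HSTS
// middlewares wired up in Program.cs, switchable from configuration so that a
// deployment behind a TLS-terminating gateway can opt out without a code change.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical setting name. Defaults to true so an app is HTTPS-only unless the
// deployment explicitly opts out, e.g. with the environment variable
// Security__EnforceHttps=false (double underscore maps to the ':' separator).
bool enforceHttps = builder.Configuration.GetValue<bool>("Security:EnforceHttps", true);

builder.Services.AddHttpsRedirection(options =>
{
    // 308 keeps the original HTTP method on the redirected request.
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    // Set the port explicitly: when hosted in-process under IIS the middleware
    // cannot always discover the HTTPS port by itself, and without a known port
    // it silently skips the redirect.
    options.HttpsPort = 443;
});

builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
    // Leave preload off until every subdomain really serves HTTPS; browsers'
    // preload lists are hard to get out of.
    options.Preload = false;
});

var app = builder.Build();

// The HSTS middleware only emits the header on HTTPS responses and skips
// localhost by default, so the development exclusion here is belt and braces.
if (enforceHttps && !app.Environment.IsDevelopment())
{
    app.UseHsts();
    app.UseHttpsRedirection();
}

// Echoes the scheme the app observes; useful for checking a deployment by hand.
app.MapGet("/", (HttpContext ctx) => $"Scheme seen by the app: {ctx.Request.Scheme}");

app.Run();
```

With the IIS rewrite rule injected at deployment as the question describes, the middleware is the fallback the answer mentions: requests already arrive over HTTPS and it does nothing. For a cluster deployment with TLS terminated at the gateway, set `Security__EnforceHttps=false`; if you instead leave the redirect on behind such a proxy, the app sees plain HTTP and will redirect every request, so forwarded-header handling (`app.UseForwardedHeaders()` configured for `X-Forwarded-Proto`) is then needed for `Request.Scheme` to reflect the original HTTPS request.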


1 Comment

Thanks Chris for an excellent write-up! It does put things into perspective. The cluster configuration and SSL termination was something I wasn't aware of and one that I'll keep in mind. Appreciate you taking the time!
