
I was going through official documentation to enforce HTTPS in ASP.NET Core. There I found a warning -

Do not use RequireHttpsAttribute on Web APIs that receive sensitive information. RequireHttpsAttribute uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP. Web APIs should either:

  1. Not listen on HTTP.
  2. Close the connection with status code 400 (Bad Request) and not serve the request.

What I know about the [RequireHttps] attribute is that it sets a 302 Found status code and a redirect URL, something like this -

GET http://api.example.com/values

302 Found
Location: https://api.example.com/values

On the other hand, official documentation recommends using -

HTTPS Redirection Middleware (UseHttpsRedirection) to redirect HTTP requests to HTTPS.

  • Uses the default HttpsRedirectionOptions.RedirectStatusCode (Status307TemporaryRedirect).

What I understood from this is that it also redirects HTTP to HTTPS, with a different status code, 307.

To me they are doing a similar thing. I don't clearly understand what benefit I am getting from using the HTTPS Redirection Middleware (UseHttpsRedirection) over the RequireHttps attribute. What am I missing here?

1 Answer

I was going through official documentation to enforce HTTPS in ASP.NET Core.

What I know about the [RequireHttps] attribute is that it sets a 302 Found status code and a redirect URL.

On the other hand, official documentation recommends using HTTPS Redirection Middleware (UseHttpsRedirection).

To me they are doing a similar thing.

I suppose that the information you mentioned is from this official doc about "Enforce HTTPS in ASP.NET Core".

As we know, in the Web API scenario the API client (consumer/caller app) might not be a browser client, and would then not understand or obey a redirection from HTTP to HTTPS via HTTP status codes. We should avoid having our API endpoint respond to the client with redirection status codes, which is why the warning part says "Do not use RequireHttpsAttribute on Web APIs that receive sensitive information".

And the warning part also shows two approaches to reject insecure HTTP requests for Web APIs: 1) do not expose HTTP endpoints; 2) return an error code. In my view, the discussion of "rejecting insecure HTTP requests in the Web API scenario" ends there.

Besides, we should note that the topic of this doc is redirecting HTTP requests to HTTPS in ASP.NET Core. RequireHttpsAttribute can be applied to specific controller(s)/action(s); to enforce HTTPS for an entire ASP.NET Core web app, using the HTTPS Redirection Middleware is recommended (this does not mean that we should use this middleware to reject insecure HTTP requests for Web APIs).
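The two Web API options from the documentation's warning (do not listen on HTTP; otherwise answer plain-HTTP requests with 400 instead of a redirect), alongside the redirection middleware for browser-facing pages, as an added example that is not code from the question, the answer or the Microsoft docs. It assumes .NET 6+ minimal hosting, a single HTTPS listener on port 5001 backed by the ASP.NET Core development certificate, and that every API route lives under the assumed `/api` path prefix:

```csharp
// Added example: enforcing HTTPS for an ASP.NET Core Web API without redirects.
// Assumes .NET 6+ minimal hosting with the Web SDK's implicit usings.
var builder = WebApplication.CreateBuilder(args);

// Approach 1 from the docs' warning: do not listen on HTTP at all.
// Only an HTTPS endpoint is bound on Kestrel (port 5001 is an assumption;
// UseHttps() picks up the dev certificate when no certificate is passed).
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(5001, listen => listen.UseHttps());
});

var app = builder.Build();

// Approach 2 from the docs' warning: if a plain-HTTP request still reaches the
// API (for example when an HTTP listener is kept for a non-API site), close it
// with 400 Bad Request and do not serve it. No redirect is issued, so a
// non-browser client that ignores 3xx never gets a chance to resend over HTTP.
app.Use(async (context, next) =>
{
    // "/api" is an assumed prefix for the API routes in this example.
    if (!context.Request.IsHttps && context.Request.Path.StartsWithSegments("/api"))
    {
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        await context.Response.WriteAsync("HTTPS is required for this API.");
        return;
    }
    await next(context);
});

// Browser-facing pages may still be redirected (307 Temporary Redirect by
// default); this middleware runs only for requests the check above let through.
app.UseHttpsRedirection();

app.MapGet("/api/values", () => new[] { "value1", "value2" });
app.MapGet("/", () => "Hello over HTTPS");

app.Run();
```

Order matters here: the 400 check sits before `UseHttpsRedirection()` so that API requests over HTTP are rejected rather than redirected, while everything else keeps the documented redirect behaviour. With only the HTTPS listener configured, approach 2 is a defence in depth that only becomes reachable if an HTTP listener is added later.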


2 Comments

So this is what I understand from your answer (correct me if I am wrong): the recommended approach is not to let the request reach the API endpoint and then redirect, but rather to use middleware to do the redirection.
As the doc mentioned, "No API can prevent a client from sending sensitive data on the first request". And the recommended approaches are: 1) Not listen on HTTP; 2) return an error code and not serve the non-HTTPS request.
