Razor Pages are a new feature of ASP.NET Core 2.0 that makes coding page-focused scenarios easier and more productive. Razor Pages are introduced with the intent of creating page focused scenarios where there is no real logic is involved. You can find all my razor pages posts here. The latest version (2.1) of ASP.NET Core supports HTTPS by default, but at the time of writing this post, it is still in the preview release. You can find all my ASP.NET Core 2.1 posts here. The app built on ASP.NET Core 2.0 version needs to be secured manually. In this post, we will see how to enforce HTTPS in ASP.NET Core Razor Pages applications.
Enforce HTTPS in ASP.NET Core Razor Pages
There are 2 ways to enforce HTTPS in ASP.NET Core Razor Pages.
- RequireHttps Attribute
- URL Rewriting
RequireHttps Attribute
The RequireHttps
attribute is an authorization filter that confirms requests are received over HTTPS. If the request comes via HTTP, it will be redirected to the HTTPS version of the request URI if the GET method was used. The attribute can be applied to a PageModel
class or globally for the application. You can apply to the PageModel
class like,
[RequireHttps] public class ContactModel : PageModel { public string Message { get; set; } public void OnGet() { Message = "Your contact page."; } }
The recommended approach to apply the RequireHttps
attribute as a global filter in the ConfigureServices
method. you can apply globally in the Startup.cs
.
public void ConfigureServices(IServiceCollection services) { services.AddMvc(); services.Configure<MvcOptions>(options => { options.Filters.Add(new RequireHttpsAttribute()); }); }
So when the request comes from HTTP, the redirection happens to HTTPS. This results in 302 status code indicates that the item has been moved temporarily to a different URL to the one originally used in the request (no 301). To fix this, set the permanent property of the RequireHttps
attribute to true:
services.Configure<MvcOptions>(options => { options.Filters.Add(new RequireHttpsAttribute{Permanent = true}); });
URL Rewriting
The other way is to use URL Rewriting. You can activate rewriting within the Configure
method:
public void Configure(IApplicationBuilder app, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseBrowserLink(); app.UseDeveloperExceptionPage(); } else { app.UseExceptionHandler("/Error"); var options = new RewriteOptions().AddRedirectToHttps(); app.UseRewriter(options); } app.UseStaticFiles(); app.UseMvc(); }
The above code adds the URL rewriting to the pipeline when the environment is not Development. If you also want in the Development environment, then put the rewriting code outside the if/else
block.
Similar to the RequireHttps
filter, the URL Rewrite approach also provides an option to issue 301 moved permanently status codes instead of 302:
var options = new RewriteOptions().AddRedirectToHttpsPermanent(); app.UseRewriter(options);
Please note that if you run this application on IISExpress, it will not work because we have not configured IIS Express to allow SSL. To Enable SSL, right-click on Project -> select properties -> navigate to debug tab. On debug tab, check Enable SSL option.
That’s it.
To conclude, we just saw that it’s easy to enforce HTTPS in ASP.NET Core application. With ASP.NET Core 2.1, we don’t have to worry about this.
Thank you for reading. Keep visiting this blog and share this in your network. Please put your thoughts and feedback in the comments section.
Hi
Have you had any success with 2.1 and Https and Docker? If so, any chance of an example?
Cheers
No, I haven’t tried it yet.