Forcing your Site to Load over HTTPS with Redirects

Follow

After installing an SSL certificate, you still need update your website to force all traffic to load over HTTPS. One way to do this is to add server-side redirects.

You can do this one of two ways:

  1. Add a URL Rewrite rule in your web.config in the site code to handle this. This is the recommended approach since it will be more performant and ensure that the HTTPS logic is contained within the application logic and modifications to that can be tracked through source control. You can also ensure the Strict-Transport-Security response header is sent.

  2. Add wildcard URL Redirections within Agility. This is the quickest way, but slightly less performant and does not required any changes to the website code. However, these URL redirections could be accidentally removed by a user in Agility, and potentially cause major security risks.

Adding a URL Rewrite Rule

In your main Web.config, ensure you have an empty <rewrite> element so that you can add rules in your staging/release transforms.

Web.config:

<system.webServer>
<rewrite>
      <rules></rules>
      <outboundRules></outboundRules>
    </rewrite>
...
</system.webServer>

Next, in your staging/release transform (Web.Staging/Web.Release.config), add the following:

<system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true" xdt:Transform="Insert">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
              redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true" xdt:Transform="Insert">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
              pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
</system.webServer>

IMPORTANT: This will also apply an HTTP to HTTPS redirect for the AgilityWebsiteService.svc endpoint on your server. Ensure that your Syncing Webserver in Agility is updated to sync over HTTPS by default so it avoids the redirect. If you have any trouble syncing over HTTPS after this update, you may need to update your web.config appropriately. Likely, you are missing the SSL bindings for the WCF service in your web.config. Please see HTTPS Syncing with Agility for the code you'll need to update in your web.config.

Adding Wildcard Redirects in Agility

In Agility, navigate to Settings > Url Redirections and add the following redirect rules:

  1. Origin = http://{your-domain}.com, Destination = https://{your-domain}.com
  2. Origin = http://your-domain}.com/*, Destination = https://{your-domain}.com/* 

After adding the redirects, any page requests matching that domain will be redirected from HTTP to HTTPS. Please note however, that this is less performant than adding the logic in the code and there is not Strict-Transport-Security header.

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.