How to enforce SSL in ASP.NET Core

Without SSL, data is transmitted in plain text, making it vulnerable to interception and readable by hackers.

SSL ensures that data exchanged between the server and client is encrypted, making sensitive information (like usernames, passwords, and credit card details) unreadable to anyone without the proper SSL certificate and encryption key.

First, let's create an ASP.NET Core project.

This will create a new ASP.Net Core application in Visual Studio with SSL enabled, and the default templates will include the necessary middleware components in the Startup.cs file.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        // configure your middleware here
    }
    else
    {
        app.UseHsts();
    }
    app.UseHttpsRedirection();
}

The modified Configure method uses the UseDeveloperExceptionPage to capture exceptions and generate HTML error responses in a development environment.

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }
    else
    {
        app.UseHsts();
    }
    app.UseHttpsRedirection();
    app.UseMvc();
}

In a production environment, you should configure the middleware to redirect all HTTP requests to HTTPS.

Redirect HTTP requests to HTTPS in ASP.NET Core

Open the Startup.cs file and include the following code in the ConfigureServices method. Notice how the AddHttpsRedirection method is used to configure the middleware options.

In this example, the HTTPS port is set to 5001, while the default is 443.

services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 5001;
});

Use HSTS in ASP.NET Core for enhanced security

HTTP Strict Transport Security (HSTS) is an opt-in security feature that helps protect websites from man-in-the-middle attacks by enforcing HTTPS connections. It is specified via a response header and ensures that browsers cache certificates for a specific host for a set time. However, HSTS has limitations, including the need for client support and at least one successful HTTPS request to establish the policy.

The following code snippet shows how to configure HSTS in the ConfigureServices method.

services.AddHsts(options =>
{
     options.Preload = false;
     options.IncludeSubDomains = false;
     options.MaxAge = TimeSpan.FromDays(30);
});

When running your project, you'll be prompted to trust the self-signed certificate generated by IIS Express. After confirming and installing the certificate, you'll see HTTPS in the URL when you run the application in a browser.

For production, a valid certificate from a trusted certificate authority should be purchased and installed. HTTPS not only encrypts traffic but also prevents content modification, while HSTS ensures browsers only use secure HTTPS connections.