Normally, configuring HTTPS properly on a web project is a headache: we need lots of code in different places, or we have to handle it through different tools. But in ASP.NET Core (2.0 or higher) it is super easy to configure. In fact, we don't have to configure it; it is already there, and we just need to understand it.
Before diving straight into this river, let's briefly talk about HTTPS first.
HTTPS is also a stateless protocol. It secures and protects your users' communication with your website. OK, but how? HTTPS uses TLS. TLS does many things, but the three main ones are authentication, encryption, and data integrity, which prevent lots of attacks such as man-in-the-middle (MITM) attacks. Currently TLS 1.2 is the recommended version.
In which applications should we use it? Should we use it in all web applications?
There are lots of recommendations, videos and blogs on this, but to put it in simple words: if your project or website is just a public gallery, a public blog or a portfolio, you don't really need HTTPS, but if your website or project deals with payments, finance, privacy or communication, or is a SaaS-type product, then go ahead, HTTPS is what you need. In very sensitive environments we take even more security measures, but for now let's stick to HTTPS.
Is any website with the HTTPS protocol secure? Just enable HTTPS and everything is secured?
No, absolutely not. Just enabling HTTPS, assigning port 443 and adding a binding doesn't secure your website or project. Rather, it throws a Not Secure warning in the browser.
Here is an example
You need a license (a TLS certificate) for HTTPS. When you have a license and everything is good, your site should look like this in the browser.
Where to get a license?
OK, a license! But where to get it? How to get it? Many hosting providers like GoDaddy and 1&1, and cloud solutions like Amazon and Azure, provide this option out of the box. But you can also buy your own from Namecheap, Cloudflare, etc.
Pocket can't afford the license cost? Looking for freebies?
Yes, here is the good news: you can get a free license from Let's Encrypt. I'm personally using it with Plesk. It's super easy to get a license and apply it to your website.
Don't stop here. As we developers always do, let's also ask Google what the best practices for implementing HTTPS are.
Now, back to ASP.NET Core 2.1
Let's create a new web project. Select .NET Core > ASP.NET Core Web Application. Give the solution a name and a directory and press OK.
Check the Configure HTTPS option and press OK.
Now the project is created. Let's confirm some important things first. Right-click the web project and go to Properties. Go to the Debug section and verify that Enable SSL is checked and a URL is shown.
You can also verify and change settings such as sslPort and applicationUrl from Properties > launchSettings.json in Solution Explorer.
Now check out the Configure method in Startup.cs; you will see app.UseHttpsRedirection();
This is where the real magic happens. Let's run the application without changing anything.
You are going to encounter a "This site is not secure" error. No, you haven't done anything wrong; this was expected. As I explained above about HTTPS certificates, we need a certificate, but you don't have one yet. That's why you are getting this error. But we don't need one for development, so we can ignore this by clicking "Go on to the webpage (Not recommended)".
Congratulations! You got it. That's all you need to do to enable HTTPS in development. Also note the URL https://localhost:44314/; 44314 is the SSL port we saw in launchSettings.json. Now you can get all the benefits of HTTPS in development and configure your application accordingly.
Let's do some fun stuff with this project. Suppose we don't want the whole application on HTTPS, only selected pages. Comment out the app.UseHttpsRedirection(); line in Startup.cs and run the application again, but this time use the application URL (you can find it in launchSettings.json); in my case it is http://localhost:58783.
Now your application is not using HTTPS globally, so we can configure the desired controller for HTTPS.
Let's go to the Controllers folder and open HomeController. I want only HomeController to run on HTTPS and all the others on HTTP, so just add [RequireHttps] on the controller and that's it. Now your controller is forced to use HTTPS.
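The per-controller setup described above, as an added sketch that is not code from the original post, written against the ASP.NET Core 2.1 MVC template. GalleryController is a hypothetical second controller, and the SslPort line is an addition: [RequireHttps] builds its redirect from MvcOptions.SslPort, so on a non-default port such as this article's 44314 it has to be set.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // [RequireHttps] redirects to this port. If it is not set, the
            // redirect drops the port and targets 443, where nothing is
            // listening in development. 44314 is the sslPort shown in this
            // article's launchSettings.json; replace it with your own value.
            options.SslPort = 44314;
        });
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // app.UseHttpsRedirection();  // global redirect switched off, as in the article
        app.UseStaticFiles();
        app.UseMvcWithDefaultRoute();
    }
}

// Every action in this controller requires HTTPS.
// A GET over HTTP is redirected to the HTTPS URL; any other verb
// (POST, PUT, ...) over HTTP is rejected with 403 instead of redirected,
// because a redirect would not carry the request body along.
[RequireHttps]
public class HomeController : Controller
{
    public IActionResult Index() => View();
}

// Hypothetical controller without the attribute: still served over plain HTTP.
public class GalleryController : Controller
{
    public IActionResult Index() => Content("reachable over HTTP and HTTPS");
}
```

Requesting http://localhost:58783/ with this in place redirects to https://localhost:44314/, while /Gallery stays on HTTP. Anything sent to the unprotected controllers, cookies included, still travels in clear text.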
Play around and come back; I'll be posting more stuff related to ASP.NET Core and more.