If you’ve been on the world wide web for a while you may have noticed an uptick in sites that have a URL that begins with HTTPS versus HTTP. HTTPS is the secure version of HTTP. HTTP is the protocol through which data is passed between a web browser, like Chrome or Firefox, and a website. The S in HTTPS stands for “Secure” as in this website has a secure connection.
When you visit a webpage in your browser and you visit an HTTPS site you request its SSL certificate. The certificate holds a key that the browser unlocks to create a secure session while visiting that website. The SSL certificate is one time use only and creates a unique secure connection to the website.
When you visit a site via HTTP all communication takes place over plain text and this can be read fairly easily by any hacker that breaks the connection between your browser and the website.
HTTPS is valuable because it protects all communication and customer information. HTTPS also works to legitimize any site that uses it because businesses that use HTTPS can be verified. In the case of any e-commerce site, in particular, customers will feel safer shopping there.
Today there isn’t much content that website users or creators want passed over the web that isn’t fairly secure and generally they would rather a website have a secure connection versus not. So, website creators are making sure that their sites are HTTPS versus HTTP, even if they run a fairly innocuous informational site about dog breeds, for instance.
HTTPS sites are also more common these days because its become much simpler and cheaper to set it up. It’s possible to get the certificate for free from multiple sources and also many web hosting site packages come with HTTPS already as the default protocol.
Simple Way to Redirect HTTP to HTTPS
Before getting started you need an ASP.NET Web Application running on IIS. If you like using the Cloud Providers or shared hosting provider, this same technique will also work and will require less maintaince.
Web.Config Rewrite
Add the following code inside the <system.webServer> node of the web.config XML
<rewrite>
<rules>
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>The IIS Rewrite rule to force all traffice to HTTPS is very powerful but sometimes you want most of your traffic re-written and not all of your traffic.
If you are using Let’s Encrypt, for example we use Let’s Encrypt on ASPHostPortal hosting, you can easily tick URL redirection on their control panel. The Let’s Encrypt ASPHostPortal Web App extension requires an unsecure HTTP request to be made to a folder called .well-known. If my ASPHostPortal Web App only serves HTTPS traffic Let’s Encrypt will fail everytime you try to renew.
Rewrite Exceptions
Adding an exception to the rewrite is very easy, just add the following line to the conditions
<add input="{REQUEST_URI}" pattern=".well-known/" negate="true"/>Here is the complete Rewrite Rule with the exception
<rewrite>
<rules>
<rule name="HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
<add input="{REQUEST_URI}" pattern=".well-known/" negate="true"/>
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>Happy Coding!
