How to redirect HTTP to HTTPS in MVC application (IIS7.5)
asp.net MvcHttpRedirectHttpsasp.net Mvc Problem Overview
I need to redirect my HTTP site to HTTPS, have added below rule but I am getting 403 Error when tried using http://www.example.com, it works fine when I type https://www.example.com in browser.
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
asp.net Mvc Solutions
Solution 1 - asp.net Mvc
You can do it in code:
Global.asax.cs
protected void Application_BeginRequest(){
if (!Context.Request.IsSecureConnection)
Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
}
Or You could add the same code to an action filter:
public class SSLFilter : ActionFilterAttribute {
public override void OnActionExecuting(ActionExecutingContext filterContext){
if (!filterContext.HttpContext.Request.IsSecureConnection){
var url = filterContext.HttpContext.Request.Url.ToString().Replace("http:", "https:");
filterContext.Result = new RedirectResult(url);
}
}
}
Solution 2 - asp.net Mvc
In the Global.asax.cs
:
Simple redirect
protected void Application_BeginRequest()
{
if (!Context.Request.IsSecureConnection
&& !Context.Request.IsLocal // to avoid switching to https when local testing
)
{
// Only insert an "s" to the "http:", and avoid replacing wrongly http: in the url parameters
Response.Redirect(Context.Request.Url.ToString().Insert(4, "s"));
}
}
301 redirect: SEO best practice (Search Engine Optimization)
The 301 Moved Permanently
redirect status response code is considered a best practice for upgrading users from HTTP to HTTPS (see Google recommendations).
So if Google or Bing robots will be redirected too, consider this:
protected void Application_BeginRequest()
{
if (!Context.Request.IsSecureConnection
&& !Context.Request.IsLocal // to avoid switching to https when local testing
)
{
Response.Clear();
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", Context.Request.Url.ToString().Insert(4, "s"));
Response.End();
}
}
Solution 3 - asp.net Mvc
I use the following in Global.asax:
protected void Application_BeginRequest()
{
if (FormsAuthentication.RequireSSL && !Request.IsSecureConnection)
{
Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"));
}
}
Solution 4 - asp.net Mvc
I have the following ASP.NET MVC rewrite rule in Web.config file:
You can try this code with web.config file. If your URL is http://www.example.com then it will be redirect to this URL https://www.example.com.
<system.webServer>
<rewrite>
<rules>
<rule name="http to https" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer>
Solution 5 - asp.net Mvc
You could use the RequireHttpsAttribute for simple cases.
[RequireHttps]
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
}
As stated in MSDN...
> "Represents an attribute that forces an unsecured HTTP request to be > re-sent over HTTPS."
I'm not sure you'd want to use this to enforce HTTPS across a large site though. Lots of decorating to do, and opportunity to miss controllers.
Solution 6 - asp.net Mvc
Use this code in web.config file for redirect http:// to https://
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTPS force" enabled="true" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
</system.webServer></configuration>
Solution 7 - asp.net Mvc
It's very simple. Just add one line in "Global.asax" file as below:
protected void Application_Start()
{
GlobalFilters.Filters.Add(new RequireHttpsAttribute(true));
}
If you would like to apply only server-side, not local side then apply following code:
protected void Application_Start()
{
if (!HttpContext.Current.Request.IsLocal)
GlobalFilters.Filters.Add(new RequireHttpsAttribute(true));
}
Hope it will help you :) Thank you!
Solution 8 - asp.net Mvc
I did it thusly, since a local debug session uses custom port numbers:
protected void Application_BeginRequest()
{
if (!Context.Request.IsSecureConnection)
{
if (HttpContext.Current.Request.IsLocal)
{
Response.Redirect(Context.Request.Url.ToString().Replace("http://localhost:25885/", "https://localhost:44300/"));
}
else
{
Response.Redirect(Context.Request.Url.ToString().Replace("http://", "https://"));
}
}
}
Preferably there would be some way to get the URL and SSL URL programmatically...
Solution 9 - asp.net Mvc
To force https only when the website is lunched on the server and ignore it while running the website on your machine for development :
In Global.asax :
You'll need the Application_BeginRequest() method
public class MvcApplication : System.Web.HttpApplication
{
protected void Application_Start()
{
// .....
}
//force https on server, ignore it on local machine
protected void Application_BeginRequest()
{
if (!Context.Request.IsSecureConnection && !Context.Request.Url.ToString().Contains("localhost"))
Response.Redirect(Context.Request.Url.ToString().Replace("http:", "https:"));
}
}
Solution 10 - asp.net Mvc
This answer is not exactly for OP but for those who could not make it work like me and have come across this (and although I know there is 403 not 404 error in OP), please refer to this answer if you are getting 404 instead: https://stackoverflow.com/a/6962829/5416602
Please check that you have binding for HTTP port (80) and not only HTTPS port (443) in your IIS
Solution 11 - asp.net Mvc
I'm unable to add comments, but thought this supplementary info would maybe help somebody.
I implemented the Global.asax idea with the 301 Permanent Redirect, and added http binding to the site in IIS. It still gave me 403 Forbidden until I remembered to untick "Require SSL" in SSL Settings.